Advanced Mathematics and Numerical Modeling of IoT


can verify commitment to make sure whether parameter
distributor is being attacked or not.


(5) Verifiable Parameter Distribution Module. Using the idea of Feldman's [21] verification, first publicize a bivariate one-way function $H(x, y)$. In each threshold signature process, the parameter distributor generates a polynomial of order $n_1 - 1$, which corresponds to the set $A$ participants:

$$G(x) = \sum_{i=1}^{n_1-1} u_i x \bmod p^{n_1}. \tag{16}$$

Our model uses the primitive element in the finite field $GF(p^{n_1})$, which is $g_1$, to compute the number of operation rounds, which is $r^*$, according to the Poisson distribution with parameter $\lambda$, and then distributes the point sequence:

$$(x_{1i}, y_{1i}) = \left(H(s_{1i}, g_1^{r}),\, G(x_{1i})\right) \quad (i = 0, 1, \ldots, n_1 - 1). \tag{17}$$

Then it arbitrarily selects $n_1 - t_1$ points in the field $F_{p^{n_1}}(x, y)$, other than the ones in equation (17), and publishes them.
Then it saves the vector

$$s_{1i} \quad (i = 0, 1, \ldots, 2n_1 - t_1 - 1), \tag{18}$$

and calls Pedersen's bit commitment module.
After that, it broadcasts:

$$V_i = g_1^{u_i} \bmod p^{n_1} \quad (i = 0, 1, \ldots, n_1 - 1). \tag{19}$$

It sends each participant in set $A$:

$$\mathrm{TPK}_i = [a_i + G(0)] \bmod p^{n_1} \quad (i = 1, 2, \ldots, n_1,\; a_i \in GF(q)^*,\; G(0) \in GF(p^{n_1})^* > \sup a_i). \tag{20}$$

In the set $B$, the parameter distributor generates the primitive element, which is $g_2$, in the finite field $GF(p^{n_2})$, according to this polynomial of order $n_2 - 1$:

$$L(x) = \sum_{i=1}^{n_2-1} l_i x \bmod p^{n_2}. \tag{21}$$

Then, with the round number $r^*$ noted before, the system distributes and publishes the point sequence:

$$(x_{2i}, y_{2i}) = \left(H(s_{2i}, g_2^{r}),\, L(x_{2i})\right) \quad (i = 0, 1, \ldots, n_2 - 1). \tag{22}$$

We adopt an $(n_2, t_2)$ threshold structure constructed by the matrix method. $t_2$ players in set $B$ participate in the repeated games and recover the secret $S$ using the published $n_2 - t_2$ points.
As a result, the players in set $A$ can input $S$ after they get the general term formula of the homogeneous constant-coefficient linear differential equation.


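Then it saves the vector

$$s_{2i} \quad (i = 0, 1, \ldots, 2n_2 - t_2 - 1), \tag{23}$$

and calls Pedersen's bit commitment module.
After that, it broadcasts:

$$W_i = g_2^{l_i} \bmod p^{n_2} \quad (i = 0, 1, \ldots, n_2 - 1). \tag{24}$$

It sends each participant in set $B$:

$$\mathrm{TPK}_j = [S + L(0)] \bmod p^{n_2} \quad (j = 1, 2, \ldots, n_2,\; S \in GF(p)^*,\; L(0) \in GF(p^{n_2})^* > S). \tag{25}$$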

Theorem 5. The model is verifiable.

Proof. When distributing the point sequence and broadcasting the corresponding authentication information, participants can simultaneously verify the information.
Set $A$ participants verify

푔퐺(푥 1 1푖)=

푛 1 −1

푗=0


푥푗1푖
푖 mod푝

푛 (^1) (푖=0,1,...,푛
1 −1). (26)
Set $B$ participants verify


푔 2 퐿(푥2푖)=

푛 2 −1

푗=0


푥푗2푖
푖 mod푝

푛 (^2) (푖=0,1,...,푛
2 −1). (27)
If the verification succeeds, participants can trust the information sent by others.
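
The standard Feldman check that this module builds on, as an added example rather than code from the paper. It assumes a toy prime-order subgroup modulo a prime (constructed parameters `P`, `Q`, `GEN`) and plain integer share points in place of the paper's $GF(p^{n_1})$ setting and $H$-derived points; the names `deal`, `verify_share` and `recover` are hypothetical.

```python
import secrets

# Constructed toy parameters (assumption, far too small for real use):
# P = 2Q + 1 is a safe prime and GEN generates the subgroup of order Q.
P, Q, GEN = 2039, 1019, 4

def deal(secret, t, n):
    """Dealer: degree t-1 polynomial G with G(0) = secret, commitments V_j = g^{u_j}."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    commitments = [pow(GEN, u, P) for u in coeffs]
    shares = {x: sum(u * pow(x, j, Q) for j, u in enumerate(coeffs)) % Q
              for x in range(1, n + 1)}
    return shares, commitments

def verify_share(x, y, commitments):
    """Participant: accept y only if g^y == prod_j V_j^(x^j) mod P."""
    rhs = 1
    for j, v in enumerate(commitments):
        rhs = rhs * pow(v, pow(x, j, Q), P) % P
    return pow(GEN, y, P) == rhs

def recover(points):
    """Lagrange interpolation at 0 over GF(Q) from t verified (x, y) points."""
    s = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        s = (s + yi * num * pow(den, -1, Q)) % Q
    return s

if __name__ == "__main__":
    shares, commitments = deal(secret=123, t=3, n=5)
    # Every honest share passes; a share altered in transit is rejected.
    print(all(verify_share(x, y, commitments) for x, y in shares.items()))
    print(verify_share(2, (shares[2] + 1) % Q, commitments))
    print(recover(list(shares.items())[:3]))
```

A share or commitment that was modified after the dealer broadcast fails `verify_share`, which is how participants detect a compromised distributor before using the point in reconstruction.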
(6) Participants. Participants in two different permissions together constitute the threshold structure $(n_1 + n_2, t_1 + t_2)$.
In addition, $|A| = n_1$, $|B| = n_2$, and the threshold values are $|A|_{\text{threshold}} = t_1$ and $|B|_{\text{threshold}} = t_2$.
(7) Okamoto Signature Module. After calculating the threshold signature private key, take $\mathrm{TSK} = aS$ as the first private key component of the signature module, while the second private key component is generated by the public key signature method; select private keys and publicize public keys, respectively.
Finally, the model signs using the Okamoto signature algorithm.
Theorem 6. The model can resist conspiracy attack.
Proof. The second component of the private key in the Okamoto signature algorithm prevents the conspiracy attacks possible in the original model, in which participants who meet the threshold condition compute the general term formula of the homogeneous linear differential equation with constant coefficients and use it to obtain other participants' private keys.
The second component of each private key has to be kept private by each individual. Provided that the second component of the private key remains private, the threshold signature cannot be forged. Furthermore, we can establish a mechanism such that, when there is a dispute, the system checks every participant involved in the signature process in which the dispute arose.
