Enhancing Efficiency in Trustless Cryptography: An Optimized SM9-Based Distributed Key Generation Scheme

Abstract

Intelligent systems are those in which behavior is determined by environmental inputs, and actions are taken to maximize the probability of achieving specific goals. Intelligent systems are widely applied across various fields, particularly in distributed intelligent systems. At the same time, due to the extensive interaction with user data, intelligent systems face significant challenges regarding security. This study proposes an optimized distributed key generation (DKG) scheme for identity-based cryptography (IBC) using the SM9 standard. Our scheme introduces a (t, n)-threshold system that functions without a trusted center, addressing the vulnerability of single points of failure in conventional key generation centers (KGCs). We reduce communication and computational demands by refining the Paillier share transformation protocol, ensuring efficient, centerless operations. The scheme’s security, validated in the existential unforgeability against adaptive chosen identity attacks (EUF-CIA) model, demonstrates its practical applicability and enhanced security for distributed intelligent systems.

1. Introduction

Intelligent systems are those in which behavior is determined by environmental inputs, and actions are taken to maximize the probability of achieving specific goals. Intelligent systems are widely applied across various fields [1], such as transportation [2], healthcare [3,4], smart homes [5], and the Internet of Things, providing more efficient and intelligent services to humanity [4]. However, the integration of different technologies and extensive interaction with user data also creates opportunities for malicious activities, posing significant challenges to the security of intelligent systems [1]. In recent years, significant research has focused on the role of intelligent systems in enhancing cybersecurity. There is an increasing discourse around the applications of artificial intelligence (AI), machine learning, and deep learning within the field of cybersecurity [6,7]. Authentication technology is particularly critical in this context, especially within distributed intelligent systems, where ensuring identity security becomes a top priority.

The distributed key generation (DKG) technique, a multifaceted cryptographic protocol, engages numerous participants with the primary objective of bolstering the security and dependability of network applications. This property is achieved through the collaborative and secure generation and management of cryptographic keys in a distributed architecture. The strategic allocation and storage of key fragments across multiple key generation centers (KGCs), facilitated through collective negotiation, markedly reduces the vulnerabilities associated with single-point failures and the potential for privileged misuse. In contemporary practice, DKG methods have been extensively applied to facilitate secure communications among various users, underpinning their significance in the current digital communication context.

Pedersen [8] introduced a pioneering DKG protocol designed for discrete logarithm-based threshold cryptographic systems, which has also been used as a subprotocol in cryptographic signature and decryption computations. Notably, the initial protocol lacked a comprehensive elucidation of the security framework of the protocol. This gap was addressed by Gennaro et al. [9], who not only identified and articulated the security shortcomings of Pedersen’s approach but also developed and rigorously proved the security of an enhanced DKG protocol. This novel protocol advances security measures without compromising operational efficiency. Furthermore, Gennaro et al. [10] extended their study by integrating Pedersen’s protocol within Schnorr [11] signatures.

In a major stride towards practical deployment, Kate and Goldberg [12] unveiled the inaugural application of the DKG framework in an internet setting by establishing a proven secret sharing mechanism. Concurrently, Fouque and Stern [13], Zhang and Imai [14], and Canny and Sorkin [15] explored noninteractive and scalable DKG protocols. Zhang and Wang [16] introduced a versatile DKG protocol based on a discrete logarithmic public key infrastructure. Characterized by minimal data requirements for secret preservation, assured randomness, and uniform private key distribution, this protocol can be distinguished because of its various applications in group cryptography beyond conventional threshold structures.

To further advance the field, Zhang [17] proposed a DKG protocol grounded in information-theoretic security principles that featured a verifiable secret sharing scheme adapted to vector space access structures and complete security proof. Zha et al. [18] developed an adaptive DKG scheme that facilitates dynamic membership changes, thereby enhancing system efficiency. Zhang and Zhang [19] focused on bilinear group applications, and Wang et al. [20] introduced a DKG algorithm designed for the Lewko–Waters identity encryption protocol, thereby significantly bolstering the resilience and robustness of its key management system. Lindell and Nof [21] proposed an elliptic curve digital signature algorithm (ECDSA)-based DKG protocol by incorporating zero-knowledge proofs to safeguard against dishonest participation. Finally, Gennaro and Goldfeder [22] introduced a threshold DKG protocol within ECDSA by employing a homomorphic share transformation protocol to potentially minimize participant numbers.

In 1984, Shamir [23] introduced a groundbreaking identity-based cryptosystem, demonstrating a seminal advancement in identity-based cryptography (IBC). This system innovatively employs a unique identifier as the public key, thereby greatly streamlining the key management process by eliminating the conventional key distribution paradigm inherent in traditional public key cryptography. In this framework, a user’s public key is algorithmically derived from a unique identifier, thereby obviating the need for a certifying authority to validate the authenticity of the public key. This mechanism enhances the security profile of the system by centralizing the generation and distribution of private keys to the users through the KGC [24], although the notion of private keys being exclusive to the user is thus redefined. Despite the efficacy of IBC in bolstering security within zero-trust network environments, the secure deployment of such a public key infrastructure poses considerable challenges [25].

In 2016, the advent of the identity-based cryptographic algorithm SM9, released by the China Cryptography Administration [26], marked a significant milestone in cryptographic standards. Notably, the digital signature algorithm component of SM9 has been recognized and adopted by the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) international standards, underscoring its global acceptance and reliability. As the sole identity cipher algorithm standard emanating from China, SM9 plays a pivotal role in safeguarding the integrity and confidentiality of information systems across various sectors by handling commercial secrets within the country [27]. The widespread deployment of SM9 identity-based cryptographic algorithms across numerous domains attests to their foundational contribution to ensuring the security of China’s autonomously controlled infrastructure networks.

Recent studies have explored various facets of the SM9 DKG scheme, yielding noteworthy advancements and identifying persistent challenges (

Table 1. Distributed key generation protocol based on SM9.

Scheme	Number of Parties	(t,n) Threshold	Relationship Between t and n	System Cost
Ma [28]	Multi-party	√	n ≥ 2t−1	Moderate
Zhang et al. [25]	Multi-party	√	n ≥ 2t−1	Moderate
Tu et al. [29]	Multi-party	√	n ≥ t	High
Yu et al. [30]	Two-party	×	n = t = 2	Low

). Ma [28] introduced a threshold DKG protocol by leveraging the SM9 algorithm, which is notable for its requirement of a relatively high number of participants. Similarly, Zhang et al. [25] developed an SM9-based threshold protocol and encountered analogous concerns regarding participant numbers. Tu et al. [29] investigated the domain of homomorphic secure multi-party computation to propose an SM9 threshold protocol that can accommodate various application scenarios within the threshold DKG framework. However, reliance on homomorphic encryption introduces a significant computational overhead, thereby limiting its practicality. Conversely, Yu et al. [30] presented a distributed identity cryptography management scheme that, although innovative, is constrained to bipartite protocol implementation, thus restricting its broader applicability.

In the context of SM9 DKG, where t denotes the number of KGCs actively participating in the key generation process and n denotes the total number of KGCs with secret shares, our analysis reveals a critical observation. Among the various schemes reviewed, only the one proposed by Tu et al. [30] achieves the optimal threshold value (t), which is a crucial metric for system security and reliability. However, this achievement comes at a significant cost, thus rendering the system impractical for widespread deployment due to excessive overheads. In contrast, our proposed scheme attains this optimal threshold value and introduces substantial reductions in the system costs. These two advantages significantly enhance the practicability of our scheme, positioning it as a more viable solution for real-world applications.

The main contribution of this study concerns an enhanced (t,n)-threshold DKG scheme based on SM9, devoid of reliance on trusted centers, called the SM9-based lightweight DKG scheme. Our innovative approach significantly mitigates the communication overhead and computational demands of the Paillier homomorphic encryption and decryption processes by refining the Paillier share transformation protocol while maintaining the optimal threshold value. Furthermore, we rigorously demonstrate the security of our scheme within the existential unforgeability against adaptive chosen identity attack (EUF-CIA) model, providing a formal security proof that establishes the reduction in our scheme to the τ-BCAA1 problem under the random oracle model.

2. Preliminaries

2.1. Shamir Threshold Secret Sharing Scheme

The Shamir threshold secret sharing scheme, introduced by Shamir et al. in 1979, is a foundational cryptographic protocol designed to distribute and reconstruct secrets securely. It operates on the principles of the Lagrange interpolation theorem and can be delineated into two primary phases. Figure 1 shows the flowchart of the Shamir threshold secret sharing scheme.

• Distribution Stage

In this initial phase, the dealer, aiming to securely share a secret, first selects arbitrary coefficients $a_i$ from the multiplicative group ${\mathit{Z}}_{\mathit{N}}^{\mathit{*}}$ for $\mathbf{i}\mathbf{=}\mathbf{0}$ to $\mathit{t}-\mathbf{1}$, where $\mathit{t}$ denotes the threshold number of participants required for secret reconstruction. The dealer then chooses $n$ distinct, non-zero elements ${\mathit{x}}_{\mathit{i}}$ from ${\mathit{Z}}_{\mathit{N}}^{\mathit{*}}$, formulating a polynomial $\mathit{f}\left(\mathit{x}\right)={\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{a}}_{\mathit{i}}{\mathit{x}}^{\mathit{i}}$, where ${\mathit{a}}_{\mathbf{0}}$ represents the secret. Subsequently, the dealer computes the shares ${\mathit{s}}_{\mathit{i}}=\mathit{f}\left({\mathit{x}}_{\mathit{i}}\right)$ for each participant $U_i$, distributing them accordingly.

2.

Recovery Stage

During the reconstruction phase, any group of $\mathit{t}$ participants can collaboratively recreate the original polynomial $\mathit{f}\left(\mathit{x}\right)$ utilizing the Lagrange interpolation theorem. By setting $\mathit{x}=\mathbf{0}$, the secret ${\mathit{a}}_{\mathbf{0}}$ is revealed through the formula: ${\mathit{a}}_{\mathbf{0}}={\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{s}}_{\mathit{i}}{\mathbf{\prod }}_{\mathit{j}=\mathbf{0}\cap \mathit{j}\ne \mathit{i}}^{\mathit{t}-\mathbf{1}}{\displaystyle \frac{{\mathit{x}}_{\mathit{j}}}{{\mathit{x}}_{\mathit{j}}-{\mathit{x}}_{\mathit{i}}}}$.

2.2. Paillier Homomorphic Encryption Algorithm

The Paillier homomorphic encryption algorithm, predicated on the complexity of the residual class problem, is a pivotal cryptographic scheme for encrypted data processing. This algorithm encompasses three principal steps:

• Key Generation

  (a)

  Begin by selecting two large prime numbers $\mathit{p}$ and $\mathit{q}$ of identical length, ensuring that $\mathit{g}\mathit{c}\mathit{d}\left(\mathit{p}\mathit{q},\left(\mathit{p}-\mathbf{1}\right)\left(\mathit{q}-\mathbf{1}\right)\right)=$1, where $\mathit{g}\mathit{c}\mathit{d}$ represents the Greatest Common Divisor.

  (b)

  Calculate $\mathit{n}=\mathit{p}\mathit{q}$ and $\mathit{\lambda }=\mathit{l}\mathit{c}\mathit{m}\left(\mathit{p}-\mathbf{1},\mathit{q}-\mathbf{1}\right)$, where $\mathit{l}\mathit{c}\mathit{m}$ represents the Least Common Multiple.

  (c)

  Set $\mathit{g}=\mathit{n}+\mathbf{1}$, and define the function $\mathit{L}\left(\mathit{x}\right)={\displaystyle \frac{\mathit{x}-\mathbf{1}}{\mathit{n}}}$. Compute $\mathit{\mu }={\left(\mathit{L}\left({\mathit{g}}^{\mathit{\lambda }}\mathit{m}\mathit{o}\mathit{d} {\mathit{n}}^{\mathbf{2}}\right)\right)}^{-\mathbf{1}}\mathit{m}\mathit{o}\mathit{d} \mathit{n}$, where $\mathit{m}\mathit{o}\mathit{d}$ represents the modulus operation.

  (d)

  The public key is given by $\left(\mathit{n},\mathit{g}\right)$, and the private key by $\left(\mathit{\lambda },\mathit{\mu }\right)$.

• Encryption

  (a)

  For a message $\mathit{m}$ within the range $\left[\mathbf{0},\mathit{n}\right]$, select a random number $\mathit{r}$ from ${\mathit{Z}}_{\mathit{n}}^{\mathit{*}}$ where $\mathbf{g}\mathbf{c}\mathbf{d}\left(\mathit{r},\mathit{n}\right)=\mathbf{1}$.

  (b)

  Compute the ciphertext $\mathit{c}$ as $\mathit{c}={\mathit{g}}^{\mathit{m}}{\mathit{r}}^{\mathit{n}}\mathit{m}\mathit{o}\mathit{d} {\mathit{n}}^{\mathbf{2}}$.

• Decryption

  (a)

  Given ciphertext $\mathit{c}$, confirm $\mathit{c}\in {\mathit{Z}}_{{\mathit{n}}^{\mathbf{2}}}^{\mathit{*}}$.

  (b)

  Derive the message $\mathit{m}$ as $\mathit{m}=\mathit{L}\left({\mathit{c}}^{\mathit{\lambda }}\mathit{m}\mathit{o}\mathit{d} {\mathit{n}}^{\mathbf{2}}\right)·\mathit{\mu } \mathit{m}\mathit{o}\mathit{d} \mathit{n}$.

The Paillier algorithm is distinguished by its capacity for additive and scalar multiplication homomorphic encryption, delineated as follows:

• Addition homomorphism

For ciphertexts ${\mathit{c}}_{\mathbf{1}}$ and ${\mathit{c}}_{\mathbf{2}}$, the encrypted sum is ${\mathit{c}}_{\mathbf{1}}\ast {\mathit{c}}_{\mathbf{2}}={\mathit{E}\mathit{n}\mathit{c}}_{\mathit{p}\mathit{k}}\left({\mathit{m}}_{\mathbf{1}}+{\mathit{m}}_{\mathbf{2}}\right)$, and hence, ${\mathit{D}\mathit{e}\mathit{c}}_{\mathit{p}\mathit{k}}\left({\mathit{c}}_{\mathbf{1}}\ast {\mathit{c}}_{\mathbf{2}}\right)={\mathit{D}\mathit{e}\mathit{c}}_{\mathit{p}\mathit{k}}\left({\mathit{E}\mathit{n}\mathit{c}}_{\mathit{p}\mathit{k}}\left({\mathit{m}}_{\mathbf{1}}+{\mathit{m}}_{\mathbf{2}}\right)\right)={\mathit{m}}_{\mathbf{1}}+{\mathit{m}}_{\mathbf{2}}$

2.

Scalar multiplication homomorphism

For a ciphertext ${\mathit{c}}_{\mathbf{1}}$ and a scalar $\mathit{k}$, the operation ${{\mathit{c}}_{\mathbf{1}}}^{\mathit{k}}={\mathit{E}\mathit{n}\mathit{c}}_{\mathit{p}\mathit{k}}{\left({\mathit{m}}_{\mathbf{1}}\right)}^{\mathit{k}}$ allows for the encrypted product to be decrypted as ${\mathit{D}\mathit{e}\mathit{c}}_{\mathit{p}\mathit{k}}\left({{\mathit{c}}_{\mathbf{1}}}^{\mathit{k}}\right)={\mathit{D}\mathit{e}\mathit{c}}_{\mathit{p}\mathit{k}}\left({\mathit{E}\mathit{n}\mathit{c}}_{\mathit{p}\mathit{k}}{\left({\mathit{m}}_{\mathbf{1}}\right)}^{\mathit{k}}\right)=\mathit{k} \mathit{\ast } {\mathit{m}}_{\mathbf{1}}$

2.3. Paillier-Based Share Conversion Protocol

This protocol facilitates two parties, Alice and Bob, who possess multiplicative shares $\mathit{a},\mathit{b}\in {\mathit{Z}}_{\mathit{n}}$ of a secret, such that $\mathit{x}=\mathit{a}\mathit{b} \mathit{m}\mathit{o}\mathit{d} \mathit{n}$, in securely converting these shares into additive shares $\mathit{\alpha }+\mathit{\beta }=\mathit{x}$. The steps are meticulously designed to maintain confidentiality throughout the process.

• Initial encryption and share transmission

Alice begins by encrypting her share $\mathit{a}$ using her public key, resulting in ${\mathit{c}}_{\mathit{a}}={\mathit{E}\mathit{n}\mathit{c}}_{\mathit{p}\mathit{k}}\left(\mathit{a}\right)$. She then transmits ${\mathit{c}}_{\mathit{a}}$ to Bob.

2.

Bob’s calculation and transmission

Upon receiving ${\mathit{c}}_{\mathit{a}}$, Bob computes ${\mathit{c}}_{\mathit{b}}={{\mathit{c}}_{\mathit{a}}}^{\mathit{b}} \mathbf{\ast } {\mathit{E}\mathit{n}\mathit{c}}_{\mathit{p}\mathit{k}}\left({\mathit{\beta }}^{\mathbf{\prime }}\right)={\mathit{E}\mathit{n}\mathit{c}}_{\mathit{p}\mathit{k}}\left(\mathit{a}\mathit{b}+{\mathit{\beta }}^{\mathbf{\prime }}\right)$, where ${\mathit{\beta }}^{\mathbf{\prime }}{\in }_{\mathit{R}}{\mathit{Z}}_{\mathit{n}}$. Bob deduces his additive share of the secret as $\mathit{\beta }=-{\mathit{\beta }}^{\mathbf{\prime }}$ and forwards ${\mathit{c}}_{\mathit{b}}$ to Alice.

3.

Alice’s decryption and share derivation

Alice, upon receiving ${\mathit{c}}_{\mathit{b}}$, decrypts it to ascertain her additive share of the secret, $\mathit{\alpha }={\mathit{D}\mathit{e}\mathit{c}}_{\mathit{s}\mathit{k}}\left({\mathit{c}}_{\mathit{b}}\right)$.

This protocol effectively enables Alice and Bob to transition from holding multiplicative shares of a secret to possessing additive shares, thereby facilitating various cryptographic operations while preserving the privacy of their inputs.

2.4. SM9 Digital Signature Algorithm: An Overview

The SM9 digital signature algorithm, anchored in the principles of bilinear pairings, delineates a comprehensive procedure for secure digital signing and verification. It unfolds through the following stages:

• System setup

  (a)

  Initialization is performed by inputting safety parameters $\mathit{k}$, two additive cyclic groups ${\mathit{G}}_{\mathbf{1}},$ ${\mathit{G}}_{\mathbf{2}}$ of prime order $\mathit{N}$, and one multiplicative cyclic group ${\mathit{G}}_{\mathit{T}}$ also of prime order $\mathit{N}$, ensuring these groups satisfy a bilinear mapping $\mathit{e}:{\mathit{G}}_{\mathbf{1}}\times {\mathit{G}}_{\mathbf{2}}\to {\mathit{G}}_{\mathit{T}}$. The groups ${\mathit{G}}_{\mathbf{1}},$ ${\mathit{G}}_{\mathbf{2}}$ are defined by their generators ${\mathit{P}}_{\mathbf{1}},{\mathit{P}}_{\mathbf{2}}$, respectively.

  (b)

  Define two hash functions ${\mathit{H}}_{\mathbf{1}}:{\left\{\mathbf{0},\mathbf{1}\right\}}^{\mathit{*}}\to {\mathit{Z}}_{\mathit{N}}^{\mathit{*}},{\mathit{H}}_{\mathbf{2}}:{\left\{\mathbf{0},\mathbf{1}\right\}}^{\mathit{*}}\to {\mathit{Z}}_{\mathit{N}}^{\mathit{*}}$.

  (c)

  The KGC selects a master private key $\mathit{m}\mathit{s}\mathit{k}\in {\mathit{Z}}_{\mathit{N}}^{\mathit{*}}$, computes the master public key $\mathit{m}\mathit{p}\mathit{k}=\mathit{m}\mathit{s}\mathit{k} \mathit{\ast } {\mathit{P}}_{\mathbf{2}}$, and selects a signature private key generation function identifier $\mathrm{h}\mathrm{i}\mathrm{d}$.

  (d)

  KGC broadcasts the public system $\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{a}\mathrm{m}=<{\mathit{G}}_{\mathbf{1}},{\mathit{G}}_{\mathbf{2}},{\mathit{G}}_{\mathit{T}},{\mathit{P}}_{\mathbf{1}},{\mathit{P}}_{\mathbf{2}},\mathit{m}\mathit{p}\mathit{k},\mathit{N},{\mathit{H}}_{\mathbf{1}},{\mathit{H}}_{\mathbf{2}},\mathit{h}\mathit{i}\mathit{d}>$ and securely stores $\mathit{m}\mathit{s}\mathit{k}$.

• User signature private key extraction

  (a)

  KGC computes ${\mathit{t}}_{\mathbf{1}}=({\mathit{H}}_{\mathbf{1}}\left({\mathit{I}\mathit{D}}_{\mathit{A}}|\left|\mathit{h}\mathit{i}\mathit{d},\mathit{N}\right)+\mathit{m}\mathit{s}\mathit{k}\right)\mathit{m}\mathit{o}\mathit{d} \mathit{N}$. If ${\mathit{t}}_{\mathbf{1}}=\mathbf{0}$, KGC retries with a different $\mathit{m}\mathit{s}\mathit{k}$. Otherwise, it proceeds by calculating ${\mathit{t}}_{\mathbf{2}}=\mathit{m}\mathit{s}\mathit{k}\cdot {\mathit{t}}_{\mathbf{1}}^{-\mathbf{1}}\mathit{m}\mathit{o}\mathit{d}\mathit{N}$.

  (b)

  The signature private key $\mathit{d}\mathit{s}={\mathit{t}}_{\mathbf{2}} \mathit{\ast } {\mathit{P}}_{\mathbf{1}}$ is then computed and sent to the user identified by ${\mathit{I}\mathit{D}}_{\mathit{A}}$.

• Digital signature creation

  (a)

  The signer computes $\mathit{g}=\mathit{e}\left({\mathit{P}}_{\mathbf{1}},\mathit{m}\mathit{p}\mathit{k}\right)$.

  (b)

  A random positive integer $\mathit{r}{\in }_{\mathit{R}}{\mathit{Z}}_{\mathit{N}}^{\mathit{*}}$ is selected to compute $\mathit{w}={\mathit{g}}^{\mathit{r}}$.

  (c)

  The hash $\mathit{h}={\mathit{H}}_{\mathbf{2}}\left(\mathit{M}\mathit{s}\mathit{g}\right||\mathit{w},\mathit{N})$.

  (d)

  The signer computes $\mathit{l}=\left(\mathit{r}-\mathit{h}\right)\mathit{m}\mathit{o}\mathit{d}\mathit{N}$. If $\mathit{l}=\mathbf{0}$, $\mathit{r}$ is reselected; otherwise, the signature $\mathit{S}=\mathit{l} \mathit{\ast } \mathit{d}\mathit{s}$ is formed, with $\left(\mathit{h},\mathit{S}\right)$ constituting the digital signature of $\mathit{M}\mathit{s}\mathit{g}$.

• Verification

  (a)

  The verifier, equipped with system parameters, user identification ${\mathrm{I}\mathrm{D}}_{\mathrm{A}}$, message ${\mathit{M}\mathit{s}\mathit{g}}^{\mathrm{\prime }}$, and digital signature $\left({\mathit{h}}^{\mathbf{\prime }},{\mathit{S}}^{\mathbf{\prime }}\right)$, first checks if ${\mathit{h}}^{\mathbf{\prime }}\in {\mathit{Z}}_{\mathit{N}}^{\mathit{*}}$ and ${\mathit{S}}^{\mathbf{\prime }}$ is a point in ${\mathit{G}}_{\mathbf{1}}$.

  (b)

  Calculations are performed to validate the signature: compute $\mathit{t}={\mathit{g}}^{{\mathit{h}}^{\mathbf{\prime }}}$, ${\mathit{h}}_{{\mathit{I}\mathit{D}}_{\mathit{A}}}={\mathit{H}}_{\mathbf{1}}=\left({\mathit{I}\mathit{D}}_{\mathit{A}}\right||\mathit{h}\mathit{i}\mathit{d},\mathit{N})$, $\mathit{P}={\mathit{h}}_{{\mathit{I}\mathit{D}}_{\mathit{A}}}{\mathit{P}}_{\mathbf{2}}+\mathit{m}\mathit{p}\mathit{k}$, and $\mathit{u}=\mathit{e}\left({\mathit{S}}^{\mathbf{\prime }},\mathit{P}\right)$, then $\mathit{w}=\mathit{u} \mathit{\ast } \mathit{t}$.

  (c)

  If ${\mathit{h}}^{\mathbf{\prime }}={\mathit{H}}_{\mathbf{2}}\left({\mathit{M}\mathit{s}\mathit{g}}^{\mathbf{\prime }}\right||\mathit{w},\mathit{N})$, the signature is verified successfully; otherwise, the verification fails.

3. SM9-Based Lightweight Distributed Key Generation Scheme

In this section, we focus on the formal definition of a scheme, the description of a scheme, and scheme security.

3.1. System Model

In the proposed scheme, depicted in Figure 2, we delineate a system comprising the following three pivotal entities: the KGC, Combine Center, and User. These entities are foundational to the architecture, each playing a unique role.

• Key generation center (KGC)

Entrusted with generating segments of both the master public and private keys, the KGC is integral to facilitating secure and distributed cryptographic operations. It operates within a collaborative network of centers in which each can securely produce valid signature private key fragments for users based on their unique identifiers (IDs). This distributed mechanism significantly bolsters the security of the system, mitigating risks associated with centralized key management frameworks and underscoring the central role of the KGC in preserving the integrity and confidentiality of the cryptographic process.

2.

Combine center

Tasked with the critical role of amalgamating signature private key fragments into a singular, valid signature private key, the operations of the Combine Center are marked by precision and stringent security measures to thwart unauthorized access or tampering. Upon successful assembly of the signature private key, it is securely dispatched to the designated user, thereby facilitating the execution of cryptographic operations without imposing the technical complexities of key generation upon the end user.

3.

User

Positioned as the endpoint in our cryptographic narrative, the user, encompassing a broad spectrum of devices within the Internet of Things (IoT) ecosystem, is the beneficiary and operator of the signature private key. This role extends beyond human interaction to include an array of devices by leveraging the secure infrastructure established by the KGC and Combine Center for authenticated and encrypted communications.

3.2. Scheme Definition

This subsection outlines the architecture of the SM9-based lightweight DKG scheme, incorporating advancements from prior studies. Key features include a distributed configuration, private key derivation, and amalgamation processes, detailed as follows.

• Distributed setup ($\mathit{D}\mathit{S}\mathit{e}\mathit{t}\mathit{u}\mathit{p}$)

$$\left({\mathit{m}\mathit{s}\mathit{k}}_{\mathit{i}},{\mathit{m}\mathit{p}\mathit{k}}_{\mathit{i}},{\mathit{s}\mathit{k}}_{\mathit{i}},{\mathit{p}\mathit{k}}_{\mathit{i}}\right)\leftarrow \mathit{D}\mathit{S}\mathit{e}\mathit{t}\mathit{u}\mathit{p}\left(\mathit{t},\mathit{n},\mathit{\varrho }\right)$$

(1)

Given parameters $\mathit{t},\mathit{n}$, and $\mathit{\varrho }$, where $\mathit{t}$ represents the threshold number, $\mathit{n}$ is the number of Key Generation Centers (KGCs), and $\mathit{\varrho }$ denotes the public system parameter, the distributed setup generates:

• ${\mathit{m}\mathit{s}\mathit{k}}_{\mathit{i}}$: The private key slice for ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}$,
• ${\mathit{m}\mathit{p}\mathit{k}}_{\mathit{i}}$: The public key fragment for ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}$,
• ${\mathit{s}\mathit{k}}_{\mathit{i}},{\mathit{p}\mathit{k}}_{\mathit{i}}$: The Paillier key pair for ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}$.

2.

Distributed private key extraction ($\mathit{D}\mathit{E}\mathit{x}\mathit{t}\mathit{r}\mathit{a}\mathit{c}\mathit{t}$)

$$\left({\mathit{d}\mathit{s}}_{\mathit{i}}\right)\leftarrow \mathit{D}\mathit{E}\mathit{x}\mathit{t}\mathit{r}\mathit{a}\mathit{c}\mathit{t}(\mathit{I}\mathit{D},{\mathit{m}\mathit{s}\mathit{k}}_{\mathit{i}})$$

(2)

For a user with identifier $\mathit{I}\mathit{D}$, this process extracts ${\mathit{d}\mathit{s}}_{\mathit{i}}$, representing the user’s private key share from each ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}$, utilizing their respective ${\mathit{m}\mathit{s}\mathit{k}}_{\mathit{i}}$.

3.

Combine private key

$$\left(\mathit{d}\mathit{s}\right)\leftarrow \mathit{C}\mathit{o}\mathit{m}\mathit{b}\mathit{i}\mathit{n}\mathit{e}\left({\mathit{d}\mathit{s}}_{\mathit{i}}\right)$$

(3)

The user’s private key, $\mathit{d}\mathit{s}$, is synthesized from the individual shares ${\mathit{d}\mathit{s}}_{\mathit{i}}$, effectively combining them into a singular private key.

3.3. Security Definition and Security Models

Here, we introduce a security framework paralleling the EUF-CMA model for digital signatures, adapted to evaluate the robustness of our scheme under stochastic predicate analysis.

Assumption 1: 

Bilinear Collision Attack Assumption (τ-BCAA1).

$\mathit{\psi }$ is an isomorphism from ${\mathit{G}}_{\mathbf{2}}$ to ${\mathit{G}}_{\mathbf{1}}$ with $\mathit{\psi }\left({\mathit{P}}_{\mathbf{2}}\right)={\mathit{P}}_{\mathbf{1}}$. Positive integer $\mathit{\tau }$ and $\mathit{\alpha }{\in }_{\mathit{R}}{\mathit{Z}}_{\mathit{N}}^{\mathbf{*}},{{\mathit{P}}_{\mathbf{1}}\in {\mathit{G}}_{\mathbf{1}},\mathit{P}}_{\mathbf{2}}\in {\mathit{G}}_{\mathbf{2}},\mathit{e}:{\mathit{G}}_{\mathbf{1}}\times {\mathit{G}}_{\mathbf{2}}\to {\mathit{G}}_{\mathit{T}}$, as we know $\left({\mathit{P}}_{\mathbf{1}},{\mathit{P}}_{\mathbf{2}},\left[\mathit{\alpha }\right]{\mathit{P}}_{\mathbf{2}},{\mathit{h}}_{\mathbf{0}},\left({\mathit{h}}_{\mathbf{1}},\left[{\displaystyle \frac{\mathit{\alpha }}{{\mathit{h}}_{\mathbf{1}}+\mathit{\alpha }}}\right]{\mathit{P}}_{\mathbf{1}}\right),\dots ,\left({\mathit{h}}_{\mathit{\tau }},\left[{\displaystyle \frac{\mathit{\alpha }}{{\mathit{h}}_{\mathit{\tau }}+\mathit{\alpha }}}\right]{\mathit{P}}_{\mathbf{1}}\right)\right)$, where ${\mathit{h}}_{\mathbf{1}}{\in }_{\mathit{R}}{\mathit{Z}}_{\mathit{N}}^{\mathbf{*}}$ and distinct for $\mathbf{0}\le \mathit{i}\le \mathit{\tau }$, computing ${\mathit{e}\left({\mathit{P}}_{\mathbf{1}},{\mathit{P}}_{\mathbf{2}}\right)}^{{\displaystyle \frac{\mathit{\alpha }}{{\mathit{h}}_{\mathbf{0}}+\mathit{\alpha }}}}$ is hard.

Definition 1: 

Existential Unforgeability Against Adaptive Chosen Identity Attacks (EUF-CIA): a distributed key generation scheme is deemed to exhibit existential unforgeability against adaptive chosen identity attacks (EUF-CIA) if, for any polynomial-time adversary, the advantage in succeeding in the defined security trials is negligible.

The security experiment is formalized through a game played by a challenger and an adversary. In the game, the adversary fixes $\left|\mathit{A}\right|\le \mathit{t}-\mathbf{1}$ semi-honest KGCs and the challenger simulates $\left|\mathit{B}\right|=\mathit{n}-\mathit{t}$ honest KGCs.

Security Experiment: 

The robustness of the scheme against EUF-CIA is assessed through a structured game involving a challenger and an adversary, detailed as follows:

Setup Phase: 

The challenger and the adversary collaboratively execute the distributed setup algorithm. By the conclusion of this phase, both parties acquire all master public keys ($\mathit{m}\mathit{p}\mathit{k}$) and their respective private master key slices (${\mathit{m}\mathit{s}\mathit{k}}_{\mathit{i}}$).

Phase 1 (Query Phase): 

The adversary is permitted to adaptively request $\mathit{D}\mathit{E}\mathit{x}\mathit{t}\mathit{r}\mathit{a}\mathit{c}\mathit{t}$ for identities of its choosing. For each query on identity ${\mathit{I}\mathit{D}}_{\mathit{i}}$, the challenger engages in the $\mathit{D}\mathit{E}\mathit{x}\mathit{t}\mathit{r}\mathit{a}\mathit{c}\mathit{t}$ and Combine Private Key processes with the adversary, subsequently providing the adversary with the private key share ${\mathit{d}\mathit{s}}_{\mathit{i}}$.

Forgery Phase: 

The adversary attempts to forge private key shares ${\mathit{d}\mathit{s}}_{\mathit{i}}$ for an identity ID and is considered successful if:

• The combined private key $\mathit{d}\mathit{s}$, derived from ${\mathit{d}\mathit{s}}_{\mathit{i}}$ using the Combine operation, is valid for the identity ID.
• The private key for ID was not previously queried in Phase 1.

The advantage $ϵ$ of winning the game is the probability of returning a valid forged private key.

3.4. Scheme Description

Our enhancement of the SM9 framework focuses on optimizing the digital signature and user-specific private key generation by employing the following innovative design principles.

Lagrange secret sharing is used to generate the master public key fragment $msk$ by all the KGCs in the network so that the master public key $\mathit{m}\mathit{p}\mathit{k}=\mathit{m}\mathit{s}\mathit{k} \mathbf{\ast } {\mathit{P}}_{\mathbf{2}}$ can be calculated.

The SM9 signature private key equation is expanded as follows:

$$\mathit{d}\mathit{s}={\displaystyle \frac{\mathit{m}\mathit{s}\mathit{k}}{\mathit{m}\mathit{s}\mathit{k}+\mathit{h}}}{\mathit{P}}_{\mathbf{1}}={\mathit{P}}_{\mathbf{1}}-{\displaystyle \frac{\mathit{h}}{\mathit{m}\mathit{s}\mathit{k}+\mathit{h}}}{\mathit{P}}_{\mathbf{1}}={\mathit{P}}_{\mathbf{1}}-{\left(\mathit{m}\mathit{s}\mathit{k}+\mathit{h}\right)}^{-\mathbf{1}}\mathit{h}{\mathit{P}}_{\mathbf{1}}$$

(4)

Using the Pallier share transformation protocol, the ${\left(msk+h\right)}^{-1}{P}_{\mathbf{1}}$ can be calculated without revealing the respective secrets generated by the KGC; then, the user’s signature private key can be calculated.

The steps are as follows:

• Distributed setup

  (a)

  ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}$ uses the recommended values in the SM9 state secret standard for system parameter generation.

  (b)

  ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}$ generates the respective Paillier public-private key pairs ${{(\mathit{p}\mathit{k}}_{\mathit{i}},\mathit{s}\mathit{k}}_{\mathit{i}})$, then broadcasts ${\mathit{p}\mathit{k}}_{\mathit{i}}$.

  (c)

  ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}$ selects a random polynomial of degree t − 1, ${\mathit{f}}_{\mathit{i}}\left(\mathit{x}\right)={\sum }_{\mathit{j}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{a}}_{\mathit{i}\mathit{j}} \mathit{\ast } {\mathit{x}}^{\mathit{j}}$, where ${\mathit{a}}_{\mathit{i}\mathbf{0}}$ is the secret share chosen by ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}$. It broadcasts ${\mathit{C}}_{\mathit{i}\mathit{j}}={\mathit{a}}_{\mathit{i}\mathit{j}}{\mathit{P}}_{\mathbf{2}},\mathit{i}\in \left[\mathbf{1},\mathit{n}\right]\&\mathit{j}\in \left[\mathbf{1},\mathit{t}-\mathbf{1}\right]$.

  (d)

  ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}$ calculates ${\mathit{f}}_{\mathit{i}}\left({\mathit{x}}_{\mathit{j}}\right)$, where ${\mathit{x}}_{\mathit{j}}$ is the secure hash value of ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{j}}$’s identity. It secretly sends the calculation result ${\mathit{f}}_{\mathit{i}}\left({\mathit{x}}_{\mathit{j}}\right)$ to ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{j}}$.

  (e)

  After receiving ${\mathit{f}}_{\mathit{j}}\left({\mathit{x}}_{\mathit{I}}\right)$ from ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{j}}$, ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}$ verifies that ${\sum }_{\mathit{j}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{C}}_{\mathit{i}\mathit{j}} \mathit{\ast } {\mathit{x}}_{\mathit{i}}^{\mathit{j}}={\mathit{f}}_{\mathit{j}}\left({\mathit{x}}_{\mathit{i}}\right)\ast {\mathit{P}}_{\mathbf{2}}$. If the verification passes, it indicates that ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{j}}$ has not cheated and moves to the next step.

  (f)

  All ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}$ can calculate the master public key $\mathit{m}\mathit{p}\mathit{k}={\sum }_{\mathit{i}=\mathbf{1}}^{\mathit{n}}{\mathit{C}}_{\mathit{i}\mathbf{0}}={\sum }_{\mathit{i}=\mathbf{1}}^{\mathit{n}}{\mathit{a}}_{\mathit{i}\mathbf{0}}{\mathit{P}}_{\mathbf{2}}$.

• Distributed private key extract

  (a)

  ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}$ calculates the main private key shard, a t-threshold private key share ${\mathit{k}}_{\mathit{i}}={\sum }_{\mathit{i}=\mathbf{1}}^{\mathit{n}}{\mathit{f}}_{\mathit{j}}\left({\mathit{x}}_{\mathit{i}}\right)$.

  (b)

  ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}$ calculates the hash value of user identity $\mathit{h}={\mathit{H}}_{\mathbf{1}}\left({\mathit{I}\mathit{D}}_{\mathit{A}}\right||\mathit{h}\mathit{i}\mathit{d},\mathit{N})$.

  (c)

  ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}$ randomly chooses ${\mathit{\gamma }}_{\mathit{j}}{\in }_{\mathit{R}}{\mathit{Z}}_{\mathit{N}}^{\mathit{*}}$ and invokes the Paillier share conversion protocol to calculate:

  (d)

  ${\mathit{k}}^{-\mathbf{1}}\mathit{h}{\mathit{P}}_{\mathbf{1}}={\left({\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{k}}_{\mathit{i}}^{\mathbf{\prime }}{\sum }_{\mathit{j}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{\gamma }}_{\mathit{j}}\right)}^{-\mathbf{1}}{\sum }_{\mathit{j}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{\gamma }}_{\mathit{j}}\mathit{h}{\mathit{P}}_{\mathbf{1}}={(\sum _{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{\delta }}_{\mathit{i}})}^{-\mathbf{1}}\sum _{\mathit{j}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{\gamma }}_{\mathit{j}}\mathit{h}{\mathit{P}}_{\mathbf{1}}$, where the denominator part of the user signature private key $\mathit{k}={\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{k}}_{\mathit{i}}^{\mathbf{\prime }}={\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}({\mathit{\lambda }}_{\mathit{i}}{\mathit{k}}_{\mathit{i}}+{\displaystyle \frac{\mathit{h}}{\mathit{t}}})={\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{a}}_{\mathit{i}\mathbf{0}}+\mathit{h}=\mathit{m}\mathit{s}\mathit{k}+\mathit{h}.$

  (e)

  Lagrange coefficient ${\mathit{\lambda }}_{\mathit{i}}={\mathbf{\prod }}_{\mathit{j}=\mathbf{0}\cap \mathit{j}\ne \mathit{i}}^{\mathit{t}-\mathbf{1}}{\displaystyle \frac{{\mathit{H}}_{\mathbf{1}}\left({\mathit{I}\mathit{D}}_{\mathit{j}}\right)}{{\mathit{H}}_{\mathbf{1}}\left({\mathit{I}\mathit{D}}_{\mathit{j}}\right)-{\mathit{H}}_{\mathbf{1}}\left({\mathit{I}\mathit{D}}_{\mathit{i}}\right)}}$.

  (f)

  ${\mathit{\delta }}_{\mathit{i}}$ is the additive share of ${\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{k}}_{\mathit{i}}^{\mathbf{\prime }}{\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{\gamma }}_{\mathit{j}},{\mathit{\delta }}_{\mathit{i}}={\mathit{k}}_{\mathit{i}}^{\mathbf{\prime }}{\mathit{\gamma }}_{\mathit{i}}+{\sum }_{\mathit{j}=\mathbf{0}\cap \mathit{j}\ne \mathit{i}}^{\mathit{t}-\mathbf{1}}{\mathit{\alpha }}_{\mathit{i}\mathit{j}}+{\sum }_{\mathit{j}=\mathbf{0}\cap \mathit{j}\ne \mathit{i}}^{\mathit{t}-\mathbf{1}}{\mathit{\beta }}_{\mathit{i}\mathit{j}}$, ${\mathit{k}}_{\mathit{i}}^{\mathbf{\prime }}{\mathit{\gamma }}_{\mathit{j}}={\mathit{\alpha }}_{\mathit{i}\mathit{j}}+{\mathit{\beta }}_{\mathit{j}\mathit{i}}$

  (g)

  ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}$ broadcasts ${\mathit{\delta }}_{\mathit{i}}$ and computes ${\mathit{d}\mathit{s}}_{\mathit{i}}={(\sum _{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{\delta }}_{\mathit{i}})}^{-\mathbf{1}}{\mathit{\gamma }}_{\mathit{i}}\mathit{h}{\mathit{P}}_{\mathbf{1}}$

  (h)

  ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}$ sends ${\mathit{d}\mathit{s}}_{\mathit{i}}$ to Combine Center.

• Combine private key

  (a)

  Combine Center computes user private key $\mathit{d}\mathit{s}={\mathit{P}}_{\mathbf{1}}-\sum _{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{d}\mathit{s}}_{\mathit{i}}={\mathit{P}}_{\mathbf{1}}-{\left(\sum _{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{\delta }}_{\mathit{i}}\right)}^{-\mathbf{1}}\sum _{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{\gamma }}_{\mathit{i}}\mathit{h}{\mathit{P}}_{\mathbf{1}}={\mathit{P}}_{\mathbf{1}}-{\mathit{k}}^{-\mathbf{1}}\mathit{h}{\mathit{P}}_{\mathbf{1}}={\mathit{P}}_{\mathbf{1}}-{\left(\mathit{m}\mathit{s}\mathit{k}+\mathit{h}\right)}^{-\mathbf{1}}\mathit{h}{\mathit{P}}_{\mathbf{1}}$.

3.5. Paillier Homomorphic Share Transformation Protocol Optimization

In the existing homomorphic share transformation protocol, two entities, Alice and Bob, possess multiplicative shares that collectively satisfy the equation $\mathrm{x}=\mathrm{a}\mathrm{b} \mathrm{m}\mathrm{o}\mathrm{d} \mathrm{n}$. This protocol can help Alice and Bob realize that they hold additive share secret $\mathit{\alpha } \mathrm{a}\mathrm{n}\mathrm{d} \mathit{\beta },$ respectively, satisfying $\mathit{\alpha }+\mathit{\beta }=\mathit{x}$.

The number of secret random numbers that any two participants require to perform a share transformation in our scheme is two. Assuming that the secret random numbers of Alice and Bob are ${\mathit{a}}_{\mathbf{1}},{\mathit{a}}_{\mathbf{2}} \mathrm{a}\mathrm{n}\mathrm{d} {\mathit{b}}_{\mathbf{1}},{\mathit{b}}_{\mathbf{2}}$, respectively, the final state that must be achieved is $\mathit{\alpha }+\mathit{\beta }={\mathit{a}}_{\mathbf{1}}{\mathit{b}}_{\mathbf{2}}+{\mathit{a}}_{\mathbf{2}}{\mathit{b}}_{\mathbf{1}}$. In our scheme, this refers to the principle that “${\mathit{\alpha }}_{\mathit{i}\mathit{j}}+{\mathit{\beta }}_{\mathit{j}\mathit{i}}={\mathit{k}}_{\mathit{i}}^{\mathbf{\prime }}{\mathit{\gamma }}_{\mathit{j}}+{\mathit{k}}_{\mathit{j}}^{\mathbf{\prime }}{\mathit{\gamma }}_{\mathit{i}}$.” This signifies a specific operational relationship or mathematical model integral to the proposed scheme, which can be achieved if the previous homomorphic share transformation protocol is directly invoked twice, but it is not efficient. The reason is that two homomorphic encryption operations, one homomorphic decryption operation, and two rounds of communication are required to call this protocol once. If n participants must perform two–two secret random number share transformation, then for a total of 2n(n $-$ 1) homomorphic encryption operations, n(n $-$ 1) decryption operations, and 2n(n $-$ 1) rounds of communication, the optimization scheme is specified using the following steps.

• Alice computes ${\mathit{A}}_{\mathbf{1}}={\mathit{a}}_{\mathbf{1}}+{\mathit{a}}_{\mathbf{2}},{\mathit{A}}_{\mathbf{2}}={\mathit{a}}_{\mathbf{1}}-{\mathit{a}}_{\mathbf{2}},{\mathit{c}}_{\mathbf{1}}={\mathit{E}\mathit{n}\mathit{c}}_{\mathit{p}\mathit{k}}\left({\mathit{A}}_{\mathbf{2}}\right)$, then sends ${\mathit{c}}_{\mathbf{1}},{\mathit{A}}_{\mathbf{2}}$ to Bob ($\mathrm{w}\mathrm{h}\mathrm{e}\mathrm{r}\mathrm{e} {\mathit{A}}_{\mathbf{2}}$ denote the sum of two random numbers and does not reveal the specific value of the random number).
• Bob computes ${\mathit{B}}_{\mathbf{1}}={\mathit{b}}_{\mathbf{1}}+{\mathit{b}}_{\mathbf{2}},{\mathit{B}}_{\mathbf{2}}={\mathit{b}}_{\mathbf{1}}-{\mathit{b}}_{\mathbf{2}},{\mathit{c}}_{\mathbf{2}}={{\mathit{c}}_{\mathbf{1}}}^{{\mathit{B}}_{\mathbf{2}}}\mathit{\ast }{\mathit{E}\mathit{n}\mathit{c}}_{\mathit{p}\mathit{k}}\left(\mathit{r}\right)={\mathit{E}\mathit{n}\mathit{c}}_{\mathit{p}\mathit{k}}\left({\mathit{A}}_{\mathbf{2}}{\mathit{B}}_{\mathbf{2}}+\mathit{r}\right),\mathit{r}{\in }_{\mathit{R}}{\mathit{Z}}_{\mathit{n}}$, $\mathit{D}={\mathit{A}}_{\mathbf{1}}{\mathit{B}}_{\mathbf{1}}$. Bob computes the additive share secret as $\mathit{\beta }=-{\displaystyle \frac{\mathit{r}+\mathit{D}}{\mathbf{2}}}$ and sends ${\mathit{c}}_{\mathbf{2}}$ to Alice.
• Alice decrypts ${\mathit{c}}_{\mathbf{2}}$ and computes Alice’s secret share $\mathit{\alpha }=-{\displaystyle \frac{\mathit{D}\mathit{e}\mathit{c}\left({\mathit{c}}_{\mathbf{2}}\right)}{\mathbf{2}}}=-{\displaystyle \frac{{\mathit{A}}_{\mathbf{2}}{\mathit{B}}_{\mathbf{2}}+\mathit{r}}{\mathbf{2}}}$.

Correctness Proof: 

$$\begin{array}{c} \mathit{\alpha }+\mathit{\beta }\hfill \\ =-{\displaystyle \frac{{\mathit{A}}_{\mathbf{2}}{\mathit{B}}_{\mathbf{2}}+\mathit{r}}{\mathbf{2}}}+{\displaystyle \frac{\mathit{r}+\mathit{D}}{\mathbf{2}}}\hfill \\ =-{\displaystyle \frac{{\mathit{A}}_{\mathbf{2}}{\mathit{B}}_{\mathbf{2}}+\mathit{r}}{\mathbf{2}}}+{\displaystyle \frac{{\mathit{A}}_{\mathbf{1}}{\mathit{B}}_{\mathbf{1}}+\mathit{r}}{\mathbf{2}}}\hfill \\ ={\displaystyle \frac{{\mathit{A}}_{\mathbf{1}}{\mathit{B}}_{\mathbf{1}}-{\mathit{A}}_{\mathbf{2}}{\mathit{B}}_{\mathbf{2}}}{\mathbf{2}}}\hfill \\ ={\displaystyle \frac{\left({\mathit{a}}_{\mathbf{1}}+{\mathit{a}}_{\mathbf{2}}\right)\left({\mathit{b}}_{\mathbf{1}}+{\mathit{b}}_{\mathbf{2}}\right)-\left({\mathit{a}}_{\mathbf{1}}-{\mathit{a}}_{\mathbf{2}}\right)\left({\mathit{b}}_{\mathbf{1}}-{\mathit{b}}_{\mathbf{2}}\right)}{\mathbf{2}}}\hfill \\ ={\mathit{a}}_{\mathbf{1}}{\mathit{b}}_{\mathbf{2}}+{\mathit{a}}_{\mathbf{2}}{\mathit{b}}_{\mathbf{1}}\hfill \end{array}$$

(5)

□

Implementing the above protocol involves only $\mathit{n}\left(\mathit{n}-\mathbf{1}\right)$ homomorphic encryption operations, ${\displaystyle \frac{\mathit{n}\left(\mathit{n}-\mathbf{1}\right)}{\mathbf{2}}}$ decryption operations, and $\mathit{n}\left(\mathit{n}-\mathbf{1}\right)$ rounds of communication. By incorporating the finite-domain addition and division (which can also be achieved by the inverse of multiplication) computations at a lower cost, the cost is reduced significantly.

3.6. Scheme Correctness

The correctness of our scheme can be proved as follows:

$$\begin{array}{c} \mathit{d}\mathit{s}={\mathit{P}}_{\mathbf{1}}-{\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{d}\mathit{s}}_{\mathit{i}}\hfill \\ ={\mathit{P}}_{\mathbf{1}}-{\left({\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{\delta }}_{\mathit{i}}\right)}^{-\mathbf{1}}{\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{\gamma }}_{\mathit{i}}\mathit{h}{\mathit{P}}_{\mathbf{1}}\hfill \\ ={\mathit{P}}_{\mathbf{1}}-{\left({\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{{\mathit{k}}^{\mathbf{\prime }}}_{\mathit{i}}{\mathit{\gamma }}_{\mathit{i}}+{\sum }_{\mathit{i}\ne \mathit{j}}{\mathit{\alpha }}_{\mathit{i}\mathit{j}}+{\sum }_{\mathit{i}\ne \mathit{j}}{\mathit{\beta }}_{\mathit{i}\mathit{j}}\right)}^{-\mathbf{1}}{\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{\gamma }}_{\mathit{i}}\mathit{h}{\mathit{P}}_{\mathbf{1}}\hfill \\ ={\mathit{P}}_{\mathbf{1}}-{\left({\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{{\mathit{k}}^{\mathbf{\prime }}}_{\mathit{i}}{\sum }_{\mathit{j}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{\gamma }}_{\mathit{j}}\right)}^{-\mathbf{1}}{\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{\gamma }}_{\mathit{i}}\mathit{h}{\mathit{P}}_{\mathbf{1}}\hfill \\ \mathbf{=}{\mathit{P}}_{\mathbf{1}}-{\left({\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{{\mathit{k}}^{\mathbf{\prime }}}_{\mathit{i}}\right)}^{-\mathbf{1}}\mathit{h}{\mathit{P}}_{\mathbf{1}}\hfill \\ ={\mathit{P}}_{\mathbf{1}}-{\left({\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{t}-\mathbf{1}}{\mathit{\lambda }}_{\mathit{i}}{\mathit{k}}_{\mathit{i}}+{\displaystyle \frac{\mathit{h}}{\mathit{t}}}\right)}^{-\mathbf{1}}\mathit{h}{\mathit{P}}_{\mathbf{1}}\hfill \\ ={\mathit{P}}_{\mathbf{1}}-{\mathit{k}}^{-\mathbf{1}}\mathit{h}{\mathit{P}}_{\mathbf{1}}\hfill \\ ={\mathit{P}}_{\mathbf{1}}-{\left(\mathit{m}\mathit{s}\mathit{k}+\mathit{h}\right)}^{-\mathbf{1}}\mathit{h}{\mathit{P}}_{\mathbf{1}}\hfill \\ ={\displaystyle \frac{\mathit{m}\mathit{s}\mathit{k}}{\mathit{m}\mathit{s}\mathit{k}+\mathit{h}}}{\mathit{P}}_{\mathbf{1}}\hfill \end{array}$$

(6)

3.7. Security Analysis

In the absence of the master private key ($\mathit{m}\mathit{s}\mathit{k}$), the challenger can forge a legitimate user signature private key ($\mathit{d}\mathit{s}$) for the user ID in polynomial time, which is negligible in probability.

Theorem 1. 

Supposing a random oracle, if the τ-BCAA1 assumption is hard, then our scheme is secure in the EUF-CIA model.

Proof: 

If there exists an adversary $\mathit{A}$ that wins the EUF-CIA model under our distributed SM9 signature private key generation algorithm with advantage $\mathsf{ϵ} \mathrm{a}\mathrm{n}\mathrm{d} \mathit{A}$ performs at most ${\mathit{q}}_{\mathit{E}}>\mathbf{0}$ distributed extract query and ${\mathit{q}}_{\mathit{H}}>\mathbf{0} {\mathit{H}}_{\mathbf{1}}$ query, then we can construct a simulator $\mathit{S}$ to solve the τ-BCAA1 problem with advantage ${\displaystyle \frac{\mathit{ϵ}}{\mathit{e}{\mathit{q}}_{\mathit{H}}}}$. $\mathit{S}$ simulates honest KGCs and Combine Center based on τ-BCAA1 assumption instance. To make this security certificate more representative, we assume that the semi-honest $\mathrm{K}\mathrm{G}\mathrm{C}\mathrm{s}$ number fixed by an adversary is $\left|\mathit{A}\right|=\mathit{t}-\mathbf{1}$ and S simulates only one $\mathrm{K}\mathrm{G}\mathrm{C}$.

• Setup
  $\mathit{S}$ and A co-run the distributed setup algorithm

  (a)

  $S$ and $\mathit{A}$ obtain the generators ${\mathit{P}}_{\mathbf{1}},{\mathit{P}}_{\mathbf{2}}$ of the cyclic group ${\mathit{G}}_{\mathbf{1}},{\mathit{G}}_{\mathbf{2}}$ of the system parameters and Paillier key pair $\left({\mathit{p}\mathit{k}}_{\mathit{i}},{\mathit{s}\mathit{k}}_{\mathit{I}}\right)$, respectively.

  (b)

  $\mathit{A}$ adaptively randomly chooses ${\mathit{s}}_{\mathit{i}}{\in }_{\mathit{R}}{\mathit{Z}}_{\mathit{N}}^{\mathit{*}}$ as ${\mathit{m}\mathit{s}\mathit{k}}_{\mathit{I}}$, $\mathit{i}\in \mathit{A}$, sends ${\mathit{f}}_{\mathit{i}}\left({\mathit{x}}_{\mathit{j}}\right)$ to corresponding KGCs and broadcast commits ${\mathit{C}}_{\mathit{I},\mathit{j}}$, which ${\mathit{C}}_{\mathit{I},\mathbf{0}}={\mathit{m}\mathit{p}\mathit{k}}_{\mathit{i}}$.

  (c)

  $\mathit{S}$ simulates KGC, computes ${\mathit{m}\mathit{p}\mathit{k}}_{\mathit{S}}=\left[\mathit{\alpha }\right]{\mathit{P}}_{\mathbf{2}}-\sum {\mathit{C}}_{\mathit{i}\mathbf{0}}={\mathit{C}}_{\mathit{S},\mathbf{0}}$ as master public key share, then randomly chooses ${\mathit{r}}_{\mathit{j}}{\in }_{\mathit{R}}{\mathit{Z}}_{\mathit{N}}^{\mathit{*}}\left(\mathit{j}\in \left[\mathbf{1},\mathit{t}-\mathbf{1}\right]\right)$ and sends ${\mathit{r}}_{\mathit{j}}$ to ${\mathrm{K}\mathrm{G}\mathrm{C}}_{\mathrm{i}}\left(\mathit{i}\in \mathit{A}\right)$.

  (d)

  $\mathit{S}$ simulates coefficients commits,

  $$\left[\begin{array}{ccc}{\mathit{x}}_{\mathbf{1}}^{\mathbf{1}} {\mathit{x}}_{\mathbf{1}}^{\mathbf{2}}& \cdots & {\mathit{x}}_{\mathbf{1}}^{\mathit{t}-\mathbf{1}}\\ {\mathit{x}}_{\mathbf{2}}^{\mathbf{1}} {\mathit{x}}_{\mathbf{2}}^{\mathbf{2}}& & {\mathit{x}}_{\mathbf{2}}^{\mathit{t}-\mathbf{1}}\\ ⋮& \ddots & ⋮\\ {\mathit{x}}_{\mathit{t}-\mathbf{1}}^{\mathbf{1}} {\mathit{x}}_{\mathit{t}-\mathbf{1}}^{\mathbf{2}}& \cdots & {\mathit{x}}_{\mathit{t}-\mathbf{1}}^{\mathit{t}-\mathbf{1}}\end{array}\right]\left[\begin{array}{c}{\mathit{C}}_{\mathit{S},\mathbf{1}}\\ {\mathit{C}}_{\mathit{s},\mathbf{2}}\\ ⋮\\ {\mathit{C}}_{\mathit{s},\mathit{t}-\mathbf{1}}\end{array}\right]=\left[\begin{array}{c}{\mathit{r}}_{\mathbf{1}}\mathit{\ast }{\mathit{P}}_{\mathbf{2}}-{\mathit{m}\mathit{p}\mathit{k}}_{\mathit{S}}\\ {\mathit{r}}_{\mathbf{2}}\mathit{\ast }{\mathit{P}}_{\mathbf{2}}-{\mathit{m}\mathit{p}\mathit{k}}_{\mathit{S}}\\ ⋮\\ {\mathit{r}}_{\mathit{t}-\mathbf{1}}\mathit{\ast }{\mathit{P}}_{\mathbf{2}}-{\mathit{m}\mathit{p}\mathit{k}}_{\mathit{S}}\end{array}\right]$$

  The matrix in the above equation is a Vandermonde matrix. Obviously the determinant is not equal to 0, and the elliptic curve points are capable of addition, subtraction and number multiplication operations, so that ${\mathit{C}}_{\mathit{S},\mathit{i}}\left(\mathit{i}\in \left[\mathbf{1},\mathit{t}-\mathbf{1}\right]\right)$ can be found by the above equation, S broadcasts ${\mathit{C}}_{\mathit{S},\mathit{i}}$ to open Feldman Commit.

  (e)

  adversary can compute $\mathit{m}\mathit{p}\mathit{k}=\sum {\mathit{C}}_{\mathit{i},\mathbf{0}}=\left[\mathit{\alpha }\right]{\mathit{P}}_{\mathbf{2}}$.

• ${\mathit{H}}_{\mathbf{1}}$ query

  (a)

  $\mathit{S}$ maintains a list ${{\mathit{H}}_{\mathbf{1}}}^{\mathit{l}\mathit{i}\mathit{s}\mathit{t}}$ of tuples (${\mathit{I}\mathit{D}}_{\mathit{I}},{\mathit{y}}_{\mathit{I}},{\mathit{D}}_{\mathit{i}})$ as explained below. When $\mathit{A}$ makes ${\mathit{H}}_{\mathbf{1}}$ query on ${\mathit{I}\mathit{D}}_{\mathit{I}}$ that are adaptively chosen by itself, $\mathit{S}$ responds as follows:

  (b)

  If ${\mathit{I}\mathit{D}}_{\mathit{I}}$ is on the list ${{\mathit{H}}_{\mathbf{1}}}^{\mathit{l}\mathit{i}\mathit{s}\mathit{t}}$ of tuples (${\mathit{I}\mathit{D}}_{\mathit{I}},{\mathit{y}}_{\mathit{I}},{\mathit{D}}_{\mathit{i}})$, S responds with ${\mathit{H}}_{\mathbf{1}}\left({\mathit{I}\mathit{D}}_{\mathit{i}}\right)={\mathit{y}}_{\mathit{i}}$. Otherwise, if the query is on the I-th distinct $\mathit{I}\mathit{D}$, then $\mathit{S}$ stores (${\mathit{I}\mathit{D}}_{\mathit{I}},{\mathit{h}}_{\mathbf{0}},\perp )$.

  (c)

  Otherwise, $\mathit{S}$ selects a random integer ${\mathit{h}}_{\mathbf{i}}\left(\mathbf{0}<\mathbf{i}\le \mathsf{\tau }\right)$ from the τ-BCAA1 instance and the instance has been not been chosen by S, then S stores tuple (${\mathit{I}\mathit{D}}_{\mathit{I}},{\mathit{h}}_{\mathit{I}},[{\displaystyle \frac{\mathit{\alpha }}{{\mathit{h}}_{\mathit{i}}+\mathit{\alpha }}}]{\mathit{P}}_{\mathbf{1}})$ and responds with ${\mathit{H}}_{\mathbf{1}}\left({\mathit{I}\mathit{D}}_{\mathit{i}}\right)={\mathit{h}}_{\mathit{i}}$.

• Distributed private key extract query

  (a)

  A runs Distributed Private Key Extract algorithms and Combine Private Key algorithms with $\mathit{S},\mathit{S}$ selects a random integer ${\mathit{k}}_{\mathit{S}}{\in }_{\mathit{R}}{\mathit{Z}}_{\mathit{N}}^{\mathit{*}}$ as t threshold-private key share.

  (b)

  A makes private key extract queries on identities ${\mathit{I}\mathit{D}}_{\mathit{I}}$ that are adaptively chosen, S responds as follows:

  (c)

  If $\mathit{i}=\mathit{I}$, then S aborts the game. Otherwise, if $\mathit{i}\ne \mathit{I}$, then there is a tuple $({\mathit{I}\mathit{D}}_{\mathit{I}},{\mathit{h}}_{\mathit{I}},[{\displaystyle \frac{\mathit{\alpha }}{{\mathit{h}}_{\mathit{i}}+\mathit{\alpha }}}]{\mathit{P}}_{\mathbf{1}})$, S responds with ${\mathit{d}\mathit{s}}_{\mathit{S}}$ where ${\mathit{d}\mathit{s}}_{\mathit{S}}={\mathit{P}}_{\mathbf{1}}-\sum {\mathit{d}\mathit{s}}_{\mathit{i}\in \mathit{A}}-\left[{\displaystyle \frac{\mathit{\alpha }}{{\mathit{h}}_{\mathit{i}}+\mathit{\alpha }}}\right]{\mathit{P}}_{\mathbf{1}}$.

• Forgery

$A$ outputs forged distributed private key shares ${\mathit{d}\mathit{s}}_{\mathit{i}\in \left[\mathbf{0},\mathit{t}-\mathbf{1}\right]}$ on ${\mathit{I}\mathit{D}}_{\mathit{i}}$. If $\mathit{i}\ne \mathit{I}$, then S aborts the game. Otherwise, if $\mathit{i}=\mathit{I}$, S computes $\mathit{d}\mathit{s}={\mathit{P}}_{\mathbf{1}}-\sum {\mathit{d}\mathit{s}}_{\mathit{i}\in \left[\mathbf{0},\mathit{t}-\mathbf{1}\right]}$ and outputs $\mathit{e}\left(\mathit{d}\mathit{s},{\mathit{P}}_{\mathbf{2}}\right)$ as a solution of τ-BCAA1 instance. □

Claim 1. 

If S does not abort during the simulation, then algorithm A’s view is identical to its view in real attack.

Proof: 

S’s responses to ${\mathit{H}}_{\mathbf{1}}$ queries are random selections of the τ-BCAA1 instance. S’s responses to distributed private key queries are valid private key shares of $\mathit{I}\mathit{D}$ which are adaptively chosen by A. Those responses are uniformly independently distributed as in a real attack. □

Claim 2. 

If the advantage $ϵ$ of winning the game is the probability of returning valid forged private key shares ${\mathit{d}\mathit{s}}_{\mathit{i}\in \left[\mathbf{0},\mathit{t}-\mathbf{1}\right]}$, then S is able to solve τ-BCAA1 problem with advantage ${\displaystyle \frac{\mathit{ϵ}}{\mathit{e}{\mathit{q}}_{\mathit{H}}}}$.

Proof: 

The success of S in resolving τ-BCAA1 problem is determined by the following three events:

Event1: S does not abort during the Distributed Private Key Extract query.

Event2: A forges valid private key shares ${\mathit{d}\mathit{s}}_{\mathit{i}\in \left[\mathbf{0},\mathit{t}-\mathbf{1}\right]}$ on $\mathit{I}\mathit{D}$.

Event3: Event2 occurs and index of the tuple ${(\mathit{I}\mathit{D}}_{\mathit{i}},{\mathit{y}}_{\mathit{i}},{\mathit{D}}_{\mathit{i}})$ corresponding to the $\mathit{I}\mathit{D}$ is $\mathit{i}=\mathit{I}$.

$\mathbf{Pr}\left[\mathit{E}\mathit{v}\mathit{e}\mathit{n}\mathit{t}\mathbf{1}\right]$ = ${\left(\mathbf{1}-{\displaystyle \frac{\mathbf{1}}{{\mathit{q}}_{\mathit{E}}}}\right)}^{{\mathit{q}}_{\mathit{E}}}$,

$\mathbf{Pr}\left[\mathit{E}\mathit{v}\mathit{e}\mathit{n}\mathit{t}\mathbf{2}|\mathit{E}\mathit{v}\mathit{e}\mathit{n}\mathit{t}\mathbf{1}\right]$ = $\mathit{ϵ}$

$\mathbf{Pr}\left[\mathit{E}\mathit{v}\mathit{e}\mathit{n}\mathit{t}3|\mathit{E}\mathit{v}\mathit{e}\mathit{n}\mathit{t}\mathbf{1}\wedge \mathit{E}\mathit{v}\mathit{e}\mathit{n}\mathit{t}\mathbf{2}\right]$ = ${\displaystyle \frac{\mathbf{1}}{{\mathit{q}}_{\mathit{H}}}}$

Thus, the advantage of S in solving τ-BCAA1 problem is as follows:

$$\begin{array}{cc}\hfill {\mathit{A}\mathit{d}\mathit{v}}_{\mathit{S}}^{\mathit{\tau }-\mathit{B}\mathit{C}\mathit{A}\mathit{A}\mathbf{1}}& =\mathit{P}\mathit{r}\left[\mathit{E}\mathit{v}\mathit{e}\mathit{n}\mathit{t}\mathbf{1}\wedge \mathit{E}\mathit{v}\mathit{e}\mathit{n}\mathit{t}3\right]\hfill \\ & =\mathit{P}\mathit{r}\left[\mathit{E}\mathit{v}\mathit{e}\mathit{n}\mathit{t}\mathbf{1}\right]\mathit{P}\mathit{r}\left[\mathit{E}\mathit{v}\mathit{e}\mathit{n}\mathit{t}\mathbf{2}|\mathit{E}\mathit{v}\mathit{e}\mathit{n}\mathit{t}\mathbf{1}\right]\mathit{P}\mathit{r}\left[\mathit{E}\mathit{v}\mathit{e}\mathit{n}\mathit{t}3|\mathit{E}\mathit{v}\mathit{e}\mathit{n}\mathit{t}\mathbf{1}\wedge \mathit{E}\mathit{v}\mathit{e}\mathit{n}\mathit{t}\mathbf{2}\right]\hfill \\ & ={\left(\mathbf{1}-{\displaystyle \frac{\mathbf{1}}{{\mathit{q}}_{\mathit{E}}}}\right)}^{{\mathit{q}}_{\mathit{E}}}{\displaystyle \frac{\mathbf{1}}{{\mathit{q}}_{\mathit{H}}}}\mathit{ϵ}\approx {\displaystyle \frac{\mathit{ϵ}}{\mathit{e}{\mathit{q}}_{\mathit{H}}}}\hfill \end{array}$$

□

4. Performance Evaluation

4.1. Theoretical Analysis

Our scheme enhances the original homomorphic share transformation protocol, with a focus on achieving substantial improvements in computational and communication efficiency. The following table shows the main system cost after invoking various share transformation protocols when t KGCs perform DKG.

The original scheme in

Table 2. Comparison of system cost.

Scheme	Storage Space (bits)	Computational Time	Communication Rounds
Original scheme	$$\begin{gathered} \left(2{\mathit{t}}^2-2\mathit{t}\right)1028 bits \\ +\left(2{\mathit{t}}^2-\mathit{t}\right)256 bits \end{gathered}$$	$$\begin{gathered} {\mathit{t}}^2{\mathit{T}}_{\mathit{E}\mathit{n}\mathit{c}}+\left({\mathit{t}}^2-\mathit{t}\right){\mathit{T}}_{\mathit{D}\mathit{e}\mathit{c}} \\ +\left({\mathit{t}}^2-\mathit{t}\right){\mathit{T}}_{\mathit{H}\mathit{o}\mathit{m}\mathit{A}\mathit{d}\mathit{d}} \\ +\left({\mathit{t}}^2-\mathit{t}\right){\mathit{T}}_{\mathit{H}\mathit{o}\mathit{m}\mathit{M}\mathit{u}\mathit{l}} \end{gathered}$$	${\mathit{t}}^2-\mathit{t}$
Improvement scheme	$$\begin{gathered} {\displaystyle \frac{{2\mathit{t}}^2+\mathit{t}}{2}}1028 bits \\ +2{\mathit{t}}^{2}256 bits \end{gathered}$$	$$\begin{gathered} {\displaystyle \frac{{\mathit{t}}^2+\mathit{t}}{2}}{\mathit{T}}_{\mathit{E}\mathit{n}\mathit{c}}+{\displaystyle \frac{{\mathit{t}}^2-\mathit{t}}{2}}{\mathit{T}}_{\mathit{D}\mathit{e}\mathit{c}}+ \\ {\displaystyle \frac{{\mathit{t}}^2-\mathit{t}}{2}}{\mathit{T}}_{\mathit{H}\mathit{o}\mathit{m}\mathit{A}\mathit{d}\mathit{d}} \\ +{\displaystyle \frac{{\mathit{t}}^2-\mathit{t}}{2}}{\mathit{T}}_{\mathit{H}\mathit{o}\mathit{m}\mathit{M}\mathit{u}\mathit{l}} \end{gathered}$$	${\displaystyle \frac{{\mathit{t}}^2-\mathit{t}}{2}}$

is based on the study by Tu et al. [30]. Here, we highlight some critical details of the proposed scheme. Following the SM9 digital signature algorithm specifications, we selected a 256-bit prime number as the cyclic group’s order. This guarantees multiplicative inverses for all coefficients in the cyclic group, thereby facilitating the integration of Shamir’s secret sharing into our scheme. However, in the Paillier share conversion protocol, the computation involves number $\mathrm{m}\in \mathrm{Z}\mathrm{n}$, where n is the product of two primes p and q, which do not directly correspond to the cyclic group’s order N in the SM9 algorithm. To prevent computational errors due to cyclic group order discrepancies, p and q in the Paillier protocol are selected as 257-bit primes, exceeding twice N’s size. The choice is pivotal, as both Paillier protocols necessitate homomorphic multiplication and addition, i.e., ${\mathit{E}\mathit{n}\mathit{c}\left(\mathit{a}\right)}^{\mathit{b}}\mathit{\ast }\mathit{E}\mathit{n}\mathit{c}\left(\mathit{c}\right)=\mathit{E}\mathit{n}\mathit{c}\left(\mathit{a}\mathit{b}+\mathit{c}\right)$ for $\mathit{a},\mathit{b},\mathit{c}{\in }_{\mathit{R}}{\mathit{Z}}_{\mathit{N}}$. Consequently, n is a 514-bit, and the Paillier ciphertext is a 1028-bit random number. Table 2 shows that in the original scheme, each of t KGCs performs t Paillier encryptions, stores ciphertexts (1028 bits) and plaintexts (256 bits), receives t − 1 ciphertexts, and conducts decryption. Implementing the Paillier protocol yields t − 1 intermediate variable $\mathrm{r}{\in }_{\mathrm{R}}{\mathrm{Z}}_{\mathrm{N}}$ (256 bits), necessitating a storage total of $\left(2t^2-2t\right)1028 \mathrm{b}\mathrm{i}\mathrm{t}\mathrm{s}+\left(2t^2-t\right)256 \mathrm{b}\mathrm{i}\mathrm{t}\mathrm{s}$ in the original protocol. Beyond computational overhead, each KGC executes t − 1 homomorphic additions and multiplications, incurring a computational cost of $t^2{\mathrm{T}}_{\mathrm{E}\mathrm{n}\mathrm{c}}+\left(t^2-t\right){\mathrm{T}}_{\mathrm{D}\mathrm{e}\mathrm{c}}+\left(t^2-t\right){\mathrm{T}}_{\mathrm{H}\mathrm{o}\mathrm{m}\mathrm{A}\mathrm{d}\mathrm{d}}+\left(t^2-t\right){\mathrm{T}}_{\mathrm{H}\mathrm{o}\mathrm{m}\mathrm{M}\mathrm{u}\mathrm{l}}$. In our improvement scheme, t KGCs undertake (t + 1)/2 Paillier encryptions and store ciphertexts (1028 bits) and plaintexts, and the latter is computed from a 256-bit constant and a random number. Additionally, they obtain (t − 1)/2 ciphertexts and a 256-bit random number, with the Paillier protocol generating (t − 1)/2 intermediates r for storage, culminating in a total of ${\displaystyle \frac{{2t}^2+t}{2}}1028 \mathrm{b}\mathrm{i}\mathrm{t}\mathrm{s}+2t^{2}256 \mathrm{b}\mathrm{i}\mathrm{t}\mathrm{s}$ storage in the enhanced scheme. Exceeding the aforementioned computational cost, each KGC conducts (t − 1)/2 homomorphic additions and multiplications, accruing a total cost of ${\displaystyle \frac{t^2+t}{2}}{\mathrm{T}}_{\mathrm{E}\mathrm{n}\mathrm{c}}+{\displaystyle \frac{t^2-t}{2}}{\mathrm{T}}_{\mathrm{D}\mathrm{e}\mathrm{c}}+{\displaystyle \frac{t^2-t}{2}}{\mathrm{T}}_{\mathrm{H}\mathrm{o}\mathrm{m}\mathrm{A}\mathrm{d}\mathrm{d}}+{\displaystyle \frac{t^2–t}{2}}{\mathrm{T}}_{\mathrm{H}\mathrm{o}\mathrm{m}\mathrm{M}\mathrm{u}\mathrm{l}}$, where ${\mathrm{T}}_{\mathrm{E}\mathrm{n}\mathrm{c}}$ denotes the encryption operation time, ${\mathrm{T}}_{\mathrm{D}\mathrm{e}\mathrm{c}}$ denotes the decryption operation time, ${\mathrm{T}}_{\mathrm{H}\mathrm{o}\mathrm{m}\mathrm{A}\mathrm{d}\mathrm{d}}$ denotes the homomorphic addition operation time, and ${\mathrm{T}}_{\mathrm{H}\mathrm{o}\mathrm{m}\mathrm{M}\mathrm{u}\mathrm{l}}$ denotes the homomorphic multiplication operation time. From Table 2, it can be observed that our scheme has significantly improved storage space, computational time overhead, and communication rounds compared to the original scheme.

4.2. Experimental Analysis

Experimental validation for this study was conducted using a computer with a 3.0 GHz 6-core 64-bit AMD Ryzen 5 4600H processor and 16 GB of RAM, operating on a Windows 10 platform. The experimental design employed the Java Pairing-Based Cryptography (JPBC) library, adhering to the stringent SM9 standard recommendations for algorithm parameters. This adherence is pivotal, as it ensures that our findings hold practical significance in the field of the identification and verification of cryptographic algorithms. As shown in Figure 3 and

Table 3. Comparison of scheme time consumption.

Scheme Number of KGCs	Original Scheme	Improvement Scheme
5	82 ms	44 ms
10	365 ms	207 ms
15	768 ms	390 ms
20	1358 ms	721 ms
25	1909 ms	1087 ms
30	2781 ms	1536 ms
35	3767 ms	1957 ms
40	4842 ms	2437 ms
45	6009 ms	3086 ms
50	7212 ms	3850 ms
100	28,970 ms	14,441 ms

, by simulating the operational environment, the experiments were designed to emulate the implementation of multiple KGCs as part of a DKG system. The empirical evidence gleaned from these simulations offers a robust corroboration of the theoretical performance analysis previously detailed in this study. The results unambiguously affirm that our improved scheme aligns with theoretical predictions and provides a considerable enhancement in performance when compared to the original scheme.

The graphical data presented below detail a side-by-side comparison of the “Original Scheme” and “Improved Scheme” with an increasing number of KGCs. The original scheme is illustrated by an orange dashed trajectory, revealing a pronounced upward trend in computational time, which suggests scalability concerns. Conversely, the “Improved Scheme”, depicted by a steady blue line, indicates a tempered ascent in time with additional KGCs, illustrating a more scalable solution. The tabular data echo the graphical insights, clearly quantifying the differences in milliseconds ($\mathrm{m}\mathrm{s}$) across a spectrum of 5–100 KGCs, which reinforces the performance benefits of the improved scheme.

Notably, the combination of both graphical and tabular data encapsulated within these images provides a transparent and quantifiable assessment of the efficacy of the cryptographic schemes in question. The enhancement offered by the refined scheme is substantial, setting a new benchmark for system efficiency and scalability in cryptographic practices.

5. Conclusions

To address the challenges posed by the prohibitive cost of DKG within the SM9 framework, this study introduces an optimized approach called the SM9-based Lightweight Distributed Key Generation Scheme, which operates effectively in the absence of trusted centers. Through rigorous analysis, we successfully demonstrated the robust security credentials of the scheme within the EUF-CIA model, substantiating its resilience by demonstrating a reduction in the τ-BCAA1 problem under the random oracle model. Empirical evaluations further underscore the substantial enhancements in efficiency offered by our scheme, demonstrating a significant step forward in the practical deployment of distributed cryptographic solutions. However, a notable limitation of our proposed scheme is that it is constructed under the assumption of a semi-honest adversary. Future research will explore the utilization of zero-knowledge proofs and related technologies to develop a secure scheme under the assumption of malicious adversaries. This progression will enhance the applicability of our approach in more demanding scenarios where adversarial behavior may compromise security.