The invention relates to secure determination of a solution (S) to a computational task by a dealer-free threshold signature group. Access to a resource or reward is offered in exchange for the solution. The method enables individuals in said group to work together in a trust-less, or dealer-free manner. To achieve this, individuals generate their own key pair and use their public key to establish with the group an initial shared public key that they can all use, in parallel, to find a solution to the task. Their own private keys remain secret and, therefore, the collaboration is trustless, and operates efficiently, because a verified shared public key is created using the initial shared public key that was used when a solution is found and verified. The resource or reward can be secured by the verified shared public key. Because the private keys of each participant were used in the determination of the initial shared public key that lead to the solution then participants must then collaborate to unlock the resource or reward because the corresponding shared private key can only be generated by all participants or a pre-agreed threshold of participants. Efficiency is achievable by using an initial shared public key and calculating with the group a verified shared public key after the solution has been found. The invention enables the task to be trust-less by using the homomorphic properties of elliptic curve cryptography when applying Shamir's secret sharing scheme. The inventive concept resides in the secure, trust-less and efficient way in which a group can collaborate. The invention can be agnostic to the task.

Embodiments of a secure multi-party computation method applicable to any computing node deployed in a distributed network are provided. A plurality of computing nodes are deployed in the distributed network. The plurality of computing nodes jointly participate in a secure multi-party computation based on private data respectively held by the computing nodes. The method includes: generating a computing parameter related to private data held by one computing node based on a secure multi-party computation algorithm; transmitting the computing parameter to other computing nodes participating in the secure multi-party computation for the other computing nodes to perform the secure multi-party computation based on collected computing parameters transmitted by the computing nodes participating in the secure multi-party computation; and creating an audit log corresponding to the computing parameter, the audit log recording description information related to the computing parameter.

A computer implemented voting process (2) for executing a blockchain transaction, such as a transaction on the Bitcoin blockchain, is disclosed. The process comprises distributing shares (6) of a first common secret among a plurality of participants (4), wherein the first common secret implements an automated voting process (14) by the participants and is accessible to a first threshold number of shares and is inaccessible to less than the first threshold number of shares. The process further comprises determining (10, 12), based on different numbers of said shares of the first common secret held by a plurality of the participants, at least one combination of shares held by a plurality of the participants, to provide the first threshold number of shares.

Embodiments of a multi-party secure computation method applicable to any one computing node deployed in a distributed network are provided. A plurality of computing nodes are deployed in the distributed network, the plurality of computing nodes jointly participate in a secure multi-party computation based on respectively held private data, and the computing node that performs the method is connected to a trusted random source. The method includes: obtaining a trusted random number from the trusted random source; performing an operation on the held private data based on the obtained trusted random number to obtain an operation result; and transmitting a computing parameter comprising at least the trusted random number to other computing nodes participating in secure multi-party computation, so that the other computing nodes perform the secure multi-party computation based on collected computing parameters transmitted by the computing nodes participating in the secure multi-party computation.

Embodiments of a secure multi-party computation method applicable to any one computing node of a plurality of computing nodes deployed in a distributed network are provided. The plurality of computing nodes jointly participate in a secure multi-party computation based on private data held by each computing node. The computing node is connected to a trusted key source, and the method includes: obtaining a trusted key from the trusted key source; encrypting the private data held by the computing node based on the obtained trusted key to obtain ciphertext data; transmitting a computing parameter comprising at least the ciphertext data to other computing nodes participating in the secure multi-party computation, so that the other computing nodes perform the secure multi-party computation based on collected computing parameters transmitted by the computing nodes participating in the secure multi-party computation.

According to an aspect, there is provided a method of operating a first computing node to distribute a computation output, the method comprising: determining a first random mask; providing the first random mask as a private input to a computation by a first evaluator node and a second evaluator node; receiving, from each of the first evaluator node and the second evaluator node, a respective masked computation output, wherein each masked computation output is a function of an output of the computation and the first random mask; if the received respective masked computation outputs match, determining the output of the computation from the received masked computation output and the first random mask; and sending information to the first evaluator node and the second evaluator node to enable the first evaluator node and the second evaluator node to determine the output of the computation from the respective masked computation output.

A method of transferring control of a digital asset (2) is disclosed. The method comprises distributing shares d.sub.Ai of a first private key d.sub.A of an elliptic curve cryptography (ECC) system among a plurality of first participants (4). The first private key is accessible by means of a first threshold number (6) of shares d.sub.Ai of the first private key, and is inaccessible in the absence of the first threshold number of shares, and access to the digital asset (2) is provided by digital signature of a first encrypted message with the first private key. Shares of a deterministic key D.sub.k of the cryptography system are distributed among the either the first participants or a plurality of second participants, wherein the deterministic key is accessible by means of a second threshold number of shares of the deterministic key, and is inaccessible in the absence of the second threshold number of shares. A second encrypted message is provided wherein access to the digital asset (2) is provided by digital signature of the second encrypted message with a second private key d.sub.A+D.sub.k of the cryptography system, wherein the second private key is related to said first private key by the deterministic key D.sub.k. Shares S(of the second encrypted message signed with the second private key are generated, wherein the second encrypted message can be signed with the second private key by means of a third threshold number (12) of shares of the signed message, and cannot be signed in the absence of the third threshold number of shares.

The secret calculation system comprises three secret calculation apparatuses. An i.sup.th secret calculation apparatus (i=1, 2, 3) comprises a holder that holds (S[i], T[i]) and (S[i], T[i]) as distributed values of an n-bit number W and an n-bit W (n is any natural number), respectively; a first multiplicator that derives a logical conjunction of S[i] and S[i]; a second multiplicator that derives a logical conjunction of T[i] and T[i]; and a first subtractor that derives a difference between the logical conjunction derived by the first multiplicator and the logical conjunction derived by the second multiplicator.

This numerical splitting device: acquires a numerical value w and a parameter p; generates a first random number r1 and a second random number r2; computes a third random number r3 based on the numerical value w, parameter p, first random number r1, and second random number r2 according to an expression, r3=wr1-r2 mod p; computes first to third segments s1, s2, s3 based on the first to third random numbers r1, r2, r3 and the parameter p according to expressions, s1=r1+r2 mod p, s2=r2+r3 mod p, and s3=r3+r1 mod p; and transmits a pair of the first segment s1 and the second random number r2, a pair of the second segment s2 and the third random number r3, and a pair of the third segment s3 and the first random number r1 to first to third secure computation devices, respectively.

An aggregate sum is efficiently obtained while keeping confidentiality. A prefix-sum part computes a prefix-sum from a share of a sorted value attribute. A flag converting part converts a format of a share of a flag representing the last element of a group. A flag applying part generates a share of a vector in which a prefix-sum is set when a flag representing the last element of a group is true, and a sum of the whole is set when the flag is false. A sorting part generates a share of a sorted vector obtained by sorting a vector with a permutation which moves elements so that the last elements of each group are sequentially arranged from beginning. A sum computing part generates a share of a vector representing a sum for each group.