Movatterモバイル変換

[0]ホーム
URL:

Jump to content
WikipediaThe Free Encyclopedia
Search

Threshold cryptosystem

From Wikipedia, the free encyclopedia
Type of cryptosystem

Athreshold cryptosystem, the basis for the field ofthreshold cryptography, is acryptosystem in which the secret key is split into a number of pieces that are given to different parties. Several parties (more than some threshold number) can then cooperate to use the cryptosystem.

More precisely, letn{\displaystyle n} be the number of parties. A cryptosystem is called(t,n)-threshold, if at leastt of these parties can cooperate to perform the desired operation (usually sign a message or decrypt a ciphertext), while any subset of fewer thant parties cannot.[1]

Threshold cryptography allows to store secrets in multiple locations to prevent the capture of the secret and the subsequentcryptanalysis of that system. This makes the method a primary trust sharing mechanism, besides its safety of storage aspects.

Constructions for threshold cryptosystems often combine an existing non-threshold cryptosystem with asecret sharing.

History

[edit]

Perhaps the first system with complete threshold properties for atrapdoor function (such asRSA) and a proof of security was published in 1994 by Alfredo De Santis, Yvo Desmedt, Yair Frankel, andMoti Yung.[2]

Historically, only organizations with very valuable secrets, such ascertificate authorities, the military, and governments made use of this technology. One of the earliest implementations was done in the 1990s byCertco for the planned deployment of the originalSecure electronic transaction.[3]However, in October 2012, after a number of large public website password ciphertext compromises,RSA Security announced that it would release software to make the technology available to the general public.[4]

In March 2019, the National Institute of Standards and Technology (NIST) conducted a workshop on threshold cryptography to establish consensus on applications, and define specifications.[5] In July 2020, NIST published "Roadmap Toward Criteria for Threshold Schemes for Cryptographic Primitives" as NIST IR 8214A[6]. In August 2022, NIST published an initial public draft for "Notes on Threshold EdDSA/Schnorr Signatures" as NIST IR 8214B.[7] In January 2023, NIST published an initial public draft for the "NIST First Call for Multi-Party Threshold Schemes" as NIST IR 8214C, followed by a second public draft in March 2025.[8]

Threshold signatures

[edit]

In a(t,n) threshold signature scheme, a signing key is split inton shares, each share being given to a party. Any subset of at leastt of then parties behaving honestly can cooperate to jointly sign a message. On the other hand, every subset of fewer thant parties cannot forge a signature, even if they collude.

There is a trivial way to create a threshold signature scheme using anysignature scheme. Each of then parties generates its own secret signing key, and publishes the corresponding verification key. A party willing to sign a message simply signs it with its own individual key, and publishes its signature. A signature for the threshold signature scheme is a concatenation of (at least)t individual signatures, and can be verified by verifying the individual signatures one by one. The downside of this trivial approach is that the size of the signature and the time needed for verification grows linearly witht. Usually, it is desired that the size of the signature and the time needed for verification are constant int andn.

Many existing signature schemes have been thresholdized, notablySchnorr signatures[9],ECDSA[10][11][12], andBLS[13].

Threshold decryption

[edit]

Similarly to threshold signatures, public-key encryption schemes can be thresholdized, so that at leastt parties must cooperate to decrypt a message.

Such threshold versions have been defined by the above and for the following schemes:

See also

[edit]

References

[edit]
  1. ^Desmedt, Yvo; Frankel, Yair (1990)."Threshold cryptosystems". In Brassard, Gilles (ed.).Advances in Cryptology — CRYPTO' 89 Proceedings. Lecture Notes in Computer Science. Vol. 435. New York, NY: Springer. pp. 307–315.doi:10.1007/0-387-34805-0_28.ISBN 978-0-387-34805-6.
  2. ^Alfredo De Santis, Yvo Desmedt, Yair Frankel,Moti Yung: How to share a function securely. STOC 1994: 522-533[1]
  3. ^Visa and Mastercard have just announced the selection of two companies -- CertCo and Spyrus, 1997-05-20, retrieved2019-05-02.
  4. ^Tom Simonite (2012-10-09)."To Keep Passwords Safe from Hackers, Just Break Them into Bits".Technology Review. Retrieved2020-10-13.
  5. ^"Threshold Cryptography".csrc.nist.gov. 2019-03-20. Retrieved2019-05-02.
  6. ^Brandão, Luís T. A. N.; Davidson, Michael; Vassilev, Apostol (2020-07-07)."NIST Roadmap Toward Criteria for Threshold Schemes for Cryptographic Primitives".Computer Security Resource Center.NIST.doi:10.6028/NIST.IR.8214A. Retrieved2021-09-19.
  7. ^Brandão, Luís T. A. N.; Davidson, Michael (2022-12-08)."Notes on Threshold EdDSA/Schnorr Signatures".Computer Security Resource Center.NIST.doi:10.6028/NIST.IR.8214B.ipd. Retrieved2025-10-21.
  8. ^Brandão, Luís T. A. N.; Peralta, Rene (2025-03-27)."NIST First Call for Multi-Party Threshold Schemes".Computer Security Resource Center.NIST.doi:10.6028/NIST.IR.8214C.2pd. Retrieved2025-10-21.
  9. ^Komlo, Chelsea; Goldberg, Ian (2021)."FROST: Flexible Round-Optimized Schnorr Threshold Signatures". In Dunkelman, Orr; Jacobson, Michael J. Jr.; O'Flynn, Colin (eds.).Selected Areas in Cryptography. Lecture Notes in Computer Science. Vol. 12804. Cham: Springer International Publishing. pp. 34–65.doi:10.1007/978-3-030-81652-0_2.ISBN 978-3-030-81652-0.S2CID 220794784.
  10. ^Green, Marc; Eisenbarth, Thomas (2015)."Strength in Numbers: Threshold ECDSA to Protect Keys in the Cloud"(PDF).IACR.
  11. ^Gennaro, Rosario; Goldfeder, Steven; Narayanan, Arvind (2016)."Threshold-optimal DSA/ECDSA signatures and an application to Bitcoin wallet security"(PDF).Applied Cryptography and Network Security. ACNS 2016.doi:10.1007/978-3-319-39555-5_9.
  12. ^Gągol, Adam; Straszak, Damian; Świętek, Michał; Kula, Jędrzej (2019)."Threshold ECDSA for Decentralized Asset Custody"(PDF).IACR.
  13. ^Bacho, Renas; Loss, Julian (2022)."On the Adaptive Security of the Threshold BLS Signature Scheme".Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS '22). Los Angeles, CA, USA: Association for Computing Machinery. pp. 193–207.doi:10.1145/3548606.3560656.ISBN 9781450394505.
  14. ^Ivan Damgård, Mads Jurik:A Length-Flexible Threshold Cryptosystem with Applications. ACISP 2003: 350-364
  15. ^Ivan Damgård, Mads Jurik:A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System. Public Key Cryptography 2001: 119-136
  16. ^Nishide, Takashi; Sakurai, Kouichi (2011)."Distributed Paillier Cryptosystem without Trusted Dealer". In Chung, Yongwha; Yung, Moti (eds.).Information Security Applications. Lecture Notes in Computer Science. Vol. 6513. Berlin, Heidelberg: Springer. pp. 44–60.doi:10.1007/978-3-642-17955-6_4.ISBN 978-3-642-17955-6.
Algorithms
Integer factorization
Discrete logarithm
Lattice/SVP/CVP/LWE/SIS
Others
Theory
Standardization
Topics
General
Mathematics
Retrieved from "https://en.wikipedia.org/w/index.php?title=Threshold_cryptosystem&oldid=1336993883"
Category:
Hidden categories:
[8]ページ先頭
©2009-2026 Movatter.jp