[ Last changed: 27th January 1997 ]
Often the power to use a cryptosystem has to be shared. In threshold schemes, k-out-of-l have the power to generate a secret key (while less than k have not). However threshold schemes cannot be used directly in many applications, such as threshold signatures in which k-out-of-l have to co-sign a message. For a normal threshold scheme would require the shareholders to send their shares to a trusted person who would sign for them. But the use of such a trusted person violates the main point of threshold signatures!
The first concepts of threshold cryptography were independently introduced by Boyd, Croft-Harris and Desmedt; and schemes for threshold decryption, threshold authentication and threshold signature have been presented recently. At Crypto '92, Micali argued that the use of verifiable threshold schemes would facilitate the enforcement of court ordered wiretapping.
We first overview the research in the field and then present a threshold signature scheme which is as secure as RSA. This has the property that a court does not need to order the disclosure of a master key, but only the decryption of individual messages.