Practical threshold signatures with linear secret sharing schemes

Abstract

Function sharing deals with the problem of distribution of the computation of a function (such as decryption or signature) among several parties. The necessary values for the computation are distributed to the participating parties using a secret sharing scheme (SSS). Several function sharing schemes have been proposed in the literature, with most of them using Shamir secret sharing as the underlying SSS. In this paper, we investigate how threshold cryptography can be conducted with any linear secret sharing scheme and present a function sharing scheme for the RSA cryptosystem. The challenge is that constructing the secret in a linear SSS requires the solution of a linear system, which normally involves computing inverses, while computing an inverse modulo φ(N) cannot be tolerated in a threshold RSA system in any way. The threshold RSA scheme we propose is a generalization of Shoup's Shamir-based scheme. It is similarly robust and provably secure under the static adversary model. At the end of the paper, we show how this scheme can be extended to other public key cryptosystems and give an example on the Paillier cryptosystem. © 2009 Springer Berlin Heidelberg.