This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the present disclosure that are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present disclosure. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.
Threshold cryptography relies on a cryptographic function (such as a decryption function or a signature function) being implemented in a distributed way on a plurality of devices that each store a piece of private data and that can collaborate: when a number of devices beyond a defined threshold collaborate, the cryptographic function can be executed. In the rest of the document, we focus on threshold signature schemes. Threshold signature schemes were first described in the article “Threshold Cryptosystems” by Y. Desmedt et al., published in the proceedings of the conference Crypto '89. In a threshold signature scheme a secret key is split into several private shares that are distributed among n devices; such distribution is performed either by a trusted device (a dealer) or by an interactive key generation protocol run among the devices. Hence, the secret key never exists in full on any single device but is distributed across the devices involved in the scheme. To sign a message M, any subset of strictly more than t devices can use their shares of the secret key and execute an interactive signature generation protocol, which outputs a signature of M that anybody can verify using a single fixed public key. The security notion for threshold signature schemes requires that no polynomial-time adversary that corrupts up to t devices can learn any information about the secret key, or forge a valid signature on a new message of its choice, whether the shares were generated with the help of a trusted dealer or without one by running an interactive protocol among all devices.
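The following is an added illustration and is not part of the original disclosure: a toy (t, n)-threshold Schnorr signature in Python with a trusted dealer, in which any t + 1 of the n devices can jointly produce a signature that a single fixed public key verifies, while t devices cannot. The group parameters (a 64-bit safe prime found at start-up), the use of SHA-256 as the hash, and all function names are choices made for this example and provide no real security. Note that the signing protocol needs one round of interaction among the devices (exchange of the nonce commitments R_i), which is precisely the cost that adaptively secure non-interactive schemes try to avoid, and that it omits the safeguards (nonce commitments, verifiable dealing, proactive refresh) a deployable scheme would require.

```python
"""Toy (t, n)-threshold Schnorr signature with a trusted dealer (added example)."""
import hashlib
import secrets

# --- Group parameters (assumption of this example): a 64-bit safe prime
# p = 2q + 1 found deterministically at import time, and g = 4 of order q.
# Far too small for real use; it only keeps the arithmetic visible.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_prime(n: int) -> bool:
    """Miller-Rabin; the fixed bases above are deterministic below 3.3e24."""
    if n < 2:
        return False
    for sp in _MR_BASES:          # trial division, also handles n being a base
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> int:
    """Smallest odd q >= start with q and 2q + 1 prime; returns p = 2q + 1."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = find_safe_prime(1 << 62)
Q = (P - 1) // 2
G = 4                      # 4 = 2^2 is a quadratic residue mod P, so its order is Q
_NBYTES = (P.bit_length() + 7) // 8


def lagrange_at_zero(i: int, indices) -> int:
    """Coefficient lambda_i such that sum(lambda_i * f(i)) = f(0) over `indices`."""
    num = den = 1
    for j in indices:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def deal_shares(t: int, n: int):
    """Trusted dealer: random degree-t polynomial f with f(0) = x; share i is f(i).
    Returns the fixed public key y = g^x and the shares; x itself is discarded."""
    coeffs = [secrets.randbelow(Q) for _ in range(t + 1)]
    shares = {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    return pow(G, coeffs[0], P), shares


def reconstruct_secret(subset: dict) -> int:
    """Lagrange interpolation at 0; correct only with at least t + 1 shares."""
    return sum(lagrange_at_zero(i, subset) * s for i, s in subset.items()) % Q


def challenge(R: int, y: int, msg: bytes) -> int:
    """Fiat-Shamir challenge e = H(R, y, M) reduced mod q."""
    h = hashlib.sha256(R.to_bytes(_NBYTES, "big") + y.to_bytes(_NBYTES, "big") + msg)
    return int.from_bytes(h.digest(), "big") % Q


def threshold_sign(shares: dict, signers, y: int, msg: bytes):
    """Devices listed in `signers` jointly sign `msg`.
    Round 1: device i picks a nonce k_i and broadcasts R_i = g^k_i.
    Round 2: with R = prod R_i and e = H(R, y, M), device i outputs
             s_i = k_i + e * lambda_i * x_i; the sum s of all s_i is the signature.
    Only the s_i leave the devices; the shares x_i never do."""
    signers = sorted(signers)
    nonces = {i: 1 + secrets.randbelow(Q - 1) for i in signers}
    R = 1
    for i in signers:
        R = R * pow(G, nonces[i], P) % P
    e = challenge(R, y, msg)
    s = sum(nonces[i] + e * lagrange_at_zero(i, signers) * shares[i]
            for i in signers) % Q
    return R, s


def verify(y: int, msg: bytes, sig) -> bool:
    """Ordinary Schnorr verification against the single public key: g^s == R * y^e."""
    R, s = sig
    return pow(G, s, P) == R * pow(y, challenge(R, y, msg), P) % P


if __name__ == "__main__":
    y, shares = deal_shares(t=2, n=5)
    msg = b"constructed sample message"
    print("3 of 5 devices:", verify(y, msg, threshold_sign(shares, [1, 3, 5], y, msg)))
    print("2 of 5 devices:", verify(y, msg, threshold_sign(shares, [2, 4], y, msg)))
```

Because the Lagrange coefficients satisfy the sum of lambda_i * x_i = x only when at least t + 1 shares are combined, the same signing code run by t devices yields a value that fails verification, which is the threshold property the text describes; the verifier never learns, or needs to know, which devices took part.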
The security of threshold signature schemes has been extensively studied during the past years. Indeed, a number of requirements have been raised, such as robustness (proven either in the random oracle model or in the standard model), proactive security (periodic refreshing of the shares), support for a threshold t as high as possible, efficiency in terms of computation, efficiency in terms of the number of interactions between devices, the length of the shares, whether a trusted device is needed, and the adversary model (i.e. a static adversary, which chooses the corrupted devices before the protocol starts, or an adaptive, also called dynamic, adversary, which may corrupt devices while it runs), and some threshold signature schemes have been proposed in order to meet some of these requirements.
However, currently known adaptively secure threshold signatures require either interaction among servers during the signing process, long private key shares, or reliable erasures (namely, servers should be able to perfectly erase intermediate computation results). Indeed, to the authors' knowledge, the most efficient adaptively secure non-interactive threshold signature is currently the construction obtained by applying the techniques disclosed in the article “Shorter IBE and Signatures via Asymmetric Pairings” by J. Chen et al., published in the proceedings of the conference Pairing 2012, to the system disclosed in the article entitled “Adaptively Secure Non-Interactive Threshold Cryptosystems” by B. Libert et al., published in the proceedings of the conference ICALP 2011. Concretely, at the 128-bit security level, each signature consists of 4 group elements of 256 bits each, i.e. 1024 bits in total. However, the latter scheme requires reliable erasures at each server.
The proposed technique aims to fill that gap.