Practical Threshold Signatures

  • Victor Shoup
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1807)


We present an RSA threshold signature scheme. The scheme enjoys the following properties:
  1. 1.

    it is unforgeable and robust in the random oracle model, assuming the RSA problem is hard;

  2. 2.

    signature share generation and verification is completely non-interactive;

  3. 3.

    the size of an individual signature share is bounded by a constant times the size of the RSA modulus.



Hash Function Signature Scheme Secret Sharing Random Oracle Signature Share 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. BBM00. M. Bellare, A. Boldyreva, and S. Micali. Public-key encryption in a multi-user setting: security proofs and improvements. In Advances in Cryptology-Eurocrypt 2000, pages 259–274, 2000.Google Scholar
  2. BR93. M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In First ACM Conference on Computer and Communications Security, pages 62–73, 1993.Google Scholar
  3. CKS00. C. Cachin, K. Kursawe, and V. Shoup. Random oracles in Constantinople: practical asynchronous Byzantine agreement using cryptography. Manuscript, 2000.Google Scholar
  4. CP92. D. Chaum and T. Pedersen. Wallet databases with observers. In Advances in Cryptology-Crypto’ 92, pages 89–105, 1992.Google Scholar
  5. DDFY94. A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to share a function securely. In 26th Annual ACM Symposium on Theory of Computing, pages 522–533, 1994.Google Scholar
  6. Des87. Y. Desmedt. Society and group oriented cryptography: a new concept. In Advances in Cryptology-Crypto’ 87, pages 120–127, 1987.Google Scholar
  7. DF89. Y. Desmedt and Y. Frankel. Threshold cryptosystems. In Advances in Cryptology-Crypto’ 89, pages 307–315, 1989.Google Scholar
  8. DF91. Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In Advances in Cryptology-Crypto’ 91, pages 457–569, 1991.Google Scholar
  9. ElG85. T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory, 31:469–472, 1985.zbMATHCrossRefMathSciNetGoogle Scholar
  10. FD92. Y. Frankel and Y. Desmedt. Parallel reliable threshold multisignature. Technical Report TR-92-04-02, Univ. of Wisconsin-Milwaukee, 1992.Google Scholar
  11. Fel87. P. Feldman. A practical scheme for non-interactive verifiable secret sharing. In 28th Annual Symposium on Foundations of Computer Science, pages 427–437, 1987.Google Scholar
  12. FGMY97a. Y. Frankel, P. Gemmall, P. MacKenzie, and M. Yung. Optimal-resilience proactive public-key cryptosystems. In 38th Annual Symposium on Foundations of Computer Science, 1997.Google Scholar
  13. FGMY97b. Y. Frankel, P. Gemmall, P. MacKenzie, and M. Yung. Proactive RSA. In Advances in Cryptology-Crypto’ 97, 1997.Google Scholar
  14. FS87. A. Fiat and A. Shamir. How to prove yourself: practical solutions to identification and signature problems. In Advances in Cryptology-Crypto’ 86, Springer LNCS 263, pages 186–194, 1987.Google Scholar
  15. GJKR96a. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust and efficient sharing of RSA functions. In Advances in Cryptology-Crypto’ 96, pages 157–172, 1996.Google Scholar
  16. GJKR96b. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust threshold DSS. In Advances in Cryptology-Eurocrypt’ 96, pages 354–371, 1996.Google Scholar
  17. Har94. L. Harn. Group-oriented (t, n) threshold digitial signature scheme and digital multisignature. IEE Proc.-Comput. Digit. Tech., 141(5):307–313, 1994.CrossRefGoogle Scholar
  18. MS95. S. Micali and R. Sidney. A simple method for generating and sharing pseudo-random functions, with applications to Clipper-like key escrow systems. In Advances in Cryptology-Crypto’ 95, pages 185–196, 1995.Google Scholar
  19. NR97. M. Naor and O. Reingold. Number-theoretic constructions of efficient pseudo-random functions. In 38th Annual Symposium on Foundations of Computer Science, 1997.Google Scholar
  20. Rab98. T. Rabin. A simplified approach to threshold and proactive RSA. In Advances in Cryptology-Crypto’ 98, 1998.Google Scholar
  21. RSA78. R. L. Rivest, A. Shamir, and L. M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, pages 120–126, 1978.Google Scholar
  22. Sha79. A. Shamir. How to share a secret. Communications of the ACM, 22:612–613, 1979.CrossRefGoogle Scholar
  23. Sho97. V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology-Eurocrypt’ 97, 1997.Google Scholar
  24. Sho99. V. Shoup. On formal models for secure key exchange. IBM Research Report RZ 3120, April 1999.Google Scholar
  25. Sta96. M. Stadler. Publicly verifiable secret sharing. In Advances in Cryptology-Eurocrypt’ 96, pages 190–199, 1996.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Victor Shoup
    • 1
  1. 1.IBM Zürich Research LabRüschlikonSwitzerland

Personalised recommendations