Robust Threshold DSS Signatures

  • Rosario Gennaro
  • Stanisław Jarecki
  • Hugo Krawczyk
  • Tal Rabin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1070)


We present threshold DSS (Digital Signature Standard) signatures where the power to sign is shared by n players such that for a given parameter t < n/2 any subset of 2t + 1 signers can collaborate to produce a valid DSS signature on any given message, but no subset of t corrupted players can forge a signature (in particular, cannot learn the signature key). In addition, we present a robust threshold DSS scheme that can also tolerate n/3 players who refuse to participate in the signature protocol. We can also endure n/4 maliciously faulty players that generate incorrect partial signatures at the time of signature computation. This results in a highly secure and resilient DSS signature system applicable to the protection of the secret signature key, the prevention of forgery, and increased system availability.

Our results significantly improve over a recent result by Langford from CRYPTO’95 that presents threshold DSS signatures which can withstand only much smaller subsets of corrupted players, namely t ≈ √n, and do not enjoy the robustness property. As in the case of Langford’s result, our schemes require no trusted party. Our techniques apply to other threshold ElGamal-like signatures as well. We prove the security of our schemes solely based on the hardness of forging a regular DSS signature.
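The following toy illustrates, in working code, why a 2t + 1 quorum (and hence t < n/2) appears in the abstract: DSS signing multiplies two secret-shared values, and the product of two degree-t Shamir sharings has degree 2t. This is an added example, not code from the paper; the group constants, the dealer that shares the nonce k and the helper value a (the paper generates them jointly without a trusted party), the helper-value inversion technique, and all function names are this example's own assumptions.

```python
import random
from math import prod

# Toy DSS group (constructed, far too small for real use): q = 11 divides p - 1
# and g = 4 has order q modulo p.
P, Q, G = 23, 11, 4

def shamir_share(secret, t, n, rng=random):
    """Degree-t Shamir sharing of secret over GF(q); returns {player: share}."""
    coeffs = [secret] + [rng.randrange(Q) for _ in range(t)]
    return {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}

def lagrange_coeffs(players):
    """Lagrange coefficients that evaluate a polynomial at 0 from its values at players."""
    return {i: prod(j * pow(j - i, -1, Q) for j in players if j != i) % Q for i in players}

def reconstruct(shares):
    lam = lagrange_coeffs(list(shares))
    return sum(v * lam[i] for i, v in shares.items()) % Q

def dss_verify(m, r, s, y):
    w = pow(s, -1, Q)
    return (pow(G, m * w % Q, P) * pow(y, r * w % Q, P) % P) % Q == r

def threshold_sign(m, x_sh, t, n, rng=random):
    """DSS signature on hash value m from 2t+1 partial signatures. A dealer shares the
    nonce k and a helper a here (assumption); the paper generates them jointly, no dealer."""
    k, a = rng.randrange(1, Q), rng.randrange(1, Q)
    k_sh, a_sh = shamir_share(k, t, n, rng), shamir_share(a, t, n, rng)
    quorum = list(range(1, 2 * t + 2))          # any 2t+1 players; here the first ones
    # r = (g^k mod p) mod q: k is shared with degree t, so t+1 published g^{k_i} suffice
    lam = lagrange_coeffs(quorum[:t + 1])
    r = prod(pow(pow(G, k_sh[i], P), lam[i], P) for i in quorum[:t + 1]) % P % Q
    # k_i * a_i shares mu = k*a with degree 2t, so opening mu takes 2t+1 values
    mu = reconstruct({i: k_sh[i] * a_sh[i] % Q for i in quorum})
    # mu^{-1} * a_i shares k^{-1} with degree t; times the degree-t sharing of (m + x r)
    # it has degree 2t, so the signature needs 2t+1 partial signatures as well
    inv_mu = pow(mu, -1, Q)
    partial = {i: inv_mu * a_sh[i] * (m + x_sh[i] * r) % Q for i in quorum}
    return r, reconstruct(partial)

def demo(n=7, t=2, x=3, m=3, seed=0):
    """Share key x among n players (t < n/2), sign with 2t+1, verify against y = g^x.
    x and m are constructed so that m + x*r is never 0 mod q in this toy group."""
    rng = random.Random(seed)
    r, s = threshold_sign(m, shamir_share(x, t, n, rng), t, n, rng)
    return dss_verify(m, r, s, pow(G, x, P))
```

Fewer than 2t + 1 partial signatures interpolate a degree-2t polynomial incorrectly in general, while t shares of x alone are consistent with every possible key, which is the separation between availability and secrecy the abstract describes.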




  1. [BGW88] M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness Theorems for Noncryptographic Fault-Tolerant Distributed Computations. In Proc. 20th ACM Symp. on Theory of Computing, pages 1–10, 1988.
  2. [Boy86] C. Boyd. Digital Multisignatures. In H. Baker and F. Piper, editors, Cryptography and Coding, pages 241–246. Clarendon Press, 1986.
  3. [BW] E. Berlekamp and L. Welch. Error correction of algebraic block codes. US Patent 4,633,470.
  4. [CCD88] D. Chaum, C. Crepeau, and I. Damgard. Multiparty Unconditionally Secure Protocols. In Proc. 20th ACM Symp. on Theory of Computing, pages 11–19, 1988.
  5. [Cha90] D. Chaum. Zero-knowledge undeniable signatures. In Proc. EUROCRYPT 90, pages 458–464. Springer-Verlag, 1990. Lecture Notes in Computer Science No. 473.
  6. [DDFY94] Alfredo De Santis, Yvo Desmedt, Yair Frankel, and Moti Yung. How to share a function securely. In Proc. 26th ACM Symp. on Theory of Computing, pages 522–533, Santa Fe, 1994.
  7. [Des88] Yvo Desmedt. Society and group oriented cryptography: A new concept. In Carl Pomerance, editor, Proc. CRYPTO 87, pages 120–127. Springer-Verlag, 1988. Lecture Notes in Computer Science No. 293.
  8. [Des94] Yvo G. Desmedt. Threshold cryptography. European Transactions on Telecommunications, 5(4):449–457, July 1994.
  9. [DF90] Yvo Desmedt and Yair Frankel. Threshold cryptosystems. In G. Brassard, editor, Proc. CRYPTO 89, pages 307–315. Springer-Verlag, 1990. Lecture Notes in Computer Science No. 435.
  10. [DF92] Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Proc. CRYPTO 91, pages 457–469. Springer-Verlag, 1992. Lecture Notes in Computer Science No. 576.
  11. [ElG85] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Info. Theory, IT-31, 1985.
  12. [Fel87] P. Feldman. A Practical Scheme for Non-Interactive Verifiable Secret Sharing. In Proc. 28th IEEE Symp. on Foundations of Comp. Science, pages 427–437, 1987.
  13. [FGY96] Y. Frankel, P. Gemmell, and M. Yung. Witness-based cryptographic program checking and robust function sharing. To appear in proceedings of STOC 96, 1996.
  14. [FM88] P. Feldman and S. Micali. An Optimal Algorithm for Synchronous Byzantine Agreement. In Proc. 20th ACM Symp. on Theory of Computing, pages 148–161, 1988.
  15. [fST91] National Institute for Standards and Technology. Digital Signature Standard (DSS). Technical Report 169, August 30, 1991.
  16. [Gen96] Rosario Gennaro. Theory and practice of verifiable secret sharing. Ph.D. thesis, Massachusetts Institute of Technology, to appear, 1996.
  17. [GJKR96] Rosario Gennaro, Stanislaw Jarecki, Hugo Krawczyk, and Tal Rabin. Robust and efficient sharing of RSA functions. Manuscript, 1996.
  18. [GMR88] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Computing, 17(2):281–308, April 1988.
  19. [GMR89] S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof-systems. SIAM J. Computing, 18(1):186–208, February 1989.
  20. [Har94] L. Harn. Group oriented (t,n) digital signature scheme. IEE Proc.-Comput. Digit. Tech., 141(5), Sept 1994.
  21. [HJJ+95] Amir Herzberg, Markus Jakobsson, Stanislaw Jarecki, Hugo Krawczyk, and Moti Yung. Proactive public key and signature systems. Manuscript, 1995.
  22. [HJKY95] Amir Herzberg, Stanislaw Jarecki, Hugo Krawczyk, and Moti Yung. Proactive secret sharing, or: How to cope with perpetual leakage. In Proc. CRYPTO 95. Springer-Verlag, August 1995. Lecture Notes in Computer Science No. 963.
  23. [HPM94] P. Horster, H. Petersen, and M. Michels. Meta-ElGamal signature schemes. In 2nd ACM Conference on Computer and Communications Security, pages 96–107, 1994.
  24. [Lan95] S. Langford. Threshold DSS signatures without a trusted party. In Proc. CRYPTO 95, pages 397–409. Springer-Verlag, 1995. Lecture Notes in Computer Science No. 963.
  25. [MR92] S. Micali and P. Rogaway. Secure computation. In J. Feigenbaum, editor, Proc. CRYPTO 91, pages 392–404. Springer-Verlag, 1992. Lecture Notes in Computer Science No. 576.
  26. [MS81] R. McEliece and D. Sarwate. On sharing secrets and Reed-Solomon codes. Communications of the ACM, 24(9):583–584, September 1981.
  27. [NR94] K. Nyberg and R. Rueppel. Message recovery for signature schemes based on the discrete logarithm problem. In Proc. EUROCRYPT 94, pages 175–190, 1994.
  28. [Ped91a] T. Pedersen. Distributed provers with applications to undeniable signatures. In Proc. EUROCRYPT 91, 1991.
  29. [Ped91b] T. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In Proc. CRYPTO 91, pages 129–140, 1991.
  30. [Rab95] M. Rabin. A Simplification Approach to Distributed Multiparty Computations. Personal communication, 1995.
  31. [Sch91] C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4:161–174, 1991.
  32. [Sha79] A. Shamir. How to Share a Secret. Communications of the ACM, 22:612–613, 1979.

Copyright information

© Springer-Verlag Berlin Heidelberg 1996

Authors and Affiliations

  • Rosario Gennaro (1)
  • Stanisław Jarecki (1)
  • Hugo Krawczyk (2)
  • Tal Rabin (1)

  1. MIT Laboratory for Computer Science, Cambridge, USA
  2. IBM T.J. Watson Research Center, Yorktown Heights, USA
