2

Threshold decryption of public-key encryption schemes allows the decryption key to be distributed among trustees. Decrypting a ciphertext then requires at least a threshold of t trustees to run the decryption protocol in order to recover the plaintext.

Now, most of the literature is either based on generic multiparty computation (which I am not keen on for some reason) or based on distributed RSA decryption and sharing RSA functions.

Are there any other ways of achieving distributed asymmetric key threshold decryption?
Will elliptic curves be a good choice for distributing the decryption?

vishnuvp
sashank

2 Answers

6

I assume you are asking about a threshold encryption scheme, in which a dealer generates $(PK,SK_1,\dots,SK_n)$ and distributes the secret keys to users indexed by $1,\dots,n$, and if a combiner obtains $t$ partially decrypted ciphertexts, it can retrieve the plaintext.

  • Dodis and Katz showed a generic construction of a CCA-secure threshold encryption scheme from a secret sharing scheme and a CCA-secure labeled PKE scheme. See the paper, Dodis and Katz: Chosen-Ciphertext Security of Multiple Encryption (TCC 2005).
  • DDH-based constructions (in the ROM) are proposed by Gennaro and Shoup: Securing threshold cryptosystems against chosen ciphertext attack (EUROCRYPT 1998, JoC 2002).
  • You can also find a pairing-based construction in Boneh, Boyen and Halevi: Chosen Ciphertext Secure Public Key Threshold Encryption Without Random Oracles (CT-RSA 2006).
xagawa
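
The dealer/combiner model described in the answer above, shown as an added example that is not part of either answer or of the cited papers: textbook threshold ElGamal in a DDH group, with the key Shamir-shared and the combiner interpolating in the exponent. The parameters `P`, `Q`, `G` are constructed toy values and all function names are assumptions; this basic variant is only CPA-secure and does not check that decryption shares are well formed, which is what the cited CCA-secure constructions add.

```python
import secrets

# Constructed toy parameters: safe prime P = 2Q + 1; G = 4 generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def deal(n, t):
    """Trusted dealer: pick sk, Shamir-share it with a degree t-1 polynomial over Z_Q."""
    coeffs = [1 + secrets.randbelow(Q - 1)] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}           # requires n < Q
    return pow(G, coeffs[0], P), shares           # (PK, {i: SK_i})

def encrypt(pk, m):
    """Plain ElGamal; m must be an element of the order-Q subgroup."""
    r = 1 + secrets.randbelow(Q - 1)
    return pow(G, r, P), m * pow(pk, r, P) % P    # (c1, c2)

def partial_decrypt(sk_i, c1):
    """Trustee i publishes only c1^{SK_i}; SK_i itself never leaves the trustee."""
    return pow(c1, sk_i, P)

def lagrange_at_zero(i, ids):
    """Lagrange coefficient of index i over the set ids, evaluated at x = 0 (mod Q)."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def combine(partials, ct, t):
    """Combiner: rebuild c1^sk from t decryption shares, then unmask c2."""
    if len(partials) < t:
        raise ValueError("need at least t decryption shares")
    ids = sorted(partials)[:t]
    mask = 1
    for i in ids:
        mask = mask * pow(partials[i], lagrange_at_zero(i, ids), P) % P
    return ct[1] * pow(mask, -1, P) % P

if __name__ == "__main__":
    pk, shares = deal(n=5, t=3)
    msg = pow(G, 321, P)                          # constructed sample plaintext
    ct = encrypt(pk, msg)
    parts = {i: partial_decrypt(shares[i], ct[0]) for i in (2, 4, 5)}
    print(combine(parts, ct, 3) == msg)
```

The secret key is never reconstructed at any point: the combiner only ever sees the values `c1^{SK_i}`.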
0

I'll add a new one: Secure Multiparty Computation from Threshold Encryption based on Class Groups (2023 CRYPTO)

Eric_Qin