Threshold cryptography

You are here:
< All Topics

A secret can be shared among n parties in such a way that t or more of them can recreate the secret. At the same time, t-1 parties have no information about the secret. This enables fine-grained control over a secret such as secret keys. The secret does not have to be recovered directly, but rather the secret shares can be used to perform linear operations. This includes some signature schemes, such as Schnorr signatures, where all key operations are linear. Each of the t parties will sign the message using their key share such that the resulting signature is created by the full secret key but that key is never revealed in the clear. Such a signature scheme is called a threshold signature. Linear secret sharing schemes rely on the observation that a degree t-1 polynomial can be interpolated given any t distinct points along with the polynomial evaluated at these points. However, given just t-1 evaluations the polynomial remains completely undefined.

Previous Zero-knowledge proofs
Next Non-interactive sigma-protocols
Table of Contents