[cryptography] Practical Threshold Signatures

realcr realcr at gmail.com
Tue Nov 12 12:33:49 EST 2013

Hi, I recently read the article "Threshold Signatures, Multisignatures and
Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme", written
Alexandra Boldyreva. Link can be found here:
https://www.iacr.org/archive/pkc2003/25670031/25670031.pdf.  (Note: If you
going to read this, my question refers to the first parts of the article -
part 3 and including it.)

Does anyone here have any past experience with working implementations of
Threshold Signature mechanisms, or can point me somehow on the path to
implementing this the right way?

I will elaborate a bit about what I already know:

About Threshold Signatures:
There are n parties, and we want that k out of those n parties will have the
ability to sign in the name of the whole group of n parties. The naive
could be to collect enough regular signatures from k participants, and the
concatenated result could serve us as a crude Threshold Signature.

A more advanced solution might be able to produce a final signature which
is of
smaller size, or even of the same size of a regular signature.

Very short summary of the first part of Alexandra's article:
- There are some groups where the Gap Diffie Hellman property is assumed
(It is
    easy to solve the Decisional Diffie Hellman problem, but hard to solve
    Computational Diffie Hellman problem).

- Given that g is some (known to all parties) element of the group G, in
    to generate an identity to sign with, a party randomizes some x, and
defines y
    = g^x to be the public key.

- In order to sign a message m, the party calculates (H(m))^x, where H is a
    function into G.

- A secret x could be shared (For example using Shamir secret sharing), and
    every party gets a private share of the secret. Thus party P_i for
    gets its share x_i of the secret.

- Because of the very simple structure of the signature, it is possible to
    combine signature shares of the form (H(m))^x_i together using lagrange
    interpolation to get the signature over the message m, which will
result in

My question about this scheme is as follows: Do you guys know any good GDH
diffie hellman) groups that we can actually count on? I didn't manage to
anything myself. In addition, I notice that the signature proposed does not
involve any randomness in it. (It looks like ElGamal without the extra
what do you think about it?

Modified ElGamal Alternative:
If you managed to read so far, you must be interested enough to hear about
another alternative. I found the article "Group-oriented (t,n) threshold
signature scheme and digital multisignature" by L.Harn.

This article proposes some kind of modified ElGamal algorithm to be able to
do a
similar trick, in order to acheive threshold signatures. My problem here is
I'm not sure whether this modification is something that I can actually
and what is the right way to generate keys for this modified algorithm.

Victor Shoup's RSA Threshold Signatures:
I read a bit about Victor Shoup's idea for Threshold signatures in the
"Practical Threshold Signatures". I really liked it, though I can't put that
into use because it requires a trusted party to set up the secrets before
protocols begin. The other two options I discussed above have the following
attractive property: The secret is just a random number, not a pair of prime
numbers or any special number theoretical object. Thus it is far easier to
the secrets between the parties in the protocol in a distributed manner.

I am aware of some attempts in other articles to remove the trusted party
out of
the pre-setting of secrets in Victor Shoup's Threshold Signature, however it
seems to be very communication Expensive, much more than the actual
protocol I
want to run later. Thus I prefer not the use this schema, and I really want
make one of the former discussed schemas work.

If you happen to know about working code on this subject, or an idea about
implementing a nice one, please make sure to drop a message. I would
like to participate if you are coding something of this type.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20131112/943ec658/attachment.html>

More information about the cryptography mailing list