{{Short description|Type of cryptosystem}}

A '''threshold cryptosystem''', the basis for the field of '''threshold cryptography''', is a cryptosystem in which the secret key is split into a number of pieces that are given to different parties. Several parties (more than some threshold number) can then cooperate to use the cryptosystem.

More precisely, let <math>n</math> be the number of parties. A cryptosystem is called ''(t,n)''-threshold, if at least ''t'' of these parties can cooperate to perform the desired operation (usually sign a message or decrypt a ciphertext), while any subset of fewer than ''t'' parties cannot.<ref>{{Cite book |last1=Desmedt |first1=Yvo |last2=Frankel |first2=Yair |title=Advances in Cryptology — CRYPTO' 89 Proceedings |chapter=Threshold cryptosystems |date=1990 |editor-last=Brassard |editor-first=Gilles |chapter-url=https://link.springer.com/chapter/10.1007/0-387-34805-0_28 |series=Lecture Notes in Computer Science |volume=435 |language=en |location=New York, NY |publisher=Springer |pages=307–315 |doi=10.1007/0-387-34805-0_28 |isbn=978-0-387-34805-6}}</ref>

Threshold cryptography allows a secret to be stored in multiple locations, so that compromising any single location does not expose the secret or enable subsequent cryptanalysis of the system. Beyond this safety-of-storage aspect, the method is also a primary mechanism for sharing trust among several parties.

Constructions for threshold cryptosystems often combine an existing non-threshold cryptosystem with a secret sharing scheme.

==History==

Perhaps the first system with complete threshold properties for a trapdoor function (such as RSA) and a proof of security was published in 1994 by Alfredo De Santis, Yvo Desmedt, Yair Frankel, and Moti Yung.<ref>Alfredo De Santis, Yvo Desmedt, Yair Frankel, Moti Yung: How to share a function securely. STOC 1994: 522-533 [http://dl.acm.org/citation.cfm?doid=195058.195405]</ref>

Historically, only organizations with very valuable secrets, such as certificate authorities, the military, and governments made use of this technology. One of the earliest implementations was done in the 1990s by Certco for the planned deployment of the original Secure electronic transaction.<ref>{{citation|url=http://www.geocities.ws/rayvaneng/w0597_09.htm|title=Visa and Mastercard have just announced the selection of two companies -- CertCo and Spyrus|date=1997-05-20|access-date=2019-05-02}}.</ref> However, in October 2012, after a number of large public website password ciphertext compromises, RSA Security announced that it would release software to make the technology available to the general public.<ref>{{cite news |url=https://www.technologyreview.com/2012/10/09/183378/to-keep-passwords-safe-from-hackers-just-break-them-into-bits/ |title=To Keep Passwords Safe from Hackers, Just Break Them into Bits | author=Tom Simonite |date=2012-10-09 |work=Technology Review |access-date=2020-10-13}}</ref>

In March 2019, the National Institute of Standards and Technology (NIST) conducted a workshop on threshold cryptography to establish consensus on applications, and define specifications.<ref>{{cite web|url=https://csrc.nist.gov/projects/threshold-cryptography |title=Threshold Cryptography |website=csrc.nist.gov |date=2019-03-20 |access-date=2019-05-02}}</ref> In July 2020, NIST published "Roadmap Toward Criteria for Threshold Schemes for Cryptographic Primitives" as NIST IR 8214A<ref>{{Cite journal|date=2020-07-07|title=NIST Roadmap Toward Criteria for Threshold Schemes for Cryptographic Primitives|url=https://csrc.nist.gov/publications/detail/nistir/8214a/final|access-date=2021-09-19|website=Computer Security Resource Center|publisher=NIST|doi=10.6028/NIST.IR.8214A |language=en-US|last1=Brandão |first1=Luís T. A. N. |last2=Davidson |first2=Michael |last3=Vassilev |first3=Apostol |doi-access=free}}</ref>. In August 2022, NIST published an initial public draft for "Notes on Threshold EdDSA/Schnorr Signatures" as NIST IR 8214B.<ref>{{Cite journal|date=2022-12-08|title=Notes on Threshold EdDSA/Schnorr Signatures|url=https://csrc.nist.gov/pubs/ir/8214/b/ipd|access-date=2025-10-21|website=Computer Security Resource Center|publisher=NIST|doi=10.6028/NIST.IR.8214B.ipd |language=en-US|last1=Brandão |first1=Luís T. A. N. |last2=Davidson |first2=Michael |doi-access=free}}</ref> In January 2023, NIST published an initial public draft for the "NIST First Call for Multi-Party Threshold Schemes" as NIST IR 8214C, followed by a second public draft in March 2025.<ref>{{Cite journal|date=2025-03-27|title=NIST First Call for Multi-Party Threshold Schemes|url=https://csrc.nist.gov/pubs/ir/8214/c/2pd|access-date=2025-10-21|website=Computer Security Resource Center|publisher=NIST|doi=10.6028/NIST.IR.8214C.2pd |language=en-US|last1=Brandão |first1=Luís T. A. N. |last2=Peralta |first2=Rene |doi-access=free}}</ref>

== Threshold signatures ==

In a ''(t,n)'' threshold signature scheme, a signing key is split into ''n'' shares, each share being given to a party. Any subset of at least ''t'' of the ''n'' parties behaving honestly can cooperate to jointly sign a message. On the other hand, every subset of fewer than ''t'' parties cannot forge a signature, even if they collude.

There is a trivial way to create a threshold signature scheme using any signature scheme. Each of the ''n'' parties generates its own secret signing key, and publishes the corresponding verification key. A party willing to sign a message simply signs it with its own individual key, and publishes its signature. A signature for the threshold signature scheme is a concatenation of (at least) ''t'' individual signatures, and can be verified by verifying the individual signatures one by one. The downside of this trivial approach is that the size of the signature and the time needed for verification grow linearly with ''t''. Usually, it is desired that the size of the signature and the time needed for verification are constant in ''t'' and ''n''.

Many existing signature schemes have been thresholdized, notably Schnorr signatures<ref>{{Cite book |last1=Komlo |first1=Chelsea |last2=Goldberg |first2=Ian |title=Selected Areas in Cryptography |chapter=FROST: Flexible Round-Optimized Schnorr Threshold Signatures |date=2021 |editor-last=Dunkelman |editor-first=Orr |editor2-last=Jacobson |editor2-first= Michael J. Jr.|editor3-last=O'Flynn |editor3-first=Colin |chapter-url=https://link.springer.com/chapter/10.1007/978-3-030-81652-0_2 |series=Lecture Notes in Computer Science |volume=12804 |language=en |location=Cham |publisher=Springer International Publishing |pages=34–65 |doi=10.1007/978-3-030-81652-0_2 |isbn=978-3-030-81652-0|s2cid=220794784 }}</ref>, ECDSA<ref>{{Cite web|url=https://eprint.iacr.org/2015/1169.pdf|title=Strength in Numbers: Threshold ECDSA to Protect Keys in the Cloud|last1=Green|first1=Marc|last2=Eisenbarth|first2=Thomas|date=2015 |website=IACR}}</ref><ref>{{Cite conference|chapter-url=https://eprint.iacr.org/2016/013.pdf|chapter=Threshold-optimal DSA/ECDSA signatures and an application to Bitcoin wallet security|last1=Gennaro|first1=Rosario|last2=Goldfeder|first2=Steven|date=2016|last3=Narayanan|first3=Arvind |doi=10.1007/978-3-319-39555-5_9 |title=Applied Cryptography and Network Security |conference=ACNS 2016 }}</ref><ref>{{Cite web|last1=Gągol|first1=Adam|last2=Straszak|first2=Damian|last3=Świętek|first3=Michał|last4=Kula|first4=Jędrzej|year=2019|title=Threshold ECDSA for Decentralized Asset Custody|url=https://eprint.iacr.org/2020/498.pdf |website=IACR}}</ref>, and BLS<ref>{{cite conference|last1 = Bacho|first1 = Renas|last2 = Loss|first2 = Julian|title = On the Adaptive Security of the Threshold BLS Signature Scheme|book-title = Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS '22)|publisher = Association for Computing Machinery|location = Los Angeles, CA, USA|pages = 193–207|year = 2022|isbn = 9781450394505|doi = 10.1145/3548606.3560656|url = https://doi.org/10.1145/3548606.3560656}}</ref>.

== Threshold decryption ==

Similarly to threshold signatures, public-key encryption schemes can be thresholdized, so that at least ''t'' parties must cooperate to decrypt a message.
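The following is an added worked example, not code from the article or from any of the cited papers. It shows the generic construction described above (a non-threshold cryptosystem combined with a secret sharing scheme) applied to ElGamal: the secret key is Shamir-shared over the subgroup order, each party computes a partial decryption with its share, and any ''t'' partial decryptions are combined with Lagrange coefficients in the exponent, so the full key is never reassembled. The group parameters (safe prime 2039, generator 4) and the squaring-based message encoding are toy choices made for this example only; a real deployment would use standard-size groups and distributed key generation rather than a dealer.

```python
# Threshold ElGamal decryption from Shamir secret sharing (added example, not from the article).
# Toy parameters: P = 2Q + 1 is a safe prime, G = 4 generates the order-Q subgroup of Z_P^*.
import secrets

P = 2039
Q = 1019
G = 4


def lagrange_coeff(i, indices):
    """Lagrange coefficient lambda_i (evaluated at 0) over Z_Q for the given share indices."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def split_secret(x, t, n):
    """Shamir (t,n) sharing of x over Z_Q: shares (i, f(i)) of a random degree-(t-1) polynomial."""
    coeffs = [x % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]

    def f(i):
        return sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q

    return [(i, f(i)) for i in range(1, n + 1)]


def recover_secret(shares):
    """Interpolate f(0) from at least t shares; shown only to illustrate the threshold property.
    With fewer than t shares the result is unrelated to the secret."""
    idx = [i for i, _ in shares]
    return sum(s * lagrange_coeff(i, idx) for i, s in shares) % Q


def keygen(t, n):
    """Dealer-based key generation (toy): returns public key, the n shares, and the secret key."""
    x = secrets.randbelow(Q - 1) + 1          # secret key in [1, Q-1]
    h = pow(G, x, P)                          # public key h = g^x
    return h, split_secret(x, t, n), x


def encode(msg):
    """Map an integer msg in [1, Q] to a subgroup element: m = msg^2 mod P (a quadratic residue)."""
    assert 1 <= msg <= Q
    return msg * msg % P


def decode(m):
    """Inverse of encode: modular square root (P = 3 mod 4), choosing the root that is <= Q."""
    r = pow(m, (P + 1) // 4, P)
    return r if r <= Q else P - r


def encrypt(h, m):
    """Standard ElGamal encryption of subgroup element m under public key h."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(h, r, P) % P


def partial_decrypt(share, c1):
    """Party i raises c1 to its share x_i; its share is never revealed to the others."""
    i, x_i = share
    return i, pow(c1, x_i, P)


def combine(partials, c2):
    """Combine t partial decryptions: prod d_i^lambda_i = c1^x, then m = c2 / c1^x."""
    idx = [i for i, _ in partials]
    c1_x = 1
    for i, d_i in partials:
        c1_x = c1_x * pow(d_i, lagrange_coeff(i, idx), P) % P
    return c2 * pow(c1_x, -1, P) % P


def threshold_decrypt_demo(msg, t=3, n=5):
    """End-to-end run: share the key, encrypt msg, decrypt with a quorum of t parties."""
    h, shares, _x = keygen(t, n)
    c1, c2 = encrypt(h, encode(msg))
    quorum = shares[n - t:]                   # any t of the n parties suffice; here the last t
    partials = [partial_decrypt(s, c1) for s in quorum]
    return decode(combine(partials, c2))


if __name__ == "__main__":
    print(threshold_decrypt_demo(42))         # 42
```

The decisive design point is in `combine`: the Lagrange coefficients are applied in the exponent of the partial decryptions, so the combiner learns ''c1^x'' for this ciphertext only and never the key ''x'' itself. `recover_secret` is included only to make the (t,n) property visible; a production scheme would never reconstruct the key in one place.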

Threshold versions have been defined for the schemes above and for the following schemes:

* Damgård–Jurik cryptosystem<ref>Ivan Damgård, Mads Jurik: [http://www.brics.dk/RS/03/16/index.html A Length-Flexible Threshold Cryptosystem with Applications]. ACISP 2003: 350-364</ref><ref>Ivan Damgård, Mads Jurik: [http://www.brics.dk/RS/00/45/ A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System]. Public Key Cryptography 2001: 119-136</ref>
* ElGamal
* Paillier cryptosystem<ref>{{Cite book |last1=Nishide |first1=Takashi |last2=Sakurai |first2=Kouichi |title=Information Security Applications |chapter=Distributed Paillier Cryptosystem without Trusted Dealer |date=2011 |editor-last=Chung |editor-first=Yongwha |editor2-last=Yung |editor2-first=Moti |chapter-url=https://link.springer.com/chapter/10.1007/978-3-642-17955-6_4 |series=Lecture Notes in Computer Science |volume=6513 |language=en |location=Berlin, Heidelberg |publisher=Springer |pages=44–60 |doi=10.1007/978-3-642-17955-6_4 |isbn=978-3-642-17955-6}}</ref>
* RSA

== See also ==

* Broadcast encryption
* Distributed key generation
* Secret sharing
* Secure multi-party computation
* Shamir's Secret Sharing
* Threshold (disambiguation)

==References==

{{Reflist}}

{{Cryptography navbox|public-key}}

[[Category:Public-key cryptography]]