In threshold cryptography, private keys are divided into n shares, each one of which is given to a different server in order to avoid single points of failure. In the case of threshold public-key encryption, at least t≤n\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$t \le n$$\end{document} servers need to contribute to the decryption process. A threshold primitive is said robust if no coalition of t malicious servers can prevent remaining honest servers from successfully completing private key operations. Non-interactive schemes, considered the most practical ones, allow servers to contribute to decryption without interactions. So far, most non-interactive threshold cryptosystems were only proved secure against static corruptions. In the adaptive corruption scenario (where the adversary can corrupt servers at any time, based on its complete view), all existing robust threshold encryption schemes that also resist chosen-ciphertext attacks till recently require interaction in the decryption phase. A very specific method (in composite order groups) for getting rid of interaction was recently suggested, leaving the question of more generic frameworks and constructions with better security and, in particular, better flexibility (i.e., compatibility with distributed key generation). This paper advances the state of the art and describes a general construction of adaptively secure robust non-interactive threshold cryptosystems with chosen-ciphertext security. We define the novel notion of all-but-one perfectly sound threshold hash proof systems that can be seen as (threshold) hash proof systems with publicly verifiable and simulation-sound proofs. We show that this notion generically implies threshold cryptosystems combining the aforementioned properties. Then, we provide efficient instantiations under well-studied assumptions in bilinear groups (e.g., in such groups of prime order). These instantiations have a tighter security proof in the single-challenge setting and are indeed compatible with distributed key generation protocols.

中文翻译：

---

自适应安全非交互式 CCA-安全阈值密码系统：通用框架和构造

在阈值密码学中，私钥被分成 n 份，每份都分配给不同的服务器以避免单点故障。在阈值公钥加密的情况下，至少 t≤n\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage {mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$t \le n$$\end{document} 服务器需要参与解密过程。如果没有恶意服务器的联盟可以阻止剩余的诚实服务器成功完成私钥操作，则称阈值原语是稳健的。非交互式方案，被认为是最实用的方案，允许服务器在没有交互的情况下为解密做出贡献。迄今为止，大多数非交互式阈值密码系统仅被证明对静态损坏是安全的。在自适应损坏场景中（攻击者可以根据其完整视图随时损坏服务器），直到最近，所有现有的还可以抵抗选择密文攻击的稳健阈值加密方案都需要在解密阶段进行交互。最近提出了一种用于摆脱交互的非常具体的方法（在复合顺序组中），留下了具有更好安全性，特别是更好的灵活性（即与分布式密钥生成的兼容性）的更通用框架和结构的问题。本文推进了现有技术，并描述了具有选择密文安全性的自适应安全鲁棒非交互式阈值密码系统的一般构造。我们定义了一个完美的阈值哈希证明系统的新概念，可以将其视为具有可公开验证和模拟声音证明的（阈值）哈希证明系统。我们表明，这个概念一般意味着结合上述特性的阈值密码系统。然后，我们在双线性群（例如，素数阶的群）中在充分研究的假设下提供有效的实例化。这些实例在单挑战设置中具有更严格的安全证明，并且确实与分布式密钥生成协议兼容。然后，我们在双线性群（例如，素数阶的群）中在充分研究的假设下提供有效的实例化。这些实例在单挑战设置中具有更严格的安全证明，并且确实与分布式密钥生成协议兼容。然后，我们在双线性群（例如，素数阶的群）中在充分研究的假设下提供有效的实例化。这些实例在单挑战设置中具有更严格的安全证明，并且确实与分布式密钥生成协议兼容。