# Rosario Gennaro's research while affiliated with Protocol Labs and other places

**What is this page?**

This page lists the scientific contributions of an author, who either does not have a ResearchGate profile, or has not yet added these contributions to their profile.

It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.

If you're a ResearchGate member, you can follow this page to keep up with this author's work.

If you are this author, and you don't want us to display this page anymore, please let us know.

## Publications (152)

We present Testudo, a new FFT-less SNARK with a near linear-time prover, constant-time verifier, constant-size proofs and a square-root-size universal setup. Testudo is based on a variant of Spartan [28]–and hence does not require FFTs–as well as a new, fast multivariate polynomial commitment scheme (PCS) with a square-root-sized trusted setup that...

Vector Commitments allow one to (concisely) commit to a vector of messages so that one can later (concisely) open the commitment at selected locations. In the state of the art of vector commitments, algebraic constructions have emerged as a particularly useful class, as they enable advanced properties, such as stateless updates, subvector openings...

Offline deniability is the ability to a posteriori deny having participated in a particular communication session. This property has been widely assumed for the Signal messaging application, yet no formal proof has appeared in the literature. In this paper, we present what we believe is the first formal study of the offline deniability of the Signa...

Perceptual hashing allows the computation of a robust fingerprint of media files, such that the fingerprint can be used to detect the same object even if it has been modified in perceptually non-significant ways (e.g., compression). The robustness of such functions relies on the use of secret keys both during the computation and the detection phase...

Recently Gennaro et al. (ACNS ’16) presented a threshold-optimal signature algorithm for DSA. Threshold-optimality means that if security is set so that it is required to have \(t+1\) servers to cooperate to sign, then it is sufficient to have \(n=t+1\) honest servers in the network. Obviously threshold optimality compromises robustness since if \(...

This paper initiates a study of Fine Grained Secure Computation: i.e. the construction of secure computation primitives against “moderately complex” adversaries. We present definitions and constructions for compact Fully Homomorphic Encryption and Verifiable Computation secure against (non-uniform) \(\mathsf {NC}^1\) adversaries. Our results do not...

A threshold signature scheme enables distributed signing among n players such that any subgroup of size $t+1$ can sign, whereas any group with t or fewer players cannot. While there exist previous threshold schemes for the ECDSA signature scheme, we are the first protocol that supports multiparty signatures for any $t \leq n$ with an efficient deale...

Zero-knowledge SNARKs (zk-SNARKs) are non-interactive proof systems with short and efficiently verifiable proofs. They elegantly resolve the juxtaposition of individual privacy and public trust, by providing an efficient way of demonstrating knowledge of secret information without actually revealing it. To this day, zk-SNARKs are being used for del...

Zero Knowledge Contingent Payment (ZKCP) protocols allow fair exchange of sold goods and payments over the Bitcoin network. In this paper we point out two main shortcomings of current proposals for ZKCP, and propose ways to address them.
First we show an attack that allows a buyer to learn partial information about the digital good being sold, with...

A recent breakthrough by Boyle et al. [7] demonstrated secure function evaluation protocols for branching programs, where the communication complexity is sublinear in the size of the circuit (indeed just linear in the size of the inputs, and polynomial in the security parameter). Their result is based on the Decisional Diffie-Hellman assumption (DD...

We present new protocols for the verification of space bounded polytime computations against a rational adversary. For such computations requiring sublinear space our protocol requires only a verifier running in sublinear-time. We extend our main result in several directions: (i) we present protocols for randomized complexity classes, using a new c...

Onion routing protocols allow users to establish anonymous channels to preserve their privacy over a public network. Several protocols implementing this primitive have been proposed in recent years, and The onion routing network (Tor), a real-life implementation, provides an onion routing service to thousands of users over the Internet. This paper...

While threshold signature schemes have been presented before, there has never been an optimal threshold signature algorithm for DSA. The properties of DSA make it quite challenging to build a threshold version. In this paper, we present a threshold DSA scheme that is efficient and optimal. We also present a compelling application to use our scheme:...

We show that Rational Proofs do not satisfy basic compositional properties in the case where a large number of “computation problems” are outsourced. We show that a “fast” incorrect answer is more remunerable for the prover, by allowing him to solve more problems and collect more rewards. We present an enhanced definition of Rational Proofs that re...

In this paper we introduce the notion of Algebraic (Trapdoor) One Way Functions, which, roughly speaking, captures and formalizes many of the properties of number-theoretic one-way functions. Informally, a (trapdoor) one way function F:X→Y is said to be algebraic if X and Y are (finite) abelian cyclic groups, the function is homomorphic i.e. F(x)⋅F...

We study the task of verifiable delegation of computation on encrypted data. We improve previous definitions in order to tolerate adversaries that learn whether or not clients accept the result of a delegated computation. In this strong model, we construct a scheme for arbitrary computations and highly efficient schemes for delegation of various cl...

The IEEE 802.11 protocols are used by millions of smartphone and tablet devices to access the Internet via Wi-Fi wireless networks or communicate with one another directly in a peer-to-peer mode. Insider attacks are those originating from a trusted node that had initially passed all the authentication steps to access the network and then got compro...

Homomorphic MACs, introduced by Gennaro and Wichs in 2013, allow anyone to validate computations on authenticated data without knowledge of the secret key. Moreover, the secret-key owner can verify the validity of the computation without needing to know the original (authenticated) inputs. Beyond security, homomorphic MACs are required to produce sh...

We investigate the relationship between functional encryption (FE) and fully homomorphic encryption (FHE), demonstrating that, under certain assumptions, a Functional Encryption scheme supporting evaluation on two ciphertexts implies fully homomorphic encryption. We first introduce the notion of randomized functional encryption (RFE), a generalizat...

We define and construct a new primitive called a fully homomorphic message authenticator. With such scheme, anybody can perform arbitrary computations over authenticated data and produce a short tag that authenticates the result of the computation (without knowing the secret key). This tag can be verified using the secret key to ensure that the cla...

The notion of off-line/on-line digital signature scheme was introduced by Even, Goldreich and Micali. Informally such signatures schemes are used to reduce the time required to compute a signature using some kind of preprocessing. Even, Goldreich and Micali show how to realize off-line/on-line digital signature schemes by combining regular digital...

A mechanism is provided for establishing a shared secret-key for secure communication between nodes in a wireless network. A first node in the wireless network provides a spreading code to a second node of the wireless network. The second node provides a first input for the key establishment to the first node using communication encoded with the sp...

A long-standing open problem in cryptography is proving the existence of (deterministic) hard-core predicates for the Diffie-Hellman problem defined over finite fields. In this paper, we make progress on this problem by defining a very natural variation of the Diffie-Hellman problem over \(\mathbb{F}_{p^2}\) and proving the unpredictability of ever...

We introduce a new characterization of the NP complexity class, called Quadratic Span Programs (QSPs), which is a natural extension of span programs defined by Karchmer and Wigderson. Our main motivation is the quick construction of succinct, easily verified arguments for NP statements.
To achieve this goal, QSPs use a new approach to the well-know...

A pairwise key-agreement scheme is provided for creating key agreements non-interactively between pairs of nodes disposed in a hierarchy of nodes. The scheme is non-interactive so that any two nodes can agree on a shared secret key without interaction. In addition, the scheme is identity-based so that any given node only needs to know the identity...

In this paper we introduce the notion of Algebraic (Trapdoor) One Way Functions, which, roughly speaking, captures and formalizes many of the properties of number-theoretic one-way functions. Informally, a (trapdoor) one way function F: X → Y is said to be algebraic if X and Y are (finite) abelian cyclic groups, the function is homomorphic i.e. F(x...

This paper presents the Generalized Randomized Iterate of a (regular) one-way function f and show that it can be used to build Universal One-Way Hash Function (UOWHF) families with \(O(n^2)\) key length.
We then show that Shoup’s technique for UOWHF domain extension can be used to improve the efficiency of the previous construction. We present the Reus...

Outsourced computations (where a client requests a server to perform some computation on its behalf) are becoming increasingly important due to the rise of Cloud Computing and the proliferation of mobile devices. Since cloud providers may not be trusted, a crucial problem is the verification of the integrity and correctness of such computation, pos...

We discuss the relationship between ID-based key agreement protocols, certificateless encryption and ID-based key encapsulation mechanisms. In particular we show how in some sense ID-based key agreement is a primitive from which all others can be derived. In doing so we focus on distinctions between what we term pure ID-based schemes and non-pure s...

We study the problem of computing on large datasets that are stored on an untrusted server. We follow the approach of amortized verifiable computation introduced by Gennaro, Gentry, and Parno in CRYPTO 2010. We present the first practical verifiable computation scheme for
high degree polynomial functions. Such functions can be used, for example, to...

In this paper we put forward a new onion routing protocol which achieves forward secrecy in a fully non-interactive fashion, without requiring any communication from the router and/or the users and the service provider to update time-related keys. We compare this to TOR which requires \(O(n^2)\) rounds of interaction to establish a circuit of size n. I...

Computational extractors are efficient procedures that map a source of sufficiently high min-entropy to an output that is computationally indistinguishable from uniform. By relaxing the statistical closeness property of traditional randomness extractors one hopes to improve the efficiency and entropy parameters of these extractors, while keeping th...

We discuss the relationship between ID-based key agreement protocols, certificateless encryption and ID-based key encapsulation mechanisms. In particular we show how in some sense ID-based key agreement is a primitive from which all others can be derived. In doing so we focus on distinctions between what we term pure ID-based schemes and non-pure...

We introduce and formalize the notion of Verifiable Computation, which enables a computationally weak client to “outsource” the computation of a function F on various dynamically-chosen inputs \(x_1,\ldots,x_k\) to one or more workers. The workers return the result of the function evaluation, e.g., \(y_i = F(x_i)\), as well as a proof that the computation of...

This paper investigates the question of whether a key agreement protocol with the same communication complexity as the original
Diffie-Hellman protocol (DHP) (two messages with a single group element per message), and similar low computational overhead, can achieve forward secrecy against active attackers
in a provable way. We answer this question...

Network coding offers the potential to increase throughput and improve robustness without any centralized control. Unfortunately, network coding is highly susceptible to “pollution attacks” in which malicious nodes modify packets improperly so as to prevent message recovery at the recipient(s); such attacks cannot be prevented using standard end-to...

This paper presents an efficient protocol for securely computing the fundamental problem of pattern matching. This problem is defined in the two-party setting, where party \(P_1\) holds a pattern and party \(P_2\) holds a text. The goal of \(P_1\) is to learn where the pattern appears in the text, without revealing it to \(P_2\) or learning anything else about \(P_2\)...

This paper presents a new identity based key agreement protocol. In id-based cryptography (introduced by Adi Shamir in [29]) each party uses its own identity as public key and receives his secret key from a master Key Generation Center, whose public parameters are publicly known.
The novelty of our protocol is that it can be implemented over any cy...

This paper presents efficient protocols for securely computing the following two problems: (1) The fundamental problem of pattern matching. This problem is defined in the two-party setting, where party \(P_1\) holds a pattern and party \(P_2\) holds a text. The goal of \(P_1\) is to learn where the pattern appears in the text, without revealing it...

This paper presents a new identity based key agreement protocol. In id-based cryptography (introduced by Adi Shamir in [34]) each party uses its own identity as public key and receives his secret key from a master Key Generation Center, whose public parameters are publicly known.
The novelty of our protocol is that it can be implemented over any cy...

We present a new encryption scheme which is secure against adaptive chosen-ciphertext attack (or CCA2-secure) in the standard model (i.e., without the use of random oracle). Our scheme is a hybrid one: it first uses a public-key step (the Key Encapsulation Module or KEM) to encrypt a random key, which is then used to encrypt the actual message usin...

Onion routing protocols allow users to establish anonymous channels to preserve their privacy over a public network. Several protocols implementing this primitive have been proposed in recent years, and TOR, a real-life implementation, provides an onion routing service to thousands of users over the internet. This paper presents Certificateless Oni...

We address the practice of key-wrapping, where one symmetric cryptographic key is used to encrypt another. This practice is used extensively in key-management architectures, often to create an “adapter layer” between incompatible legacy systems. Although in principle any secure encryption scheme can be used for key wrapping, practical constraints (...

This paper presents a novel framework for the generic construction of hybrid encryption schemes which produces more efficient
schemes than the ones known before. A previous framework introduced by Shoup combines a key encapsulation mechanism (KEM)
and a data encryption mechanism (DEM). While it is sufficient to require both components to be secure...

Key agreement is a fundamental security functionality by which pairs of nodes agree on shared keys to be used for protecting their pairwise communications. In this work we study key-agreement schemes that are well-suited for the mobile network environment. Specifically, we describe schemes with the following characteristics:
Non-interactive: any tw...

One of the main challenges in RFIDs is the design of privacy-preserving authentication protocols. Indeed, such protocols should not only allow legitimate readers to authenticate tags but also protect these latter from privacy-violating attacks, ensuring their anonymity and untraceability: an adversary should not be able to get any information that...

We consider the use of threshold signatures in ad-hoc and dynamic groups such as MANETs ("mobile ad-hoc networks"). While the known threshold RSA signature schemes have several properties that make them good candidates for deployment in these scenarios, none of these schemes seems practical enough for realistic use in these highly-constrained env...

This paper presents some theoretical and experimental results about off-line/on-line digital signatures. The goal of this type of schemes is to reduce the time used to compute a signature using some kind of preprocessing. They were introduced by Even, Goldreich and Micali and constructed by combining regular digital signatures with efficient one-ti...

This paper presents an improved password-based authenticated key exchange protocol in the common reference string model. Its security proof requires no idealized assumption (such as random oracles). The protocol is based on the GL framework introduced by Gennaro and Lindell, which generalizes the KOY key exchange protocol of Katz et al. Both the KO...

We present the first undeniable signatures scheme based on RSA. Since their introduction in 1989 a significant amount of work has been devoted to the investigation of undeniable signatures. So far, this work has been based on discrete log systems. In contrast, our scheme uses regular RSA signatures to generate undeniable signatures. In this new set...

A Distributed Key Generation (DKG) protocol is an essential component of threshold cryptosystems required to initialize the
cryptosystem securely and generate its private and public keys. In the case of discrete-log-based (dlog-based) threshold signature
schemes (ElGamal and its derivatives), the DKG protocol is further used in the distributed sign...

At PKC 2006 Crutchfield, Molnar, Turner and Wagner proposed a generic threshold version of on-line/off-line signature schemes based on the "hash-sign-switch" paradigm introduced by Shamir and Tauman. Such a paradigm strongly relies on chameleon hash functions which are collision-resistant functions, with a secret trapdoor which actually allows to...

This paper presents an improved password-based authenticated key exchange protocol in the common reference string model. Its security proof requires no idealized assumption (such as random oracles).
The protocol is based on the GL framework introduced by Gennaro and Lindell, which generalizes the KOY key exchange protocol of Katz et al. Both the KO...

At Crypto 96 Cramer and Damgård proposed an efficient, tree-based, signature scheme that is provably secure against adaptive chosen message attacks under the assumption that inverting RSA is computationally infeasible.
In this paper we show how to modify their basic construction in order to achieve a scheme that is provably secure under the assumpt...

We extend the definitional work of Dwork, Naor and Sahai from deniable authentication to deniable key-exchange protocols. We then use these definitions to prove the deniability features of SKEME and SIGMA, two natural and efficient protocols which serve as basis for the Internet Key Exchange (IKE) protocol. The two protocols require distinct approaches to...

We present two protocols for threshold password authenticated key exchange. In this model for password authentication, the password is not stored in a single authenticating server but rather shared among a set of n servers so that an adversary can learn the password only by breaking into t+1 of them. The protocols require n>3t servers to work. The g...

We present a new efficient paradigm for signing digital streams. The problem of signing digital streams to prove their authenticity
is substantially different from the problem of signing regular messages. Traditional signature schemes are message oriented
and require the receiver to process the entire message before being able to authenticate its s...

We define and construct Independent Zero-Knowledge Sets (ZKS) protocols. In a ZKS protocol, a Prover commits to a set S, and for any x, proves non-interactively to a Verifier if x ∈ S or x ∉ S without revealing any other information about S. In the independent ZKS protocols we introduce, the adversary is prevented from successfully correlating her set...

In his well-known Information Dispersal Algorithm paper, Rabin showed a way to distribute information among n processors in such a way that recovery of the information is possible in the presence of up to t inactive processors. An enhanced mechanism to enable construction in the presence of malicious faults, which can intentionally modify their sha...

Although more formal definitions of randomness exist, a colloquial one will suffice here: a random process is one whose consequences are unknown. Intuitively, this is why randomness is crucial in cryptographic applications - because it provides a way to create information that an adversary can't learn or predict. It's then the task of a good protoc...

Deniable Authentication protocols allow a Sender to authenticate a message for a Receiver, in a way that the Receiver cannot
convince a third party that such authentication (or any authentication) ever took place.
We present two new approaches to the problem of deniable authentication. The novelty of our schemes is that they do not require
the use...

At the 2004 Workshop on Privacy in the Electronic Society (WPES), Borisov, Goldberg and Brewer, presented "Off the Record Messaging" (OTR), a protocol designed to add end-to-end security and privacy to Instant Messaging protocols. An open-source implementation of OTR is available and has achieved considerable success. In this paper we present a secu...

This paper presents a novel framework for generic construction of hybrid encryption schemes secure against chosen ciphertext attack. Our new framework yields new and more efficient CCA-secure schemes, and provides insightful explanations about existing schemes that do not fit into the previous frameworks. This could result in finding future improve...

Distributed key generation is a main component of threshold cryptosystems and distributed cryptographic computing in general.
Solutions to the distributed generation of private keys for discrete-log based cryptosystems have been known for several years
and used in a variety of protocols and in many research papers. However, these solutions fail to...

R. Cramer and I. M. Damgård [Lect. Notes Comput. Sci. 1109, 173–185 (1996)] proposed an efficient, tree-based, signature scheme that is provably secure against adaptive chosen message attacks under the assumption that inverting RSA is computationally infeasible. In this paper we show how to modify their basic construction in order to achieve a sche...

A central focus of modern cryptography is the construction of efficient, "high-level" cryptographic tools (e.g., encryption schemes) from weaker, "low-level" cryptographic primitives (e.g., one-way functions). Of interest are both the existence of such constructions, and also their efficiency. Here, we show essentially-tight lower bounds on the b...

We present a batch version of Schnorr’s identification scheme. Our scheme uses higher degree polynomials that enable the execution of several Schnorr’s protocol at a cost very close to that of a single execution. We present a full proof of security that our scheme is secure against impersonation attacks.
The main application of this result is a ver...

We study the suitability of common pseudorandomness modes associated with cryptographic hash functions and block ciphers (CBC-MAC, Cascade and HMAC) for the task of “randomness extraction”, namely, the derivation of keying material from semi-secret and/or semi-random sources. Important applications for such extractors include the derivation of stron...

A central focus of modern cryptography is the construction of efficient, "high-level" cryptographic tools (e.g., encryption schemes) from weaker, "low-level" cryptographic primitives (e.g., one-way functions). Of interest are both the existence of such constructions, and also their efficiency.

We introduce the notion of multi-trapdoor commitments which is a stronger form of trapdoor commitment schemes. We then construct two very efficient instantiations of multi-trapdoor commitment schemes, one based on the Strong RSA Assumption and the other on the Strong Diffie-Hellman Assumption.
The main application of our new notion is the constructi...

We show that in applications that use the Diffie-Hellman (DH) transform but take care of hashing the DH output (as required, for example, for secure DH-based encryption and key exchange) the usual requirement to work over a DDH group (i.e., a group in which the Decisional Diffie-Hellman assumption holds) can be relaxed to only requiring that the DH group...

The Diffie-Hellman (DH) transform is a basic cryptographic primitive used in innumerable cryptographic applications, most prominently in discrete-log based encryption schemes and in the Diffie-Hellman key exchange. In many of these applications it has been recognized that the direct use of the DH output, even over groups that satisfy the strong Dec...

Traditionally, secure cryptographic algorithms provide security against an adversary who has only black-box access to the secret information of honest parties. However, such models are not always adequate. In particular, the security of these algorithms may completely break under (feasible) attacks that tamper with the secret key.
In this paper we...

Recently, Kurosawa and Desmedt presented a new hybrid encryption scheme which is secure against adaptive chosen-ciphertext attack. Their scheme is a modification of the Cramer-Shoup encryption scheme. Its major advantage with respect to Cramer-Shoup is that it saves the computation of one exponentiation and produces shorter ciphertexts. However, t...

We present two protocols for threshold password authenticated key exchange. In this model for password authentication, the password is not stored in a single authenticating server but rather shared among a set of n servers so that an adversary can learn the password only by breaking into t + 1 of them. The protocols require n > 3t servers to work.

A central focus of modern cryptography is to investigate the weakest possible assumptions under which various cryptographic algorithms exist. Typically, a proof that a "weak" primitive (e.g., a one-way function) implies the existence of a "strong" algorithm (e.g., a private-key encryption scheme) proceeds by giving an explicit construction of the l...

A central focus of modern cryptography is to investigate the weakest possible assumptions under which various cryptographic algorithms exist. Typically, a proof that a "weak" primitive (e.g., a one-way function) implies the existence of a "strong" algorithm (e.g., a private-key encryption scheme) proceeds by giving an explicit construction of the l...

We present a new protocol for the following task. Given two secrets a; b shared among n players, compute the value g .

In this paper we present a general framework for password-based authenticated key exchange protocols, in the common reference string model. Our protocol is actually an abstraction of the key exchange protocol of Katz et al. and is based on the recently introduced notion of smooth projective hashing by Cramer and Shoup. We gain a number of benefits...

A Distributed Key Generation (DKG) protocol is an essential component of any threshold cryptosystem. It is used to initialize the cryptosystem and generate its private and public keys, and it is used as a subprotocol, for example to generate a one-time key pair which is a part of any threshold El-Gamal-like signature scheme. Gennaro et al. showed [...

We present two protocols for threshold password authenticated key exchange. In this model, the password is not stored in a
single authenticating server but rather shared among a set of n servers so that an adversary can learn the password only by breaking into t+1 of them. The protocols require n > 3t servers to work.
The goal is to protect the pa...

Secrecy of private signing keys is one of the most important issues in secure electronic commerce. A promising solution to this problem is to distribute the signing function among multiple parties. However, a threshold signature scheme typically assumes that the shared signing function can only be activated by a quorum number of parties, which is i...

A Distributed Key Generation (DKG) protocol is an essential component of any threshold cryptosystem. It is used to initialize the cryptosystem and generate its private and public keys, and it is used as a subprotocol, for example to generate a one-time key pair which is a part of any threshold El-Gamal-like signature scheme. Gennaro et al. showed [...

For the most compelling applications of threshold cryptosystems, security against chosen cipher text attack is a requirement. However, prior to the results presented here, there appeared to be no practical threshold cryptosystems in the literature that were provably chosen ciphertext secure, even in the idealized random oracle model. The contributi...

Substantial efforts have been spent on characterizing the round complexity of various cryptographic tasks. In this work we study the round complexity of secure multiparty computation in the presence of an active (Byzantine) adversary, assuming the availability of secure point-to-point channels and a broadcast primitive. It was recently shown that in this se...

A central focus of modern cryptography is to investigate the weakest possible assumptions under which various cryptographic algorithms exist. Typically, a proof that a "weak" primitive (e.g., a one-way function) implies the existence of some "strong" algorithm (e.g., a private-key encryption scheme) proceeds by giving an explicit construction of th...

## Citations

... There is a large body of prior work on multi-party ECDSA signing [31,62,23,4,24,19,49,42,41,20]. However, existing protocols are orders of magnitude more costly than the one we present here [62,42,41,19,20]. ...

... In particular, to maintain Signal's deniability of the initial key agreement (cf. [25]), signatures can be generated using designated-verifier or 2-user ring signatures [14,19], similarly to their deployment in recent proposals for Signal-like deniable key exchanges [23,24,12,3]. ...

... perceived as similar by the human eye) generate highly correlated hashes. In this case, an efficient perceptual hashing technique should be able to detect that an image has been derived from another one in a way to remain perceptually similar, even their corresponding files are substantially different [2]. It is meant here by two visually similar images that one image is derived from another via the commonly used content-preserving image manipulations. ...

... Meanwhile, availability is no less important. Combining both security features requires a t-out-of-n threshold signature scheme, which (t, n)-secret-shares private signing key to n parties -any t out of n signers can sign without reconstructing the private key to ensure availability, while forgery would be impossible even if a (t − 1)-adversary [3] compromised (t − 1) signers. ...

Reference: Real Threshold ECDSA

... Nevertheless, they all arise from an underlying characterisation of the complexity class NP as a specification of an NP-complete problem with specific advantageous properties. A popular starting point for many of the most influential SNARKs [59,85,46,72,60] has been the NP-complete decision problem circuit satisfiability (Circ-SAT). Many of the mentioned SNARKs for circuit satisfiability are based on the characterisation of quadratic span programs and quadratic arithmetic programs introduced by Gennaro et al. in [59]. ...

... Multi-signatures can also be viewed as a special form of threshold signatures where the number of threshold is equal to the number of all signers. Since the ECDSA scheme is a standard signature scheme that is widely used in cryptocurrency such as Bitcoin, many studies have been conducted to convert the ECDSA scheme into an efficient threshold ECDSA scheme [19][20][21][22]. Recently, efficient TS schemes have been proposed by modifying Schnorr signatures [23][24][25]. ...

... Sahai and Waters (2005) formally introduced the threshold policy. In threshold schemes, t-out-of-l can reconstruct a secret key (while less than t is impossible) (Boneh et al. 2018). ...

... Another important branch of escrow services on blockchains is the exchange of a digital good for payment in electronic commerce. Goldfeder et al. (2017) utilize a multi-signature based on the (t, n) threshold cryptosystem to develop escrow services for Bitcoin transactions in untrusted environments. In Asgaonkar et al. (2019), the researchers present a dual-deposit escrow trade protocol for Ethereum which uses double-sided payment deposits in conjunction with simple cryptographic primitives. ...