The security of a public key cryptosystem can be enhanced by distributing secret keys among a number of decryption servers: the threshold encryption approach. In EUROCRYPT 2005, Abe et al. showed that the secure threshold key encapsulation mechanism with a tag (threshold Tag-KEM) immediately yields secure threshold encryption; we only have to construct threshold Tag-KEM to construct threshold encryption. In this paper, we propose a construction of CCA-secure threshold Tag-KEM from threshold KEM (without a tag) that achieves one-wayness by utilizing a signature scheme with tight security reduction. Through our construction, we show the first instantiation of CCA-secure threshold encryption whose ciphertext-size and encryption-cost are independent of the number of servers under the RSA assumption in the random oracle model.