CryptoDB
Context-Dependent Threshold Decryption and its Applications
Authors: | Dan Boneh, Benedikt Bünz, Kartik Nayak, Lior Rotem, Victor Shoup |
---|---|
Conference: | ASIACRYPT 2025 |
Abstract: | In a threshold decryption system a secret key is split across a number of parties so that any threshold of them can decrypt a given ciphertext. We introduce a new concept in threshold decryption called a *decryption context*, which is an additional argument that is used during decryption. The context ensures that decryption shares that are generated for a ciphertext using different contexts are isolated from each other and cannot be jointly used to decrypt the ciphertext. For example, suppose the decryption threshold is $t$. Further, suppose that less than $t$ decryption shares are generated for a ciphertext $c$ under one context, and less than $t$ decryption shares are generated for $c$ under a different context. Then this set of shares is insufficient to decrypt $c$ even if the total number of shares exceeds $t$. This new concept has several important applications, most notably for implementing an encrypted mempool in a consensus protocol. We give two CCA-secure threshold decryption constructions that support context. One is based on ElGamal encryption, and the other is generic, showing how to add context to any CCA-secure threshold decryption system without changing the encryption algorithm. |
BibTeX
@inproceedings{asiacrypt-2025-36031,
  title={Context-Dependent Threshold Decryption and its Applications},
  publisher={Springer-Verlag},
  author={Dan Boneh and Benedikt Bünz and Kartik Nayak and Lior Rotem and Victor Shoup},
  year=2025
}