# README
RSA Threshold Signatures
This is an implementation of "Practical Threshold Signatures" by Victor Shoup. Protocol 1 is implemented.
Threshold Primer
Let l be the total number of players, t be the number of corrupted players, and k be the threshold. The idea of threshold signatures is that at least k players need to participate to form a valid signature.
Setup consists of a dealer generating l key shares from a key pair and "dealing" them to the players. In this implementation the dealer is trusted.
During the signing phase, at least k players use their key share and the message to generate a signature share. Finally, the k signature shares are combined to form a valid signature for the message.
Modifications
- Our implementation is not robust. That is, the corrupted players can prevent a valid signature from being formed by the non-corrupted players. As such, we remove all verification.
- The paper requires p and q to be safe primes. We do not.
# Functions
CombineSignShares combines t SignShare's to produce a valid signature.
Deal takes in an existing RSA private key generated elsewhere.
GenerateKey generates a RSA keypair for its use in RSA threshold signatures.
PadHash MUST be called before signing a message.
# Structs
KeyShare represents a portion of the key.
PSSPadder is a padder for RSA Probabilistic Padding Scheme (RSA-PSS) used in TLS 1.3
Note: If the salt length is non-zero, PSS padding is not deterministic.
SignShare represents a portion of a signature.