Journal of Computational Information Systems 11: 3 (2015) 975986

Available at http://www.Jofcis.com

A CRT-based (t, n) Threshold Signature Scheme Without

a Dealer ?
Zhengfeng HOU, Mengna TAN
School of Computer and Information, Hefei University of Technology, Hefei 230009, China

Abstract
We propose a CRT-based threshold signature scheme without a dealer. To ensure the security and
robustness of the scheme, no dealer is required and all the participants cooperate to generate the group
public key. So nobody can get the group private key. The participants honesty can be tested by verifying
the share shadows. Each participant generates the partial signature base on CRT independently using
his own secret share. The group signature can be synthesized by t or more partial signatures without
leaking any information about the group private key, which ensures the group private keys reusability.
We modify the signature equation of ElGamal signature scheme to ensure the correctness of signature
verification. The experiments show that our scheme has less time complexity than Harns scheme.
Keywords: Secret Share; ElGamal Signature; Without a Dealer; CRT

Introduction

Secret sharing scheme was first proposed by Shamir [1] and Blakley [2] respectively in which a
dealer shares a secret among participants and only t or more participants can recover the secret.
In 1983, Asmuth and Bloom [3] put forward a threshold secret sharing scheme based on Chinese
Remainder Theorem (CRT), which has less computing complexity than Shamirs scheme. Qiong
et al. [4] and Iftene [5] proposed two CRT-based verifiable secret sharing schemes(VSS) independently, in which a corrupted dealer can still distribute inconsistent shares without detection, such
that different coalitions will obtain different values for the secret, which is called the authority
deceive. In 2008, K. Kaya and A.A. Selcuk [6] proposed a new VSS scheme based on CRT
and proved its security. However, its secret share verification process needs a dealer and is quite
complex. In 2012, literature [7] presented a simple but novel cryptography system which was
based on CRT. The areas of CRT-based secret sharing have been studied extensively in recent
years [8-11], but all of them require a dealer. Literature [13] is a secret sharing scheme without
a dealer based on Blakley and [12, 14, 15] are verifiable secret sharing schemes based on Shamir
and vector space.
?

Project supported by the National Nature Science Foundation of China (No. 61272540).
Corresponding author.
Email address: tanmengna@163.com (Mengna TAN).

15539105 / Copyright 2015 Binary Information Press

DOI: 10.12733/jcis13109
February 1, 2015

976

Z. Hou et al. /Journal of Computational Information Systems 11: 3 (2015) 975986

In 1994, Harn [16] proposed a threshold signature scheme without a dealer which is based on
Lagrange interpolation. So far, the majority of existing threshold signature schemes are based
on Lagrange interpolation [17, 18, 19] and there are few studies on verifiable threshold signature
without a dealer based on CRT.
This paper proposes a new verifiable CRT-based threshold signature scheme without a dealer.
Each participant cooperates with the other participants to generate the secret shares and the
group public key (the group private key is also generated implicitly). The partial signatures are
generated based on CRT by using the secret shares. The group signature can be synthesized
by t partial signatures instead of using the group private key directly, so the group private key
will not be revealed in the signing process. Anybody can use the group public key to verify the
group signature. We modify the signature equation of ElGamal signature scheme to ensure the
correctness of signature verification. Our scheme can also identify the mutual cheating among
the participants by verifying the secret share shadows. The experiments show that our scheme
has less time complexity than Harns signature schemes.

Preliminary Works

2.1

ElGamal signature scheme

Key generation phase: Let p and q be large prime numbers, where q = p 1 and let
g Zp be an element of order q. The private key x R Zp is chosen randomly and the
public key y = g x mod p is computed.
Signing phase: Let M Zq is a hashed message. The signer first chooses a random
ephemeral key k, where k R Zp and gcd(k, p). Then computes the signature (r, s), where
r= gk mod ps=k 1 (M xr) mod q

(1)

Verification phase: The signature (r, s) is verified by checking y r rs mod p= gM mod p.

2.2

Harns threshold signature scheme

Harn [16] proposed a threshold signature scheme without a dealer based on Lagrange interpolation.
The scheme is briefly described as follows:
Public keys generating phase:
(1) Each participant randomly selects zi and xi , computes a corresponding public key
yi = g zi mod p. {xi , yi } are the participants
public keys and zi is the participants
Qn
secret key. The group public key y = i=1 yi mod p.
(2) Pi randomly selects a (t 1)th degree polynomial fi (x) with fi (0) = zi mod q. Computes the secret shadow fi (xj ) mod q and the public key yij = g fi (xj ) mod p. Then
sends fi (xj ) to Pj and broadcasts yij (i 6= j).
Signature generation phase: {P1 , P2 , , Pt } denotes involved participants.

Z. Hou et al. /Journal of Computational Information Systems 11: 3 (2015) 975986

977

k
(1) Suppose Pi selects an integer kQ
i , computes ri = gi mod p and broadcasts ri . Once all
t
ri are available, computes r = i=1 ri .
P
Q
k
}h(M ) ki r,
(2) For the message M, Pi computes si = {zi + nj=t+1 fj (xi ) tk=1,k6=i xx
i xk
and sends the partial signature {M, r, s} to the signature synthesizer.
P
(3) The group signature can be generated as {M, r, s}, where s = ti=1 si mod q.

Signature verification phase: If the equation y h(M ) = rr g s mod p holds, the group
signature {M, r, s} is valid.

2.3

Asmuth-bloom secret sharing scheme

Asmuth and Bloom proposed a secret sharing scheme [3] based on CRT. The scheme has two
phases:
Dealing phase: To share a secret S among a group of n participants {P1 , P2 , , Pn }, the
dealer does the following.
(1) A set of relatively
q < d1 < d2 < ... < dn are chosen, where q is a large
Q
Q prime integers
d
prime and N = ti=1 di > q t1
i=1 ni+1 .
(2) The dealer computes z = S + Aq, where 0 A [N/q] 1.
(3) Computes zi = z mod di and sends (zi , di ) to Pi (i = 1, 2, ..., n) as the share of Pi .
Combining phase: Let W =Q
{P1 , P2 , , Pt } be a coalition of t participants gathered to
construct the secret. Let D = ti=1 di .
(1) Pi (i = 1, 2, ..., n) computes si = dDi ei zi mod D, where ei can be achieved by the
formula dDi ei 1(moddi ) (i = 1, 2, ..., n).
P
(2) According to the CRT, the participants compute z = ti=1 si mod D, and then obtain
the secret by computing S = z mod q.
The Asmuth-bloom scheme needs a dealer to distribute the secret shares, which may cause the
authority deceive problem.

Our Scheme

Assume the set of n participants is P = {P1 , P2 , , Pn }, at least t participants join the signing
process. Without loss of generality, we define the t participants as W = {P1 , P2 , , Pt }. The
outline of our scheme is shown in Fig. 1.
As no dealer is required in our scheme, each participant Pi selects a sub-secret to compute his
secret share shadow. Then participants generate their own secret share as well as the group public
key by exchanging secret share shadows rather than distributed by a dealer. In exchanging process,
mutual cheating among participants can be identified by verifying the secret share shadows.
Based on modified ElGamal signature, each participant produces a partial signature for message
M by using his secret share. The group signature can be synthesized by t partial signatures, which

978

Z. Hou et al. /Journal of Computational Information Systems 11: 3 (2015) 975986

Fig. 1: Outline of our scheme

is equivalent to that generating by using the group private key directly. So the group private key
will not be revealed in the signing process. Anybody can verify the group signature by the group
public key.
The scheme comprises four steps: (1) generation and verification of secret shares. (2) Group
key generation. (3) Partial signature generation, and (4) verification of signature.

3.1

Secret shares generation and verification

The public parameters: two large prime numbers p and q, where q is the prime factor of (p 1),
a positive integer sequence d = {d1 , d2 , , dn } and a generating element g in the finite field Zp .
q and d meet the requirements of the Asmuth-Bloom threshold scheme. n, t, p, q, g and d are
public. Message M Zq .
Step 1 Pi (i = 1, 2, , n) secret selects a random number xi as his private key and an integer
Ai which are satisfy the following inequality.
0 < xi < [q/n]


0 Ai < [N/q 2 ] 1 /n.

(2)
(3)

aij = (xi + Ai q) mod dj .

(4)

Pi computes
aij is secret share shadow.
Step 2 Pi sends aij to Pj by secure channel and keeps aii by himself.
Step 3 Pi computes the verification information i , ij (j = 1, 2, , n): i = g xi +Ai q mod p,
ij = (xi + Ai q aij )/dj , ij = g kij mod p, then broadcasts i , ij and g Ai .
To prevent the participants fraud behaviour, after receiving aij from Pi , Pj can verify it with
the following formula
d
((g aij mod p)(ijj mod p)) mod p = i
(5)

Z. Hou et al. /Journal of Computational Information Systems 11: 3 (2015) 975986

979

If aij agrees with Eq. (5), aij is true.

Step 4 After receiving aij from the other participants, Pj computes his secret share yj .
yj =

n
X

aij mod dj .

(6)

i=1

ajj is kept secretly by Pj , so only Pj knows yi .

3.2

Group key generation

Pi (i = 1, 2, , n) broadcasts g xi , then any participant can compute the group public key Y.
Y =

n
Y

g xi mod p.

(7)

i=1

The group private key X is defined as

X=

n
X

xi .

(8)

i=1

However, nobody can get X because xi is kept privately by Pi .

3.3

Partial signature generation

There are many variants for ElGamal signature. But limited by modulo arithmetic, most variants unsuited for CRT-based threshold signature. With the further research into the ElGamal
signature and Chinese reminder theorem, we deduce a modified ElGamal signature/verification
formula which is suitable for CRT-based threshold signature scheme.
(1) According to Eq. (1), sk = (M rx) mod q. The equation can conclude to ak = b+cx mod q,
in which a = s, b = M, c = r. The verification is ra = g b y c mod p.
(2) Let a = rM, b = s, then c = 1, thus Eq. (1) can transform to k r M = s + x. Then
signature is s = k r M + x mod q, corresponding verification is g s rrM Y mod p.
Based on the modified signature, the generation of partial signatures is described as follows:
Step 1 Each Pi selects a random number ki Zq , computes ri = g ki mod p and broadcasts it.
After receiving ri from other participants, Pi computes

r=g

Pt

i=1

ki

mod p =

t
Y
i=1

ki

g mod p =

t
Y
i=1

ri mod p

980

Z. Hou et al. /Journal of Computational Information Systems 11: 3 (2015) 975986

Step 2 Pi computes D =

Qt

i=1

di , ei = ( dDi )1 mod di . Then calculate

D
ei yi mod D.
di

Vi =

(9)

Step 3 Pi generates his partial signature si for the message M.

si = ki r M + V i

(10)

and sends (M, r, si ) to the signature verifier.

Note: If P
we use signature Eq. (1) directly, the
Pt partial signature would be si = ki M + r Vi . In
t
spitePof i=1 Vi mod D is less thanP
D, r ( i=1 Vi mod D) is likely larger than D, in this case,
(r ( ti=1 Vi mod D)) mod D 6= r ( ti=1 Vi mod D), then correct signature verification could not
be constructed.

3.4

Signature verification

After receiving t signatures (M, r, si ), the signature verifier computes

t
X
s=(
si mod D) mod q

(11)

i=1

(M, r, si ) is the group signature for the message M.

Anybody can use the group public key Y to verify the group signature by Eq. (12).
g s rrM Y mod p

(12)

Theorem 1 Signature verification formula Eq. (12) is correct.

Proof Assume
Z=

n
X

aij .

(13)

i=1

Then, by Eqs. (2), (3) and (4), we can get

Z=

n
X

xi + q

i=1

n
X

Ai < q + (N/q) q = N/q.

(14)

i=1

Then, according to Eq. (6) there are congruence equations

Z yi mod di

(15)

According to CRT, Z have unique solution

Z=

t
X
D
i=1

di

ei yi mod D =

t
X
i=1

Vi mod D.

(16)

Z. Hou et al. /Journal of Computational Information Systems 11: 3 (2015) 975986

981

Also, according to Eq. (8) and Eq. (14), we can get the following equation
Z=X+

n
X

Ai q X mod q.

(17)

i=1

Q
For q < d1 < d2 < < dn , N = ti=1 di and D is the product of any t di , so D N . Let
di = d1 + li (li is integers and i = 1, 2, ..., n), then
D = d1 t + u1 d1 t1 + u2 d1 t2 + + ut1 d1 + ut .
N = d1 t + v1 d1 t1 + v2 d1 t2 + + vt1 d1 + vt .
where ui , vi are integers and ui vi . Then,
N/q =

vt1 d1 vt d1
d1 t1 v1 d1 t2 v2 d1 t3
d1 +
d1 +
d1 + + (
+
)
q
q
q
q
q

For q < d1 , then when t > 2, q 3 + N/q < d1 t + u1 d1 t1 < D.

P
Also, q is larger than max{r, M, ki }, then r M ti=1 ki < q 3 .
P
Therefore, according to Eq. (13), when t > 2, r M ti=1 ki + Z < q 3 + N/q < D.
Thus, according to Eqs. (10), (11) and (17)
t
X
s=(
si mod D) mod q
i=1
t
X
=(
(ki r M + Vi ) mod D) mod q
i=1

= (r M

t
X

ki +

i=1
t
X

= ((r M

= ((r M

Vi ) mod D mod q

i=1
t
X

ki +

i=1
t
X

t
X

Vi mod D) mod D) mod q

i=1

ki + Z) mod D) mod q

i=1

= (r M

t
X

ki + Z) mod q

i=1

= (r M

t
X

ki + (Z mod q)) mod q

i=1

= (r M

t
X

ki + X) mod q.

i=1

So g s g rM
(12) is correct.

Pt

i=1

ki +X

mod p g rM

Pt

i=1

ki

g X mod p rrM Y mod p. The verification Eq.

982

Z. Hou et al. /Journal of Computational Information Systems 11: 3 (2015) 975986

Security Analysis

4.1

The group private key is secure and can be reused

By Eq. (8), the group private key X can be generated only when obtaining all sub-secrets xi .
In the group public key generating process, Pj can get g xi from participant Pi , but obtaining xi
according to g xi is the discrete logarithm problem. So no one can get other participants xi .
The group signature is synthesized by t partial signatures, which will not expose any information
of X. So the group private key X is safe and can be reused.

4.2

The participants mutual cheating can be identified

Theorem 2 Pi cannot provide the false aij .

To compute the group public key Y, Pi must provide the true g xi . So if Pi has provided a false
g Ai denoted by Fi , in order to make Eq. (5) still holds, Pi must provide false aij or false ij .
Suppose Pi provide a false aij and denote it by a0ij . For i = g xi +Ai q mod p = g xi g Ai q mod p.
Since g Ai is false and g xi is true, i must be false.
Let i0 denote the false i , thus i0 = g xi Fiq mod p.
0

dj

q/dj

By Eq. (5), ((g aij mod p)(ij mod p)) mod p = (g xi Fiq ) mod p, then ij = g (xi aij )/dj Fi

For g and q are two primes, to satisfy ij is an integer, Fi must be the power of g. Suppose
0
0
0
Fi = g Ai (A0i 6= Ai , 0 A0i {[N/q 2 ] 1}/n), then ij = g (xi +qAi aij )/dj .
Since ij is an integer and g is a prime, a0ij is less than dj , thus a0ij = (xi + A0i q) mod dj . That
means a0ij is true. So Pi cannot provide the false aij when g Ai is false.
Similar to the proof above, we can prove that Pi cannot provide the false ij when g Ai is false.
Since both aij and ij must be true when g Ai is false, the false g Ai can be easily identified by
Eq. (5). So Pi cannot provide the false g Ai .
For g xi and g Ai must be true, i = g xi +Ai q = g xi g Ai q mod p. Obviously, the false i can not
satisfy the equation. So Pi cannot provide the false i .
For i must be true, if Pi has provided the false ij which is denoted by ij0 , Pi must provide
the false aij , denoted by a0ij , to satisfy the Eq. (5) and a0ij < dj .
0

By Eq. (5), ((g aij mod p)(ij0

dj

mod p)) mod p = i = g xi +Ai q . Then ij0 = g (xi +Ai qaij )/dj .

Since g is a prime and ij0 is an integer, (xi + Ai q a0ij )/dj must be an integer. Then xi + qAi
mod dj .

a0ij

aij = (xi + Ai q) mod dj and a0ij =

6 aij , then a0ij = aij + k dj (k is a positive integer), means
a0ij > dj . So Pi cannot provide the false aij . Therefore, Pi cannot provide the false ij .
For i and ij must be true. Obviously, the false aij can not satisfy the Eq. (5). Therefore, Pi
cannot provide the false aij .
In conclusion, when exchanging secret shadow among participants, any false parameter (i , ij ,
aij ) can be identified by Eq. (5).

Z. Hou et al. /Journal of Computational Information Systems 11: 3 (2015) 975986

4.3

983

A forger cant generate a false signature

To forge a signature, a forger may try to find r, s to satisfy Eq. (12). If the forger fixes r first,
then computing s is equivalent to ElGamal signature scheme. If s is fixed, then computing r is
more difficult than ElGamal signature scheme.
The forger may generate t partial signatures. To generate a partial signatures si forger need to
get ui . In the process of generating partial signature, g ki is public, but get ki through g ki is the
discrete logarithm problem.

Experimental Result

Harns scheme [16] is the most representative Lagrange interpolation-based threshold signature
scheme. The majority of existing threshold signature schemes are based on Harns scheme. So
we will compare the time consumption of our scheme with that of Harns.
(1) Signature time consumption.

Fig. 2: Signature time consumption

Fig. 3: Time consumption of secret share generating

The Fig. 2 is the time consumption of signing between the Harns threshold signature scheme
and our scheme. The t axis indicates the threshold value, and the time axis indicates the
signature time consumption.
Obviously, our scheme is more efficient than the Harns threshold signature scheme.
(2) Secret shares generating consumption. In Harns scheme the secret share shadow is computed
by fi (x) = di + ai,1 x + ai,2 x2 + ai,3 x3 + + ai,t1 xt1 , fi (xj ) is the secret share shadow
sent
P
from Pi to Pj , and xj is the identity of Pj . Pj computes his secret share by Fj = ni=1 fi (xj ).
In
Pnour scheme, the secret share yj is computed by aij = (xi + Ai q) mod dj and yj =
i=1 aij mod dj .
In Harns scheme, a polynomial of degree t need to be computed, and the time consumption
is increased with the increase of t. Our scheme just needs to compute a congruence, which

984

Z. Hou et al. /Journal of Computational Information Systems 11: 3 (2015) 975986

Table 1: Parameters of participants

Table 2: Secret share shadows

aij j=1 j=2 j=3 j=4 j=5

Pi

Ai

xi

xi + Ai q

g xi

P1

32

737

i=1

34

40

32

48

P2

407

9363

i=2

15 0

32

10

35

P3

533

12261

i=3

14

41

18

P4

75

1728

27

i=4

26

36

32

P5

520

11963

27

i=5

12

32

25

38

has nothing to do with t. As shown in Fig. 3, the secret share generating of our scheme is
much more efficient than that of Harns scheme.

Example

An example involving 3 out of 5 participants is illustrated below.

(1) The public parameters are n = 5, t=3, p=47, q=23, g=3, d=37, 41, 43, 47, 53, N =65231, P =
P1 , P2 , P3 , P4 , P5 .
(2) Each participant Pi selects xi , Ai and computes his g xi , which is shown in Table 1.
(3) Pi computes and sends aij (i 6= j) to corresponding participant Pj , which is shown in Table 2.
a. If Pi provides
a true aij , for example
a43 = 8, then 4 = g 1728 modp= 27, 43 = g 40 mod
 a

d
d3
3
p = 2, (g 43 mod p)(43 mod p) = 27. So (g a43 mod p)(43
mod p) mod p = 4 .
b. If Pi provides a false aij , for example a43 = 10 6= 8, then 4 = g 1728 modp
 = 27, 43 =
d
d
41
a
a
3
3
43
43
g modp = 6, (g mod p)(43 mod p) = 9. So (g mod p)(43 mod p) mod p 6= 4 .
Q
(4) Any Pi can compute the group public key Y = 5i=1 g xi mod p = 4 according to Table 1.
P5
aj1 mod d1 = 14, y2 =
(5) Each participant in P generates his own secret share: y1 =
P5
P5
Pj=1
5
aj2 mod d2 = 13, y3 =
j=1 aj3 mod d3 = 18, y4 =
j=1 aj4 mod d4 = 3, y5 =
Pj=1
5
j=1 aj5 mod d5 = 12.
(6) Suppose P1 , P2 and P3 join the signing process, they choose secret integers k1 = 14, k2 = 17,
k1
k2
k3
k3 = 21 at random
Q3 and compute r1 = g mod p = 14, r2 = g mod p = 2, r3 = g mod p =
21. Thus, r = i=1 ri mod p = 24.
(7) Suppose M = 5, P1 , P2 and P3 compute Vi and the partial signature. V1 = 28208, s1 = k1
M +V1 = 29888. V2 = 38184, s2 = k2 M +V2 = 40224. V3 = 28208, s3 = u3 M +V3 = 37411.
P
(8) The verifier receive the partial signatures and compute the group signature s = ( 3i=1 si mod
D) mod q = 18. So the group signature (M, r, s) = (5, 24, 18).
The verifier checks: g s 318 mod 47 6, rrM Y mod p 6. So g s rrM Y mod p.
Therefore, the group signature is correct.

Z. Hou et al. /Journal of Computational Information Systems 11: 3 (2015) 975986

985

Conclusion

We propose a verifiable threshold signature scheme based on CRT. No dealer is required for distributing shares, and all the participants work together to produce the group public key and their
own secret shares, which can protect against authority deceive. We modify the ElGamal signature equation to ensure the correctness of signature verification. Furthermore, mutual cheating
among the participants can be identified by verifying the secret share shadows. The security of
our scheme is discussed, and the experiments show that our scheme is more efficient than Harns
scheme.

References
[1]
[2]
[3]
[4]

[5]
[6]

[7]
[8]

[9]

[10]

[11]
[12]
[13]

[14]

A. Shamir. How to share a secret. Communication of ACM, 22 (1979) 11, 612-613.

G. R. Blakley. Safeguarding cryptographic keys. Proceedings of the National Computer Conference.
Arlington, June, 1979, 313-317.
C. A. Asmuth and J. Bloom. A modular approach to key safeguarding. IEEE Transactions on
Information Theory, 29 (1983) 2, 208-210.
Li Qiong, Wang ZhiFang, et al. A non-interactive modular verifiable secret sharing scheme. International Conference on Communications, Circuits and Systems, Los Alamitos, 27-30 May 2005,
84-87.
S. Iftene. Secret sharing schemes with applications in security protocols. Technical report, University Alexandru Ioan Cuza of Iasi, Faculty of Computer Science, 2007.
K. Kaya and A. A. Selcuk. A Verifiable Secret Sharing Scheme Based on the Chinese Remainder
Theorem. Lecture Notes in Computer Science, Progress in Cryptology-indocrypt 2008. 9th Annual
International Conference on Cryptology. 2008, 414-425.
S. Y. V. Rao and C. Bhagvati. CRT based Secured Encryption Scheme. Recent Advances in
Information Technology (RAIT), 2012 1st International Conference, Dhanbad, 15-17 March 2012.
Xukai Zou, Fabio Maino, Elisa Bertino, et al.. A New Approach to Weighted Multi-Secret Sharing. Proceedings of the 2011 20th International Conference on Computer Communications and
Networks (ICCCN 2011), Maui, HI, USA, 31 July-4 Aug. 2011, 1-6.
S. Iftene and M. Grindei. Weighted Threshold RSA Based on the Chinese Remainder Theorem.
2007 9th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing
(SYNASC 2007), Timisoara, Romania, 26-29 Sept. 2007, 2008, 175-181.
C. Porkodi and R. Arumuganathan. Group-oriented signature schemes based on Chinese remainder theorem. 2009 World Congress on Nature & Biologically Inspired Computing (NaBIC 2009),
Coimbatore, India, 9-11 Dec. 2009, 1661-1664.
Cheng Guo, ChinChen Chang. Proactive Weighted Threshold Signature Based on Generalized
Chinese Remainder Theorem. Journal of Electronic Science and Technology, 10 (2012) 3, 250-255.
Yanxiao Liu, Yuqing Zhang, Yupu Hu. Efficient verifiable (t; n) secret sharing schemes. Journal
of Computational Information Systems, v 8, n 9, pp. 3815-3821, May 1, 2012.
Yisheng Xue, Shulei Wu, and Huan-dong Chen. A Blakley Secret Sharing Scheme without Trusted
Share Distributed Center. Computational Intelligence and Security (CIS), 2011 Seventh International Conference, Hainan, 3-4 Dec. 2011, 612-614.
Qianqian Zhang, Zhihui Li and Xiong Li. A Verifiable Secret Sharing Scheme Without Dealer
In Vector Space. Fuzzy Systems and Knowledge Discovery (FSKD), 2011 Eighth International
Conference, 26-28 July 2011, 2222-2225.

986

Z. Hou et al. /Journal of Computational Information Systems 11: 3 (2015) 975986

[15] Benhui Zhang, Yuansheng Tang. Verifiable Vector Space Secret Sharing Scheme Without a Dealer.
Computer Science and Service System (CSSS), 2011 International Conference, NanJing, 27-29 June
2011, 931-934.
[16] Harn, L. Group-oriented (t,n) threshold digital signature scheme and digital multisignature. IEE
proceedings of Computers and Digital Techniques, 141 (1994) 5, 307-313.
[17] Yousheng Zhou, Feng Wang, Yixian Yang, et al. A novel threshold signature scheme with distinguished signing authorities. Broadband Network and Multimedia Technology (IC-BNMT), 2010
3rd IEEE International Conference. Beijing, 26-28 Oct. 2010, 728-732.
[18] HE Er-qing, HOU Zheng-feng and ZHU Xiao-ling. Proactive secret sharing scheme without trusted
party. Application Research of Computers. 30 (2013) 2, 491-493. (in Chinese).
[19] Tong Lu and BaoYuan Kang. Improvement of threshold group signature scheme. Computer Science
and Society (ISCCS), 2011 International Symposium, Kota Kinabalu, 16-17 July 2011, 150-153.
[20] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms,
IEEE Trans. Inform. Theory 31 (4) (1985) 469-472.