One concept which fascinates me is Public Key Cryptography, of which RSA encryption was the earliest strong example. But a variant of public-key cryptography which exists, and to which I have not paid much attention, is Threshold Encryption. The Wiki article states that it exists, but does not explain how it would work. There could be more than one way to accomplish threshold encryption, but I can think of one that will work. As its basis, my own hypothetical system would assume that the author of an encrypted message intends for two *specific* recipients to be able to decrypt that message, but only if both recipients apply their keys. The communication of the recipients' keys could be a secure communication from the author, which could itself be accomplished using public-key, single-recipient cryptography.

This basis has the following assumptions:

- The encryption of the message could take place by raising the message to a public-key exponent (E), such as, again, 65537, in the modulus of (p)(q), where (p) and (q) are prime numbers.
- Each recipient would possess a private exponent (d1 or d2), but none of (p), (q), (p-1), or (q-1) by itself. Instead, everybody would know the public-key modulus (p)(q), on the assumption that it cannot be prime-factorized into (p) and/or (q).
- (The author would compute two multiplicative inverses of 65537, one in the modulus of (p-1) and the other in the modulus of (q-1), hence calling these smaller exponents (d1) and (d2)?)
- If the two recipients need to decrypt the message, they could perform a simple integer multiplication of their individual private exponents, to arrive at (D = (d1)(d2)), which should then also become the multiplicative inverse of 65537 in the modulus (p-1)(q-1).
- Raising the ciphertext to the exponent (D) in the modulus (p)(q) will undo the encryption, as with ordinary RSA encryption.

*Even if I was mistaken* in how exactly (d1) and (d2) are computed, as an alternative to multiplying them, the recipients can apply them sequentially, as exponents in the modulus of (p)(q), so that the end result is to decrypt the original message.
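
As a check on the two ways of combining the exponents, here is an added example (not part of the original post) that uses constructed toy primes. It compares the per-prime inverses from the list above with a multiplicative split of the full private exponent, which is an assumed alternative; all function names are hypothetical.

```python
from math import gcd

# Constructed toy parameters, far too small for real use.
P, Q, E = 1009, 1013, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)

def per_prime_exponents():
    """The post's tentative choice: inverses of E modulo (p-1) and (q-1)."""
    return pow(E, -1, P - 1), pow(E, -1, Q - 1)

def multiplicative_shares(d1):
    """Assumed alternative: split the full exponent D so d1*d2 = D (mod PHI)."""
    if gcd(d1, PHI) != 1:
        raise ValueError("d1 must be invertible modulo (p-1)(q-1)")
    full_d = pow(E, -1, PHI)
    return d1, (full_d * pow(d1, -1, PHI)) % PHI

def encrypt(m):
    return pow(m, E, N)

def decrypt_sequential(c, d1, d2):
    """Each recipient exponentiates in turn; neither sees the other's share."""
    return pow(pow(c, d1, N), d2, N)

def decrypt_product(c, d1, d2):
    """Recipients pool their shares into one exponent first."""
    return pow(c, d1 * d2, N)

if __name__ == "__main__":
    m = 42  # constructed sample message
    c = encrypt(m)
    for label, (d1, d2) in [("per-prime inverses", per_prime_exponents()),
                            ("multiplicative split", multiplicative_shares(10007))]:
        print(label, "E*d1*d2 mod phi =", (E * d1 * d2) % PHI,
              "sequential ok:", decrypt_sequential(c, d1, d2) == m,
              "product ok:", decrypt_product(c, d1, d2) == m)
```

With these parameters only the multiplicative split recovers the message. Pooling the shares as in `decrypt_product` also gives the holders E·d1·d2 − 1, a multiple of (p-1)(q-1), which is known to be enough to factor the modulus, whereas sequential application keeps each share private.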

But I see a major shortcoming of this approach. I see no way in which both recipients could generate their own private exponents and communicate the corresponding public key to the author, supposedly securely, over an insecure channel. The reason for this would be the fact that both recipients would need to be aware of the same modulus, as well as of one of the prime numbers used. Simple division of the modulus by either prime number will reveal the other, and thus break the encryption. Even to know (p-1), for example, will trivially reveal (p), and therefore also reveal (q).

But the same math could be extended such that *three* recipients need to supply their individual private keys (d1, d2 and d3), if the public-key modulus was instead (p1)(p2)(p3)…

But then the question would need to exist separately, as to what would happen if there needed to be (n) potential recipients, *any* (t) out of which are required to decrypt a message. The only solution which I could see would be to base that on hybrid encryption, where a symmetrical key would be encrypted multiple times, each time to a subset of (t) recipients out of the larger set (n). Each subset of recipients would need to decrypt the symmetrical key, as created with a different modulus.

(Updated 09/21/2018, 19h30 : )