I do not know the specifics of Gentry's scheme, but all other threshold cryptosystems require two homomorphisms (a third is implied) relating the public and secret keys:
- $KG(sk_1) \otimes KG(sk_2) = KG(sk_1 \oplus sk_2)$
- $c = Enc_{pk_1}(Enc_{pk_2}(m, r)) = Enc_{pk_1 \otimes pk_2}(m, r)$
- $m = Dec_{sk_1}(Dec_{sk_2}(c)) = Dec_{sk_1 \oplus sk_2}(c)$
($KG$ is a function that, given the secret key, returns the public key: $pk = KG(sk)$.)
If these conditions hold, for some operations ⊕ and ⊗, it is trivially possible to make distributed (n-out-of-n) decryption, and it may be possible for threshold (m-out-of-n) if the operation ⊕ is, for example, sufficient for interpolating a polynomial.
For example, in threshold Elgamal, ⊕ is addition and this allows interpolation.
Even though no one has answered the original question, perhaps someone can answer these questions: (1) Does Gentry's FHE fit the blueprint above (in terms of KG, Enc, Dec)? (2) Do such homomorphisms exist between the public and secret keys? (3) If so, what are the operations?
Also, I am not saying these conditions are necessary to have a threshold cryptosystem. The lack of such a homomorphism does not imply (to my knowledge) that threshold decryption is impossible.
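
The three conditions above, checked for ElGamal with ⊗ as multiplication of public keys and ⊕ as addition of secret keys mod the group order. This is an added example, not part of the original answer. The toy parameters, sample keys and helper names (`add_layer`, `strip_layer`, `shamir_shares`, `threshold_dec`) are constructed here, and reading the nested Enc as re-masking the second ciphertext component with the same r is an assumption.

```python
# Added illustration: toy ElGamal in a prime-order subgroup (constructed, insecure sizes).
P, Q, G = 2039, 1019, 4      # P = 2Q + 1; G generates the order-Q subgroup

def kg(sk):                  # KG: secret key -> public key
    return pow(G, sk, P)

def enc(pk, m, r):           # Enc_pk(m, r) = (g^r, m * pk^r)
    return pow(G, r, P), m * pow(pk, r, P) % P

def add_layer(pk, c, r):     # assumed reading of the nested Enc: same r, mask c2 again
    return c[0], c[1] * pow(pk, r, P) % P

def strip_layer(sk, c):      # one party's Dec_sk: remove c1^sk from c2
    return c[0], c[1] * pow(c[0], -sk, P) % P

def shamir_shares(sk, coeffs, n):
    """Shares f(1..n) of f(x) = sk + coeffs[0]*x + ... over Z_Q (threshold = len(coeffs)+1)."""
    poly = [sk] + list(coeffs)
    return {i: sum(a * pow(i, k, Q) for k, a in enumerate(poly)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(i, ids):
    """Lagrange coefficient of party i for interpolating f(0) from the parties in ids."""
    num = den = 1
    for j in ids:
        if j != i:
            num, den = num * -j % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def threshold_dec(c, shares):
    """Each party i contributes c1^(lambda_i * s_i); the product is c1^sk."""
    c1, c2 = c
    mask = 1
    for i, s in shares.items():
        mask = mask * pow(c1, lagrange_at_zero(i, list(shares)) * s % Q, P) % P
    return c2 * pow(mask, -1, P) % P

if __name__ == "__main__":
    sk1, sk2, m, r = 123, 456, 1000, 77          # constructed sample values
    pk1, pk2 = kg(sk1), kg(sk2)
    assert pk1 * pk2 % P == kg((sk1 + sk2) % Q)  # KG homomorphism
    c = add_layer(pk1, enc(pk2, m, r), r)
    assert c == enc(pk1 * pk2 % P, m, r)         # Enc homomorphism
    assert strip_layer(sk1, strip_layer(sk2, c))[1] == m   # n-out-of-n decryption
    shares = shamir_shares((sk1 + sk2) % Q, [321], 3)      # 2-out-of-3 sharing
    assert threshold_dec(c, {1: shares[1], 3: shares[3]}) == m
    print("all checks passed")
```

Because ⊕ is addition in Z_Q, the Lagrange-weighted shares sum to the joint secret key in the exponent, which is the interpolation property the answer refers to. A single share does not recover m.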