With the development of the Internet, there are many opportunities to exchange information with invisible parties through e-mail, etc. It is very important to confirm that the information sent is the same as the original information. Digital signatures are a technology that allows the sender of information to guarantee the authenticity of the information. A threshold signature is a digital signature that is used for information generated by multiple people. In threshold signatures, a signature can be generated only when the number of people who agree to generate the signature exceeds a predetermined threshold. Therefore, even if less than the threshold number of people agree to forge a signature, the signature cannot be forged, which makes it more attack-resistant than a single signature. Because of this security, threshold signatures are used in blockchain technologies such as virtual currencies. Threshold signatures can be realized by dividing the secret key of a digital signature into separate parts, so that the secret key can be recovered only when a threshold number of people agree on it. Digital signatures are classified into two types: message-attachment type for long messages and message-recovery type for short messages. In the message-attached type, the signature and the original data are required for verification. On the other hand, in message recovery type, the data can be verified with only the signature. Most of the existing threshold signatures focus on message-attached signatures. However, since the signature length does not depend on the message length, the real transmission volume (signature length + message length) becomes large when the message is short.
In this paper, we propose a message recovery threshold signature, which is suitable for short messages and does not require a message to be sent with the signature.