Emerging applications like electronic commerce and secure communications over open networks have made clear the fundamental role of public key cryptography as a unique enabler for world-wide scale security solu-Cons. On the other hand, these solutions clearly expose the fact. that, the protection of private keys is a security bottleneck in these sensitive. applications. This problem is further worsened in the cases where a single and unchanged privat, e key must8 be kept secret for very long time (such is the case of certification authority keys, Bank and e-cash keys, etc.).

One crucial defense against exposure of private keys is offered by fhrtAold cryplogmphy where the private key functions (like signatures or decryption) are distAbutetl among several parties such that a precIet, ermined number of parties must. cooperate in order to correcdy perform these operations. This protects keys from any single point of failure. An attacker needs to break i&o a multiplicity of locations before it can compromise the system. However, in the case of long-lived keys the attacker still has a considerable period of time (like a few years) t30 gradually break the system.