The security of this system lies in the fact that A reliably knows
the public key of B. In a PKI, this is achieved by using a signed
certificate from the CA. In ad hoc networks using threshold
cryptography, when A needs to find out the public key of B, it sends
out a broadcast message to its neighbors requesting a certificate for
B.
Each server which hears this message generates a partial certificate
with its partial system secret kx and sends it to a
combiner. A combiner is a server which takes on the responsibility of
combining S partial certificates and generating a complete certificate.
Any server can take on the role of a combiner.
A server does not require any extra capabilities to be a combiner.
Conversely, a server does not gain any extra information about the
system secret by being a combiner. Once the combiner has generated the
complete certificate by combining S partial certificates, it can send
the certificate to A.
Now, let's look at the security of an ad hoc network using threshold
cryptography to implement a virtual CA. What happens if a server in the
network is compromised?
This server can then be used by an adversary to generate an
incorrect partial signature. When the combiner uses this invalid
partial certificate to generate a complete certificate, it would
obviously lead to the complete certificate being invalid.
Fortunately, the public key of the virtual CA (KwCA) is
known to all nodes in the system. (That the public key of the CA is
well known to all nodes in the system is an underlying assumption of
every PKI system.)
The combiner can therefore use the public key to verify the validity
of the complete certificate that it has generated. This can be done,
for example, by decrypting the certificate (which has been encrypted using KiCA) using KwCA and
verifying that the information in the certificate is correct.
If the combiner determines that the complete certificate is invalid,
it can use another set of S partial certificates to generate a valid
complete certificate. This means that as long as the combiner has
access to at least S valid partial signatures it would be able to
generate a valid complete certificate.
For this reason, the value of S should not be too large. Note that
if S (or more than S) servers are compromised, the security of the
whole system is compromised. For this reason the value of S should not
be too small. These two constraints make the value of S an engineering
trade-off.
Consider what happens, however, if the combiner itself is
compromised. This is a much more potent threat since it is the combiner
which is finally responsible for combining the partial certificates and
issuing the complete certificate. A compromised combiner can therefore
inject invalid certificates into the system.
One solution is to assign the role of a combiner to a server which
is more secure than other nodes in the system and thus has a lower
probability of being compromised. Since this is not always possible in
an ad hoc environment, another approach is to use multiple combiners.
In this scenario each combiner issues a complete certificate using its
set of partial certificates. The nodes in the system now have multiple
sources from which to get the certificate they want and can use a
majority-based scheme to ensure the validity of a certificate.
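The following is an added example, not code from the original article, that walks through the whole procedure above in a toy threshold scheme: servers produce partial certificates from their shares of the CA secret (the k_x of the text), a combiner interpolates S of them into a complete certificate, verifies the result under the well-known CA public key KwCA, falls back to another set of S partials when a compromised server has contributed garbage, and a requesting node takes a majority over several combiners. It assumes a threshold Schnorr signature with a trusted dealer that hands out key shares and a fresh one-time nonce share per certificate (a simplification; the article does not specify the signature scheme), and it uses a tiny constructed group (P = 2039, Q = 1019, G = 4) that is only suitable for illustration. All names and the scenario in demo() are constructed.

```python
import hashlib
import random
from collections import Counter
from itertools import combinations

# Constructed toy parameters (tiny, NOT secure): safe prime P = 2Q + 1,
# G generates the subgroup of prime order Q. Exponents live in Z_Q,
# group elements in Z_P.
P, Q, G = 2039, 1019, 4

def shamir_split(secret, s, n, rng):
    """Split `secret` into n shares with threshold s (Shamir, over Z_Q)."""
    coeffs = [secret] + [rng.randrange(Q) for _ in range(s - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(ids):
    """Lagrange coefficients that recover f(0) from the shares with these ids."""
    lam = {}
    for i in ids:
        num = den = 1
        for j in ids:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        lam[i] = num * pow(den, Q - 2, Q) % Q
    return lam

def challenge(R, msg):
    """Fiat-Shamir challenge c = H(R, msg) reduced into Z_Q."""
    h = hashlib.sha256(f"{R}|{msg}".encode()).digest()
    return int.from_bytes(h, "big") % Q

class Dealer:
    """Trusted setup (assumption): shares the virtual CA's private key x, each
    share playing the role of the article's k_x, plus a one-time nonce per
    certificate. Servers never see x itself."""
    def __init__(self, s, n, seed=7):
        self.rng, self.s, self.n = random.Random(seed), s, n
        x = self.rng.randrange(1, Q)
        self.pub = pow(G, x, P)            # KwCA: known to every node
        self.key_shares = shamir_split(x, s, n, self.rng)

    def nonce_shares(self):
        k = self.rng.randrange(1, Q)
        return pow(G, k, P), shamir_split(k, self.s, self.n, self.rng)

def partial_certificate(x_i, k_i, R, msg):
    """Server i's partial signature over the certificate body."""
    return (k_i + challenge(R, msg) * x_i) % Q

def combine(R, msg, partials):
    """Combiner step: interpolate S partial signatures into one signature."""
    lam = lagrange_at_zero(list(partials))
    s = sum(lam[i] * partials[i] for i in partials) % Q
    return (R, s)

def verify(pub, msg, sig):
    """Anyone holding KwCA can check the complete certificate: g^s == R * y^c."""
    R, s = sig
    return pow(G, s, P) == R * pow(pub, challenge(R, msg), P) % P

def robust_combine(pub, R, msg, partials, s):
    """Try S-subsets until the combined signature verifies under KwCA.
    Returns (signature, ids_used), or (None, None) if fewer than S are good."""
    for ids in combinations(sorted(partials), s):
        sig = combine(R, msg, {i: partials[i] for i in ids})
        if verify(pub, msg, sig):
            return sig, ids
    return None, None

def majority_certificate(pub, msg, answers):
    """Requesting node: accept the certificate returned by a strict majority
    of combiners, after discarding answers that do not verify under KwCA."""
    valid = [sig for sig in answers if sig is not None and verify(pub, msg, sig)]
    if not valid:
        return None
    sig, votes = Counter(valid).most_common(1)[0]
    return sig if votes > len(answers) // 2 else None

def demo(s=3, n=5, compromised=(2,), bad_combiners=1):
    """Constructed scenario: servers in `compromised` emit corrupted partials,
    `bad_combiners` of three combiners forge their answer."""
    dealer = Dealer(s, n)
    msg = "cert: subject=B, pubkey=<B's key, constructed placeholder>"
    R, nonce = dealer.nonce_shares()
    partials = {}
    for i in range(1, n + 1):
        good = partial_certificate(dealer.key_shares[i], nonce[i], R, msg)
        partials[i] = (good + 1) % Q if i in compromised else good
    naive = combine(R, msg, {i: partials[i] for i in range(1, s + 1)})  # uses server 2
    honest_sig, used = robust_combine(dealer.pub, R, msg, partials, s)
    forged = (R, (honest_sig[1] + 1) % Q)                               # bad combiner
    answers = [forged] * bad_combiners + [honest_sig] * (3 - bad_combiners)
    return {
        "naive_valid": verify(dealer.pub, msg, naive),
        "robust_valid": honest_sig is not None,
        "skipped_compromised": all(i not in compromised for i in used),
        "majority_ok": majority_certificate(dealer.pub, msg, answers) == honest_sig,
    }
```

Running demo() shows the three points of the text in order: the naive combination that blindly includes server 2 fails verification under KwCA, robust_combine() finds a valid complete certificate from another set of S partials (here servers 1, 3 and 4), and majority_certificate() still returns the honest certificate when one of three combiners forges its answer, but returns nothing once two of three do. The subset search in robust_combine() is also why S cannot be too large: the number of S-subsets to try grows quickly, and every corrupted partial a combiner receives costs it extra verification work.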