Abstract.We introduce the notion of distributed password-based publickey cryptography, where a virtual high-entropy private key is implicitly dened as a concatenation of low-entropy passwords held in separate locations. The users can jointly perform private-key operations by exchanging messages over an arbitrary channel, based on their respective passwords, without ever sharing their passwords or reconstituting the key. Focusing on the case of ElGamal encryption as an example, we start by formally dening ideal functionalities for distributed public-key generation and virtual private-key computation in the UC model. We then construct ecient protocols that securely realize them in either the RO model (for eciency) or the CRS model (for elegance). We conclude by showing that our distributed protocols generalize to a broad class of discrete-log-based public-key cryptosystems, which notably includes identity-based encryption. This opens the door to a powerful extension of IBE with a virtual...