Threshold Signatures: Their Potential in Blockchain Security and Practical Applications

     Threshold Signature Explained — Bringing Exciting Applications with TSS

A Deep Dive Into Threshold Signature Without Mathematics

Threshold signature is a distributed multi-party signature protocol that includes distributed key generation, signature, and verification algorithms. In recent years, with the rapid development of blockchain technology, signature algorithms have gained widespread attention in both academic research and real-world applications. Its properties, including those related to security, practicability, scalability, and decentralization of signature, have been pored over.

Because blockchain and signature are closely connected, the development of signature algorithms and the introduction of new signature paradigms will directly affect the characteristics and efficiency of blockchain networks. In addition, institutional and personal account key management requirements stimulated by distributed ledgers have also spawned many wallet applications, and this change has also affected traditional enterprises. Whether in the blockchain or traditional financial institutions, the threshold signature scheme can bring security and privacy improvement in various scenarios. As an emerging technology, threshold signatures are still subject to academic research and discussion concerning possible security risks and practical problems.

This article will start with the technical rationale and discuss cryptography and blockchain. Then, we will compare multi-party computation and threshold signature before discussing the pros and cons of different signature paradigms. In the end, there will be a list of use cases of threshold signature. Finally, there will be a list of use cases of threshold signature.

I. Cryptography in Daily Life

Before introducing threshold signatures, let’s get a general understanding of cryptography. How does cryptography protect digital information? How do we create an identity in the digital world? From the very beginning, people wanted secure storage and transmission. After creating a key, one can use symmetric encryption to store secrets. If two people have the same key, they can achieve secure transmission between themselves. To use a military example, the king encrypts a command, and the general decrypts it with the corresponding key.

But when two people do not have a safe channel to use, how can they create a shared key? Solving this issue is why the key exchange protocol came into being. Analogously, if the king issues an order to all the people in the digital world, how can everyone prove that the sentence originated from the king? As such, the digital signature protocol was invented. Both protocols are based on public key cryptography or asymmetric cryptographic algorithms.

Symmetric and asymmetric encryption constitute the main components of modern cryptography. They both have three fixed parts: key generation, encryption, and decryption. Here, we focus on digital signature protocols. The key generation process generates a pair of associated keys: the public key and the private key. The public key is open to everyone, and the private key represents the identity and is only revealed to the owner. Whoever owns the private key has the identity represented by the key. The encryption algorithm, or signature algorithm, takes the private key as input and generates a signature on a piece of information. The decryption algorithm, or signature verification algorithm, uses public keys to verify the validity of the signature and the correctness of the information.

II. Signature in the Blockchain

Blockchain technology uses a consensus algorithm to construct distributed books, and signature provides identity information for blockchain. The signature of the transaction initiator identifies all the transaction information on the blockchain. The blockchain can verify the signature according to specific rules to check the transaction validity, all thanks to the immutability and verifiability of the signature.

From a cryptographic perspective, the blockchain is more than using a signature protocol, or the consensus algorithm based on Proof-of-Work uses a hash function. Blockchain builds an infrastructure layer of consensus and transaction. On top of that, novel cryptographic protocols such as secure multi-party computation, zero-knowledge proof, and homomorphic encryption thrive. For example, secure multi-party computation, which is naturally adapted to distributed networks, can build secure data transfer and machine learning platforms on the blockchain. The special nature of zero-knowledge proof provides feasibility for verifiable anonymous transactions.

The combination of these cutting-edge cryptographic protocols and blockchain technology will drive the development of the digital world in the next decade, leading to secure data sharing, privacy protection, and more applications now unimaginable.

III. Secure Multi-party Computation and Threshold Signature

After introducing how the digital signature protocol affects our lives and how it helps the blockchain build identities and record transactions, we will mention secure multi-party computation (MPC), from where we can see how threshold signatures achieve decentralization. For more about MPC, please refer to our previous posts, which detailed the technical background and application scenarios.

MPC, by definition, is a secure computation that several participants jointly execute. Security here means that, in one computation, all participants provide their own private input and can obtain results from the calculation. It is not possible to get any private information entered by other parties. In 1982, when Prof. Yao proposed the concept of MPC, he gave an example called the “Millionaires Problem” — two millionaires who want to know who is richer than the other without telling the true amount of assets. Specifically, the secure multiparty computation would care about the following properties:

• Privacy: Any participant cannot obtain any private input from other participants except for information that can be inferred from the computation results.

• Correctness and verifiability: The computation should ensure correct execution, and the legitimacy and correctness of this process should be verifiable by participants or third parties.

• Fairness or robustness: All parties involved in the calculation, if not agreed in advance, should be able to obtain the computation results at the same time or cannot obtain the results.

  
  

Supposing we use secure multi-party computation to make a digital signature in a general sense, we will proceed as follows:

• Key generation phase: all future participants will be involved together to do two things: 1) each involved party generates a secret private key; 2) The public key is calculated according to the sequence of private keys.

• Signature phase: Participants joining in a certain signature use their own private keys as private inputs and the information to be signed as public input to perform a joint signature operation to obtain a signature. In this process, the privacy of secure multi-party computing ensures the security of private keys. The correctness and robustness guarantee the unforgeability of the signature, and everyone can all get signatures.

• Verification phase: Use the public key corresponding to the transaction to verify the signature as a traditional algorithm. There is no “secret input” during the verification, this means that the verification can be performed without multi-party computation, which will become an advantage of multi-party computation type distributed signature.

  
  

The signature protocol constructed on the idea of ​​secure multiparty computing is the threshold signature. It should be noted that we have omitted some details because secure multiparty computing is actually a collective name for a type of cryptographic protocol. For different security assumptions and threshold settings, there are different construction methods. Therefore, the threshold signatures of different settings will also have distinctive properties. This article will not explain each setting, but the comparative result with other signature schemes will be introduced in the next section.

IV. Single Signature, Multi-Signature, and Threshold Signature

Besides the threshold signature, what other methods can we choose?

Bitcoin, at the beginning, used a single signature, which allocated each account with one private key. The message signed by this key is considered legitimate. Later, in order to avoid a single point of failure or introduce account management by multiple people, Bitcoin provides a multi-signature function. Multi-signature can be simply understood as each account owner signing successively and posting all signatures to the chain. Then, signatures are verified in order on the chain. When certain conditions are met, the transaction is legitimate. This method achieves multiple private key control purposes.

So, what’s the difference between multi-signature and threshold signature?

Several constraints of multi-signature are:

1. The access structure is not flexible. If an account’s access structure is given, that is, which private keys can complete a legal signature, this structure cannot be adjusted at a later stage. For example, a participant withdraws, or a new involved party needs to change the access structure. If you must change, you need to complete the initial setup process again, which will change the public key and account address as well.
2. Low efficiency. The first is that the verification on the chain consumes the power of all nodes and, therefore, requires a processing fee. The verification of multiple signatures is equivalent to multiple single signatures. The verification takes more time, which also impacts performance.
3. Requirements of smart contract support and algorithm adaptation that varies from chain to chain. Because multi-sig is not naturally supported due to the possible vulnerabilities in smart contracts, this support is considered risky.
4. No anonymity. This cannot able to be trivially called a disadvantage or advantage because anonymity is required for specific conditions. Anonymity here means that multi-signature directly exposes all participating signers of the transaction.

Correspondingly, the threshold signature has the following features:

1. The access structure is flexible. Through an additional multi-party computation, the existing private key sequence can be expanded to assign private keys to new participants. This process will not expose the old and newly generated private key, nor will it change the public key and account address.

2. It provides more efficiency. For the chain, the signature generated by the threshold signature is not different from a single signature, which means the following improvements: a) The verification is the same as the single signature and needs no additional fee; b ) the information of the signer is invisible because, for other nodes, the information is decrypted with the same public key; c) No smart contract on the chain is needed to provide additional support. In addition to the above discussion, there is a distributed signature scheme supported by Shamir secret sharing. The secret sharing algorithm has a long history which is used to slice information storage and perform error correction information. From the underlying algorithm of secure computation to the error correction of the disc. This technology has always played an important role, but the main problem is that when used in a signature protocol, Shamir's secret sharing needs to recover the master private key.

   
   

As for multiple signatures or threshold signatures, the master private key has never been reconstructed, even if it is in memory or cache. This short-term reconstruction is not tolerable for vital accounts.

V. Limitations

Just like other secure multi-party computation protocols, the introduction of other participants makes the security model different from traditional point-to-point encrypted transmission. The problem of conspiracy and malicious participants was not taken into account in algorithms before. The behavior of physical entities cannot be restricted, and perpetrators are introduced into participating groups.

Therefore, multi-party cryptographic protocols cannot obtain the security strength as before. Effort is needed to develop threshold signature applications, integrate existing infrastructure, and test the true strength of the threshold signature scheme.

VI. Usage Scenarios

1. Key Management

The use of threshold signatures in key management systems, such as ARPA’s enterprise key management API, can achieve a more flexible administration. One can use the access structure to design authorization patterns for users with different priorities. In addition, for the entry of new entities, the threshold signature can quickly refresh the key. This operation can also be performed periodically to level up the difficulty of hacking multiple private keys at the same time. Finally, for the verifier, the threshold signature is not different from the traditional signature, so it is compatible with old equipment and reduces the update cost. ARPA enterprise key management modules already support Elliptic Curve Digital Signature Scheme secp256k1 and ed25519 parameters. In the future, it will be compatible with more parameters.

2. Crypto Wallet

Wallets based on threshold signatures are more secure because the private key doesn’t need to be rebuilt. Also, without all signatures posted publicly, anonymity can be achieved. Compared to the multi-signature, threshold signature needs less transaction fees. Similar to key management applications, the administration of digital asset accounts can also be more flexible. Furthermore, threshold signature wallet can support various blockchains that do not natively support multi-signature, which reduces the risk of smart contract bugs.

Conclusion

This article describes why people need the threshold signature and what inspiring properties it may bring. One can see that threshold signature has higher security, more flexible control, and a more efficient verification process. In fact, different signature technologies have different application scenarios, such as aggregate signatures not mentioned in the article and BLS-based multi-signature. At the same time, readers are also welcome to read more about secure multi-party computation. Secure computation is the holy grail of cryptographic protocols. It can accomplish much more than the application of threshold signatures. In the near future, secure computation will solve more specific application questions in the digital world.

Also published here.