An Introduction to Threshold Signature Schemes
If you’ve amassed substantial crypto assets, you know it’s a challenge to keep your tokens safe from hacking and theft. Most transactions on a blockchain are accomplished with a single user’s signature. What’s wrong with that? When there’s only one private key from one person required to sign a transaction, it’s easier for an attacker to obtain that key.
There are many ways for a bad actor to get their hands on that one private key, including phishing scams. The vulnerability of single-signature setups is what has inspired developers to build schemes such as threshold signature schemes (TSS) that require multiple signatories.
What’s TSS, how does it work, and why should you care? In this article, we explain how threshold signatures differ from other signature methods, and why you might want to consider TSS for securing larger, more critical transactions.
TL;DR: In Threshold Signature Schemes, multiple users of an account each possess part of a single signature key needed to execute transactions. TSS has distinct advantages over other security setups where multiple people collaborate to sign a transaction, such as multi-sig wallets. TSS has simpler execution requirements and interacts less with the blockchain, which makes transactions more secure and efficient, as well as saving on gas or mining fees.
Terms to know for TSS
To understand threshold signatures, let’s first review some basic concepts to see how TSS fits into the picture and why using threshold signatures offers some meaningful advantages.
- Public key cryptography (PKC)–Dating back to the ‘70s, PKC relies on a linked pair of private and public keys that are created when you set up a new wallet. While the public key can be known to all, the private key must not be shared or your wallet is compromised.
- Digital signatures–A mathematical scheme consisting of three steps: generating a key, using the key pair’s private key in concert with a transaction to create a signature, and executing an algorithm that verifies the signature. On a blockchain, digital signatures make it possible for users to execute transactions.
- Multiparty computation–Building on PKC, multiparty computation allows joint owners of a wallet to execute transactions together. This usually involves setting up a rule where if the number of wallet’s users is m, then a subset of the whole group, n of m, is required to execute a transaction.
What are threshold signature schemes?
The structure of TSS enables multiple people to execute transactions together without needing to know or trust each other, or be in the same physical place together. With a TSS wallet, multiple people are required to execute a transaction. Unlike in some other multi-user schemes where each user contributes their own private key to execute a transaction, with TSS each member has a different, unique piece of a single key. A predefined number of these pieces must be brought together to execute a transaction. This graphic from Crypto APIs illustrates the structure of a transaction done using a TSS wallet:
In other words, a specified number of different users’ key pieces must be assembled into a key for your transaction to be signed.
Use cases for threshold signatures
When does it make sense to employ the more complex threshold signature scheme rather than a single signature? When more than one person jointly owns a large sum of crypto, TSS provides robust security and operational flexibility.
Sophisticated wallet providers now offer TSS-enabled wallets, such as WH Cypher and Crypto API’s Wallet as a Service.
Advantages of threshold signature schemes
TSS offers benefits that ordinary single-signature schemes don’t. With each person holding a unique portion of the signature, it’s difficult for any one user to make off with the group’s assets. The split-up signature also makes it much harder for an attacker to find and properly assemble enough pieces to execute a transaction and steal your assets.
Threshold signatures vs multi-sig wallets?
There are many differences between TSS and multi-sig wallets. A few contrasts that spotlight the advantages of TSS:
Easier interoperability
Multi-sig: For multi-sig to work, the blockchain you use needs to record a variable number of signers for each transaction. Bitcoin supports this option with scripts, and Ethereum supports it with smart contracts. Other blockchains may require custom integrations for multi-sig.
TSS: With its single-signature structure, threshold signatures are readily usable on any blockchain–no integration challenges. The blockchain doesn’t know that users are collaborating off-chain to contribute their key pieces to create that single signature–all the blockchain has to do is verify that signature.
Faster and cheaper
Multi-sig: Verifying a transaction by using multiple signatures may mean that your organization must pay more in fees. Often, there’s also a longer wait for more signatures to be verified.
TSS: Since only one signature executes on the blockchain, transaction speed is usually fast and fees much lower.
More secure
Multi-sig: One feature of mult-sig wallets is that all approvers’ signatures are recorded on-chain, making it possible for an attacker to know the security scheme (how many signatures are required) and to see if changes are made. Proponents say this transparency improves accountability–but it may be a security vulnerability.
TSS: With TSS recording only one signature on-chain, attackers have no visibility as to how the private key pieces are divided up or who owns them. There’s also no way to detect if the security scheme has been changed to add or delete users or alter the n of m formula required for a completed signature.
Improved flexibility
Multi-sig: If you want to change your keys or change your wallet’s security structure, those changes are all observable on the blockchain. This gives adversaries useful information for future attacks.
TSS: Because a signature’s code can be divided up in almost infinite ways and only the one signature interacts with the blockchain, with TSS you can easily reset or reassign the signature parts or even change the n of m structure. There’s nothing recorded on the blockchain that an attacker could access.
Why might some users stick with multi-sig? Once it’s set up, it could be a pain to switch over to TSS. However, if you’re setting up a new group or organizational wallet and don’t have to wrestle with a changeover, give TSS some careful consideration.
Risks of using TSS
The biggest weakness of TSS is that at this point, it’s still fairly new. (though there is a call from NIST to develop standards in threshold schemes). Its vulnerabilities may not all be known yet. TSS may require weaker cryptographic assumptions than conventional signatures and therefore may have new attack vectors. TSS is more complex to implement than single signatures–and that means there are opportunities for things to go wrong. You should use a trusted, experienced professional to set up your TSS wallet to avoid problems.
Is TSS for you?
Now that you know all the advantages and risks of using TSS, you can assess whether it’s the right structure for your multi-user wallet. It certainly takes a bit of effort to set up compared with simple single-signature wallets–but if you’re handling substantial crypto, it could be worth the effort.
To learn more about securing multi-party crypto assets, see our article on multisig wallets.