Created on:
Thursday, December 1, 2016

Threshold Signatures: The Future of Private Keys

Imagine cryptocurrency private key and signing algorithms as a key and a lock to a vault. This vault has one key that fits exactly into the keyhole and unlocks the vault. No other key can open it. If attackers are able to access that key somehow, they can open the vault and get away with the victim’s money and goods. Since it is cash, this action irrevocable. Additionally, if the key is lost, the safe and its contents remain locked forever. To mitigate the risk of loss, the vault user may choose to duplicate the key, but then it increases the risk of theft.

Classic Vault: One Key, One Lock

This situation might be acceptable if the vault holds small amounts of money, but when larger sums are at stake, it is clear that this solution is inadequate. The burden is just too heavy for a single entity. Naturally, that single entity can delegate the key and the responsibility to another entity it trusts and get a temporary sense of relief, until it realizes that it merely shifted the problem to another single entity that is exposed to all the perils mentioned above.

Therefore, the responsibility should be shared between multiple parties (a few persons and/or devices). When the responsibility is properly shared, a more refined unlocking system can be defined. This new unlocking system handles both cases of theft and loss. Attackers need to steal multiple independent keys, and only a certain subset of the keys are needed to unlock the vault.
In the following sections, we will describe the evolution of solutions that share private key responsibility.

Sharing the Responsibility: The Current Generation

In order to share the responsibility of holding a single key to unlock the vault, it is clear that something needs to be changed either with key or lock or both.


MultiSig (multisignature) shares the responsibility for the the vault’s security by multiplying the locks. Instead of a single key that locks the vault, MultiSig creates a vault with multiple locks and keys and assigns the keys to multiple parties.

MultiSig can even create a vault mechanism that requires only some portion of these keys to open the vault. That way, even if one of the keys is duplicated then the attackers are not able to open the vault. However, this change requires the manufacturing of a new type of vault. This vault needs to be bigger to allow the placement of multiple locks. The vault also has a privacy issue, as anyone can see it has an unusual security mechanism and therefore it can be easier to track.

In more technical terms, MultiSig is a new type of signing mechanism that requires specific and different support on each blockchain technology, and higher fees as the transactions need to be encoded with more bytes for the additional signatures.  

MultiSig Vault: Two Keys, Two Locks. The vault is “heavier” and looks different

Bottom line:

Pros: Better security, as the keys are never stored in the same place (if properly constructed)

Cons: Higher fees, less privacy, not universally supported

Secret Sharing Scheme

The Secret Sharing Scheme (SSS) shares the responsibility for the vault’s security by breaking the key into multiple pieces. This can be done in a redundant manner such that only a certain amount of key pieces can be reassembled into a functioning key. The key pieces can be assigned to multiple parties.

When using a Secret Sharing Scheme, the vault looks the same as a regular vault and therefore the disadvantages of MultiSig described above are resolved.However, SSS has a major drawback: When the key is generated initially or reassembled to unlock the vault, it is again stored (even if briefly) in its full form. This weakness provides a golden opportunity for attackers to get a hold of the key.  

SSS Vault: One Key Split in Two, One Lock. The vault looks the same as Classic Vault

Bottom line:

Pros:  Similar fees, privacy, and universal support as a regular transaction. When not in use, the key parts reside in different places.

Cons: When created and used, the key is present in its complete form and thus susceptible to stealing from a single place.

Sharing the Responsibility: The Next Generation

Can we have our cake and eat it too? Can we get a system of true multiple keys in which the keys are ALWAYS separated and NEVER meet each other, but the vault still has only one lock so it looks the same as a regular vault?

Yes, We Can. That is exactly what Threshold Signatures do. Threshold Signatures are based on the cryptography field of Multi-Party Computation (MPC). In a way, we can think of Threshold Signatures as the child of SSS and MultiSig, inheriting the best qualities of its parents.

MPC based Threshold Signatures

With Threshold Signatures, each of the parties creates a key independently. Then they forge the vault’s lock together, in a modular way, in which each party shapes a part of the lock that corresponds to its key. Eventually, at the end of this process, a vault with a single modular lock is created that corresponds to each of the keys.

The unlocking process involves the parties taking turns in unlocking the vault. Each key can turn the modular lock a few degrees forward. After a few rounds of partial turning of the different keys, the modular lock is fully unlocked.

This modular lock can be shaped so that even if only a subset of the keys are available, the vault can still be unlocked..

The vault is indistinguishable from a regular, single-lock vault. The modular nature of the lock cannot be detected by an external observer.

Threshold Signatures Vault: Two Keys, One Lock.  The vault looks the same as Classic Vault

Bottom line:

Pros: The different keys never meet each other, the Threshold Signatures vault is indistinguishable from a regular vault and hence universal, and it has the same privacy and cost (fees) as a regular vault.

Cons: The interactive nature of the processes of shaping the modular lock and the unlocking process requires that all of the parties be present during the action (as opposed to MultiSig in which each of the parties can sign asynchronously). The shaping process is harder on performance, but due to recent advancements in this field very much feasible.