What Is a Threshold Signature Scheme (TSS)?

Basics

Threshold Signature Scheme (TSS) is a cryptographic primitive that enables distributed key generation and signing. Its application in blockchain clients can offer a wide range of benefits, particularly in the realm of security. This innovation can also influence the development of key management systems, such as crypto wallets, and even pave the way for native support in DeFi use cases. However, since it is still a new technology, it is vital to consider the limitations and potential risks associated with TSS.

Let's explore Threshold Signature Scheme, define its potential advantages in the context of blockchain, and detail how it can be integrated into a blockchain client. The article will also compare TSS to other similar cryptographic technologies, such as Shamir secret sharing and Multisig. Additionally, it will discuss the various ways TSS can be used for distributed key management before concluding with an overview of the risks and limitations associated with this technology.

The Power of Cryptography 

Before diving into the intricacies of the Threshold Signature Scheme, it is essential to have a basic understanding of cryptography. Since the 1970s, asymmetric cryptography, also known as public key cryptography (PKC), has been widely employed in internet systems like TLS and PGP. PKC utilizes two keys: one public and one private. The public key can be freely used and published, while the private key is kept confidential to ensure security.

PKC has two main usages: encryption and digital signatures. Both these applications rely on a set of three algorithms. Firstly, the private and public key pair generation is done. Secondly, a ciphertext/signature is generated. Lastly, the decryption/verification process is carried out. With regards to digital signatures, the signing algorithm requires the private key, known only to the owner, to produce a unique signature that can be attached to a given message. Anyone possessing the public key can then verify the signature's authenticity and accuracy.

Blockchain 

Blockchain technology has gained significant popularity due to its ability to organize and record events through a consensus layer, which can potentially be used to establish decentralized economies and even governments. Digital signatures are the sole form of cryptography needed to run a basic blockchain. In the context of blockchain, private keys act as identities, while signatures serve as public statements or claims made by an identity. The blockchain validates and orders these statements based on a set of rules, ensuring that the signatures are unforgeable and accurate.

Modern cryptographic techniques, such as zero-knowledge proofs, homomorphic encryption, and multi-party computation, have expanded the range of tools available in cryptography. Blockchain research has contributed significantly to advancements in applied cryptography over the past decade. This article will focus on one such breakthrough: the efficient and secure threshold signatures.

MPC and the TSS

The threshold signature scheme is a method that combines distributed key generation (DKG) and distributed signing in a threshold signature scheme. Multi-party computation (MPC) is a branch of cryptography that has existed for almost 40 years. It enables parties who do not trust each other to jointly compute a function over their inputs while keeping those inputs private. For instance, imagine a company's employees wanting to know who is being paid the most without revealing their salaries to each other. With MPC, the computation is done so that not even a single paycheck is leaked during the computation. In a distributed way, we can use MPC to compute a digital signature. There are three steps to creating a signature: key generation, signing, and verification. 

In the first step, we generate a key, which is public and used to verify future signatures, as well as individual secrets for each party, known as secret shares. To maintain privacy and correctness, the function must produce the same public key for all parties and a different secret share for each. The privacy criterion dictates that no secret share data is disclosed between the parties, while the correctness criterion ensures that the public key is a function of the secret shares.

For the second step, each party uses their secret share to input into a signature generation function and a message known to all parties. The output of this step is a digital signature, and the private property ensures that no leakage of secret shares occurs during the computation. 

The third step involves a verification algorithm which remains the same as in the classical setting. Anyone with knowledge of the public key can verify and validate the signatures, making it compatible with single key signatures.

To sum up, TSS is the name given to this combination of distributed key generation and distributed signing in a threshold signature scheme using MPC.

Integrating TSS With Blockchains

To incorporate TSS technology into a blockchain, we need to modify the blockchain client to perform distributed computations instead of private key related commands. In traditional blockchain design, a new address is created by generating a private key, computing the public key, and then deriving the blockchain address from the public key.

With TSS, a group of parties can jointly compute the public key, with each holding a secret share of the private key. Each party's share remains confidential, making the private key a distributed entity. The blockchain remains unaffected. This approach offers the advantage of not having a single point of failure for the private key, as each party holds only one part of it.

Similarly, when signing transactions, a single party is replaced with a distributed signature generation between multiple parties. Each party can generate a valid signature if enough of them are honest. Moreover, distributed key generation has the capability to handle various access structures. The "t out of n" setting can tolerate up to t arbitrary failures without affecting security.

TSS vs. Multisig 

Essentially, multisig and TSS are trying to achieve similar goals. However, multisig occurs on-chain, while TSS uses cryptography off-chain. While some blockchains have TSS functionality as a built-in or programmable feature, multisig is an application layer of the blockchain.

A drawback of multisig is that the access structure is exposed on the blockchain, which can compromise privacy. Additionally, multisig transactions are more costly due to the information on different signers that must be communicated on the blockchain. Conversely, TSS folds signers' details into a regular-looking transaction, reducing costs while maintaining privacy.

Despite the convenience of multisig being non-interactive, it is blockchain-specific and needs to be reimplemented for each blockchain, or sometimes it is not supported at all. TSS, however, relies on cryptography, making it universally supported. 

TSS vs. Shamir 

There are two main differences when comparing the Shamir secret sharing scheme (SSSS) with TSS. First, in SSSS, there is a single party called "the dealer" who generates the private key secret shares and then distributes them to different locations. This means the private key is initially generated at a single location and then distributed, resulting in a potential single point of failure. In contrast, TSS does not rely on a single dealer. Instead, key generation is distributed, ensuring the private key is never in a single location.

Second, in SSSS, the parties must reconstruct the full private key to sign, creating another potential single point of failure each time a signature is needed. TSS handles signing differently by executing it in a distributed manner without reconstructing the secret shares.

In summary, TSS ensures that the private key is never at a single location throughout its lifetime, while SSSS has a single point of failure during key generation and signing.

Threshold Wallets 

In contrast to traditional cryptocurrency wallets, a wallet based on TSS technology operates differently. Typically, a conventional wallet generates a seed phrase to derive addresses deterministically. The user can then use this hierarchical deterministic (HD) structure to reach private keys that correspond to wallet addresses and sign transactions, as well as recover all wallet keys using the seed phrase.

However, in a threshold wallet, things are more complex. Although it is possible to generate an HD structure, its generation must be computed in a distributed manner using another MPC protocol. The parties must jointly decide on the next key to be used, with each party having a seed phrase of its own. The seed phrases are generated separately and never combined so that one party alone can't derive the private keys from its seed.

TSS-based wallets offer a security feature allowing private key rotation without changing the corresponding public key and blockchain address. This feature, also known as proactive secret sharing, takes the secret shares as input and outputs a new set of secret shares. Old secret shares can be deleted, and new ones can be used in the same way.

This time-dimension security structure makes it difficult for an attacker to breach a threshold wallet. Combining secret shares before and after rotation provides no additional power to attackers who want to forge a signature.

However, a downside of this type of wallet is the lack of a seed phrase, making it incompatible with single-key wallet systems. It's essential to consider which parties will hold the secret shares. There are three possible architectures:

1. Outsourcing TSS: The user will let "n" servers run the computation on their behalf, effectively outsourcing the key generation, management, and signing to service providers. However, service providers could collude and steal the user's assets.
2. Using multiple devices: The user will run the TSS between their own devices, such as an IoT device, a mobile phone, and a laptop. However, this method can be cumbersome when conducting transactions.
3. Hybrid: TSS will run with some parties controlled by outside service providers and some parties on user-owned devices. This option offers an easy and fast way to conduct transactions without compromising security.

In summary, TSS technology adds a new level of security to cryptocurrency wallets, making them less susceptible to attacks. The hybrid approach is considered the best option for users as it provides a balance between convenience and security.

TSS and Smart Contracts 

Digital signatures have many uses that can be challenging. TSS is a cryptographic primitive that enhances security. TSS-based cryptography can substitute many functionalities in blockchains. Atomic swaps, inheritance, layer 2 scaling solutions, and decentralized applications can be built using the TSS framework, replacing expensive and hazardous on-chain smart contract operations with reliable and cheaper alternatives. Multi-Hop Locks, which use two-party signatures cleverly, can be a Bitcoin lightning network replacement for a secure and private payment channel network. ShareLock, which is based on verifying a single threshold signature, is probably the most cost-effective on-chain mixing solution for Ethereum.

Risks 

Despite the growing popularity of TSS implementations in recent years, the technology still has some limitations and concerns as a relatively new field. While TSS protocols can enhance security, they are also much more complex than classic public key cryptography and have yet to undergo rigorous testing. Additionally, TSS often requires weaker cryptographic assumptions than traditional setups, leading to the discovery of new attack vectors. However, security engineers and cryptographers can help ensure the safe deployment of TSS in your system. On a positive note, quality contributions, peer reviews, audits, and algorithmic performance improvements all contribute to stronger TSS implementations.

Conclusion

In conclusion, Threshold Signature Scheme is an innovative cryptographic technology that has the potential to bring a wide range of benefits, particularly in the realm of blockchain security. Its application in blockchain clients can revolutionize key management systems, such as crypto wallets, and even pave the way for native support in DeFi use cases. However, while TSS offers several advantages, it is still a new technology, and it is vital to consider its limitations and potential risks. Therefore, it is crucial to stay up to date on the latest developments and research in TSS to make informed decisions regarding its implementation.