Written by Cassandra Hart, Arch Afshar
Digital signatures are a core concept in blockchains and cryptocurrency. Modern blockchains use digital signatures to secure billions of dollars of value. A digital signature scheme uses a key pair: a randomly generated “private key” and a “public key” derived from it. Anyone holding the “private key” can “sign” a transaction and move the associated funds, so the “private key” must be protected. Some tech-savvy blockchain users choose to protect this key themselves, accepting the risk that the key is stolen or lost (and their money with it). Other users trust online wallets or exchanges to protect their keys for them; that decision carries its own risks, which depend on the competence of the third party.
In both cases, the user places all of their trust in a single entity, which may not be desirable. Enter threshold digital signatures: a solution that requires a “threshold” of at least two cooperating participants to produce a signature, removing the need to trust any single entity. In this article we do the following:
- Provide an intuitive description of threshold signatures and their applications,
- Dig a little deeper and look at the various threshold signature schemes, and
- Compare threshold signatures with other technologies, such as multisig wallets.
Intuition for threshold signatures
As a developer in the field of threshold cryptography, it is exciting to see these innovations become a mainstream topic, but readers who are not familiar with cryptography or the math behind it quickly run into snags when faced with phrases like “Paillier cryptosystem,” “symmetric cipher” or “Galois field.” It gets more complicated still when all the moving parts have to coordinate their communication, and as a result very few organizations have been willing to investigate the potential of threshold signatures. But it does not have to be scary. In the end, the math is nothing more than multiplication and addition. So let’s ELI5: what is a threshold signature?
Figuratively speaking, signatures are like flying a kite on an invisible string. The kite itself is the public key: everyone can see it in the sky. The kite pilot moves the kite by manipulating the invisible string, the private key. The path she traces across the sky as she flies is the signature. Everyone saw the kite fly along this path, and only by using this invisible string was that flight path possible. This is simplistic compared to the actual math, but the metaphor is useful for showing the coordination and actions needed to make threshold signing possible.
Enter threshold cryptography. The threshold concept is literally in the name: some numerical threshold must be met for the process to succeed. These processes are often described with the phrase “t of n”, where n is the total number of potential participants and t is the threshold number of them that must take part. A threshold scheme that has been in use for some time is Shamir’s Secret Sharing. For those unfamiliar with it, the secret is split into shares, and a mathematical technique called Lagrange interpolation recombines any t of the shares into the original secret value. In the kite metaphor, Shamir’s scheme takes the invisible string and separates it into individual threads that many people can hold; for the kite to fly, enough of those people must come together and join their threads back into a single string.
This process works well, and services around the world use it to secure confidential data. The downside is that everyone involved must go through the process in a secure location when the secret is reconstructed and used. In cryptocurrencies, this also means that once the private key is recombined and used for signing, it must be considered exposed, and all funds held by that key must be moved, so that a participant who helped recombine the key and walks away with it cannot do anything meaningful. This is expensive, not to mention that it requires a lot of coordination between participants. What if we could take the strong math behind this cryptography and improve it so that nobody ever has to meet somewhere safe?
The great news is that we can! There is a growing body of literature with new approaches to existing cryptographic systems, improvements over previous systems, and completely new cryptographic protocols. Navigating this area takes significant time and expertise, but here at Coinbase we have found and implemented strategies that let us take advantage of these methods and support new ones as they are discovered and peer reviewed. There are a lot of pieces involved in this process, so let’s return to the metaphor.
The preparation that gets our kite flyers ready is the key development that makes this whole process work. Every participant follows the same rule: they bring their own invisible string and their own piece of the kite. The pilots agree with each other in advance how they will fly, and they all set out to fly their piece of the kite at the agreed speed, angle and time. If anyone strays from the agreed flight plan, the whole tangled mess of kites crashes to the ground, but if all goes as agreed, the kite takes off as one compact piece across the sky and performs the flight as planned. When the flight is over, the pieces come apart in the air and everyone goes home with their own kite and string. Nobody ever holds the whole kite or the whole string, and every party sees the flight plan ahead of time, so they know that nobody can attempt some wild antics that would let them run off with the kite.
Dive deeper into the threshold signatures
Now that we have an intuitive understanding of threshold signatures, let’s dive deeper into the concepts and terminology. Threshold signature schemes belong to the field of secure multi-party computation (MPC) in cryptography. The main objective of MPC is to enable computation on private data without disclosing that data to anyone but its owner. In the kite metaphor, the invisible threads are the secret shares of the private key, and threshold signing uses these secret shares to sign the transaction without ever reconstructing the combined private key or exposing any of the secret shares.
A very important component of threshold signatures is a mathematical construct called elliptic curve cryptography. The TL;DR is that given `y = x·G`, where `y` and `G` are publicly known curve points, it is computationally infeasible to find the scalar `x` in any reasonable time frame (this is the elliptic curve discrete logarithm problem). Several “curves” offer this property:
- secp256k1, which is used in Bitcoin, Ethereum and many more
- Edwards25519, which is used in Cardano, Monero and many more
- BLS12-381, which is used in Ethereum 2.0 and some other chains
Given a suitable elliptic curve, the next step towards a threshold signature is to choose a standard digital signature scheme (that is, a single-signer scheme). Common digital signature schemes are as follows:
- ECDSA, on the secp256k1 curve as used by Bitcoin
- Schnorr, on the secp256k1 curve as used by Bitcoin Cash (and, on other curves, by chains such as Mina)
- Ed25519, on the Edwards25519 curve as used by Cardano
Finally, given a digital signature scheme, we can discuss threshold signature schemes. A threshold signature scheme starts from the single-signer scheme and splits the private key among `n` participants. At signing time, any t of the n participants can run the signing protocol to obtain a signature. Finally, any (external) party can verify the signature using the very same algorithm used to verify single-signer signatures. In other words, signatures produced by the threshold scheme and by the single-signer scheme are interchangeable. Put differently, a threshold signature algorithm consists of three stages.
- Generate a public/private key pair, split the private key into multiple secret shares and distribute these shares among the `n` parties. This stage can be performed in two modes.
  - Trusted dealer mode: one trusted party generates the private key, then splits and distributes the shares. The main problem with this approach is that the dealer sees the private key in plaintext.
  - Distributed key generation (DKG): an MPC protocol runs between the `n` participants so that each ends up with a secret share and nobody ever sees the private key in plaintext at any point in the process.
- Gather a threshold of `t` participants and run the MPC signing protocol to sign the transaction.
- Verify the signature using the standard signature verification algorithm.
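The three stages above, together with the Shamir recombination described in the intuition section, as one added Python example; this is not code from the original post or from Coinbase. It simulates all n parties in a single process with a simplified t-of-n threshold Schnorr scheme over secp256k1: a simplified DKG in which each party deals Shamir shares of its own random secret and the joint public key is the sum of the dealers’ commitments, a signing round in which t parties combine their nonces and share-weighted responses, and verification by the ordinary single-signer Schnorr equation. It is not FROST: it omits FROST’s nonce commitments and binding factors, and the DKG omits the commitments real protocols use to verify received shares, so it is for illustration only. The curve arithmetic, the SHA-256 challenge encoding H(R || Y || m), the party identifiers 1..n and the sample messages are assumptions made for the example. `shamir_recover` is included only to show what plain recombination would expose; the threshold signing path never calls it.

```python
# Added illustration (not Coinbase code): simplified t-of-n threshold Schnorr on secp256k1.
# NOT FROST and not for real funds: signing omits FROST's nonce commitments and binding
# factors (rogue-nonce defence) and the DKG omits the commitments used to verify shares.
import hashlib
import secrets

# secp256k1 domain parameters: field prime P, group order N, generator G
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine point addition; None stands for the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, Q):
    """Double-and-add k*Q: easy to compute, infeasible to invert (the ECDLP)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return R

def shamir_split(secret, t, n):
    """Shamir: shares are f(1..n) of a random degree t-1 polynomial with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(t - 1)]
    return {i: sum(c * pow(i, j, N) for j, c in enumerate(coeffs)) % N
            for i in range(1, n + 1)}

def lagrange_at_zero(i, ids):
    """Lagrange coefficient lambda_i such that sum(lambda_i * f(i) for i in ids) == f(0)."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % N
            den = den * (i - j) % N
    return num * pow(den, -1, N) % N

def shamir_recover(shares):
    """Plain Shamir reconstruction: whoever runs this sees the whole secret."""
    return sum(lagrange_at_zero(i, shares) * s for i, s in shares.items()) % N

def dkg(t, n):
    """Stage 1 (simplified DKG): every party deals shares of its own random secret and
    keeps the sum of what it receives. Nobody ever holds the joint private key."""
    dealer_secrets = [secrets.randbelow(N) for _ in range(n)]
    Y = None
    for s in dealer_secrets:          # each dealer publishes s*G; anyone can sum them
        Y = ec_add(Y, ec_mul(s, G))
    dealt = [shamir_split(s, t, n) for s in dealer_secrets]
    return Y, {i: sum(d[i] for d in dealt) % N for i in range(1, n + 1)}

def challenge(R, Y, msg):
    """Schnorr challenge e = SHA-256(R || Y || m) reduced mod N (assumed encoding)."""
    data = b"".join(c.to_bytes(32, "big") for c in (*R, *Y)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def threshold_sign(x_shares, signers, Y, msg):
    """Stage 2: the parties in `signers` jointly output a standard Schnorr (R, s)."""
    nonces = {i: 1 + secrets.randbelow(N - 1) for i in signers}   # each k_i stays local
    R = None
    for i in signers:                 # parties exchange R_i = k_i*G and sum them
        R = ec_add(R, ec_mul(nonces[i], G))
    e = challenge(R, Y, msg)
    # each signer sends s_i = k_i + e*lambda_i*x_i; the sum is k + e*x with x never formed
    s = sum(nonces[i] + e * lagrange_at_zero(i, signers) * x_shares[i]
            for i in signers) % N
    return R, s

def verify(Y, msg, sig):
    """Stage 3: ordinary single-signer Schnorr verification, s*G == R + e*Y."""
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(challenge(R, Y, msg), Y))

def demo(t=2, n=3, signers=(1, 3), msg=b"pay 1 coin to alice"):
    """2-of-3 by default: parties 1 and 3 sign while party 2 stays offline."""
    Y, x_shares = dkg(t, n)
    sig = threshold_sign(x_shares, list(signers), Y, msg)
    short = threshold_sign(x_shares, list(signers)[:t - 1], Y, msg)   # below threshold
    recovered = shamir_recover({i: x_shares[i] for i in range(1, t + 1)})
    return {"valid": verify(Y, msg, sig),
            "tampered_rejected": not verify(Y, b"pay 100 coins to mallory", sig),
            "too_few_rejected": not verify(Y, msg, short),
            "recombined_key_matches": ec_mul(recovered, G) == Y}   # what recombining exposes
```

`demo()` runs a 2-of-3 setup with parties 1 and 3 signing. The returned dict shows that the threshold signature passes standard Schnorr verification, that a changed message or a below-threshold signer set is rejected, and that recombining t shares would reveal a private key matching the public key, which is exactly the exposure the threshold signing path avoids. The trusted dealer mode from stage 1 is simply `shamir_split` run by one party on a key it already knows.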
Threshold signature schemes are rapidly evolving. At the time of writing, secure and widely used schemes include the following.
- FROST is a threshold signature and DKG protocol that needs a minimal number of communication rounds and is safe to run concurrently. FROST is a threshold version of the Schnorr signature scheme.
- DKLs18 is a 2-of-2 threshold signature and DKG protocol that provides fast signing for the ECDSA signature scheme.
Threshold and Multisig signatures
Multisig, or multi-signature, schemes offer capabilities similar to threshold signatures with one difference: each participant has their own public key (rather than a secret share of a single key). This small difference has a significant impact on the cost, speed and availability of multisig on many blockchains.
- Efficiency: In threshold signature schemes, each public key and the shares of its corresponding private key belong permanently to one fixed set of signers. In multisig, each participant has a distinct public key of their own. The benefit of the latter is that every participant can reuse their private/public key pair to take part in arbitrarily many different signing groups. The cost of multisig is that the size of the “public key” (actually a list of public keys) representing any given group must grow linearly with the number of members of that group. Likewise, the time to verify a multisig must grow linearly with the size of the group, since the verifier must at least read the full list of public keys that represents it. In threshold schemes, by contrast, a single public key represents the entire group, and key size and verification time are constant.
- Availability: To enforce that the minimum `t` is met, the blockchain must natively support multisig. In most cases this support takes the form of a smart contract, so not all blockchains support multisig wallets. In contrast, MPC-based threshold signatures are blockchain-independent, as long as the signature scheme used by the blockchain has a secure threshold variant.
Threshold digital signatures let us do things that were not previously possible in crypto: multisig contracts cost extra to operate, whereas threshold signing needs no smart contract at all. This means we can support an entirely new class of wallet. Where before there were traditional custodial wallets, such as Coinbase’s offerings, and self-custodial options such as the Coinbase Wallet app, this threshold ECDSA approach allows customers to be active participants in the signing process. The user keeps one share of the private key while Coinbase keeps another, and only when both agree on the flight plan can a transaction be signed. This provides the security and confidence that Coinbase is known for, with the user remaining in control.
If you are interested in the latest cryptography, check out our open roles here.
Threshold Digital Signatures was originally posted on the Coinbase blog on Medium.