Threshold Signature

While both provide m-of-n security, TSS and Multisig differ fundamentally:

• On-chain vs. Off-chain Logic: Multisig logic (e.g., 2-of-3) is enforced by a smart contract on-chain. TSS logic is executed off-chain in the cryptographic protocol.
• Footprint & Cost: A TSS transaction appears as a single, standard signature on-chain, reducing gas fees and blockchain bloat. A multisig transaction requires multiple signatures on-chain.
• Privacy: TSS offers better privacy, as the existence and structure of the signing group are not revealed on the public ledger.

A malicious participant can manipulate the key generation phase by choosing their secret share based on others' public contributions, potentially allowing them to forge signatures alone. Mitigations include using non-interactive proofs of knowledge or verifiable secret sharing to ensure each party's share is valid and independent.

The signing protocol requires multiple rounds of peer-to-peer communication. This exposes the process to:

• Eavesdropping: Leaking partial signatures.
• Man-in-the-Middle (MITM) Attacks: Altering messages to produce invalid signatures.
• Denial-of-Service (DoS): Preventing participants from communicating, halting the protocol. Secure, authenticated channels (e.g., TLS) and message authentication codes (MACs) are essential.

While TSS eliminates a single private key, risk can concentrate elsewhere:

• Coordinator/Leader Node: If a single party coordinates the signing rounds, its compromise or failure can disrupt the system.
• Initial Key Generation Ceremony: This one-time event is a critical target; a breach here compromises the entire system permanently. Secure multi-party computation (MPC) rooms or trusted execution environments (TEEs) are often used.

Security relies on the underlying mathematical assumptions (e.g., Discrete Log hardness). Vulnerabilities include:

• Weak Randomness: Compromised random number generators during key/share creation.
• Protocol-Specific Bugs: Implementation errors in the complex multi-round signing logic.
• Adaptive Attacks: An adversary who corrupts parties sequentially based on information gained during the protocol.

TSS creates a tension between liveness (ability to sign) and safety (preventing invalid signatures).

• A malicious majority (≥ threshold) can always produce a valid signature, even for unauthorized transactions (safety failure).
• An honest but unavailable majority can prevent any signature from being produced (liveness failure). Network assumptions and participant reliability are critical.

Multisignature (Multisig): Requires multiple distinct signatures on-chain, increasing transparency but also cost and on-chain footprint. Shamir's Secret Sharing (SSS): Splits a key into shares but requires reconstructing the key in one location for signing, recreating a single point of failure. Distributed Key Generation (DKG): The secure protocol used in TSS to create the initial key shares without ever assembling the full private key.

Multi-Party Computation (MPC) is the foundational cryptographic framework that enables Threshold Signature Schemes. It allows a group of parties to jointly compute a function (like generating a signature) over their private inputs without revealing those inputs to each other.

• Key Property: No single party ever has access to the complete private key; it exists only as a secret-shared state.
• Contrast with Multisig: Unlike traditional blockchain multisig, which creates multiple signatures on-chain, MPC produces a single, standard-looking signature, improving privacy and reducing on-chain costs.

Secret Sharing is a method for distributing a secret (like a private key) among a group of participants. A threshold scheme, like Shamir's Secret Sharing, ensures the secret can only be reconstructed when a minimum number (t) of shares are combined.

• How it works: A secret is split into n shares. Any t of n shares can reconstruct it, but any group smaller than t learns nothing.
• Role in TSS: In advanced TSS, the private key is never reconstructed. Instead, participants use their secret shares to collaboratively perform signing operations, keeping the key material distributed and secure.

Distributed Key Generation (DKG) is a critical MPC protocol run by participants to collaboratively create a shared public key and corresponding secret shares without a central dealer.

• Eliminates Single Point of Failure: No single entity ever knows the full private key, not even during its creation.
• Process: Each party contributes randomness to generate a share of the key. The public key is computed from all contributions, while each party retains only their individual secret share. This is a foundational setup phase for many TSS implementations.

A Digital Signature Algorithm (DSA) is a standard cryptographic scheme (e.g., ECDSA, EdDSA) used to generate and verify signatures. TSS protocols are built to be compatible with these established standards.

• Standard-Compliant Output: A TSS for ECDSA produces a signature that is indistinguishable from one created by a single signer, ensuring broad compatibility with existing systems like Bitcoin and Ethereum.
• Complexity: Adapting algorithms like ECDSA for secure multi-party computation is mathematically complex, as the signing process must be broken down into secure sub-protocols without revealing the key.

Byzantine Fault Tolerance (BFT) is a property of a distributed system to reach consensus and function correctly even if some participants are malicious or faulty. TSS protocols must be designed with BFT in mind.

• Adversarial Model: A robust (t,n)-TSS can tolerate up to t-1 malicious participants who may deviate from the protocol. The scheme ensures they cannot forge a signature or learn the secret shares of honest parties.
• Security Guarantee: This makes TSS suitable for high-value, adversarial environments like blockchain custody, where signers may not fully trust each other.

While both provide multi-party security, they are architecturally distinct.

• On-Chain Multisig (e.g., Bitcoin Multisig, Safe): Uses multiple standard signatures. All signers and the threshold are visible on-chain, requiring more data and higher fees.
• TSS-Based Wallet: Generates a single signature. The signing group and threshold are private, off-chain details. This offers:
  • Privacy: Hides governance structure.
  • Efficiency: Lower transaction fees due to smaller on-chain footprint.
  • Interoperability: Appears as a standard single-signer address to the network.