Threshold Signature Scheme (TSS)

The process where multiple parties collaboratively generate a single public key and its corresponding secret key shares without any single party ever learning the full private key. This eliminates the single point of failure present in traditional key generation.

• No Trusted Dealer: The key is generated in a decentralized, trust-minimized manner.
• Verifiable Shares: Each participant can cryptographically verify their share is correct.
• Foundation for Security: This secure setup is critical for the entire scheme's resilience.

The mechanism where individual signature shares from a threshold of participants are combined into a single, valid cryptographic signature. This final signature is indistinguishable from one created by a single private key.

• On-Chain Efficiency: The blockchain only sees and verifies one compact signature, reducing gas costs and on-chain data.
• Standard-Compliant: The aggregated signature is a standard ECDSA or EdDSA signature, compatible with existing wallets and smart contracts.
• No Multi-Sig Overhead: Unlike traditional multi-signature schemes, there is no need for complex, custom smart contract logic to manage multiple signatures.

A security protocol that allows participants to periodically refresh their secret key shares without changing the underlying group public key or requiring a new Distributed Key Generation (DKG) ceremony.

• Mitigates Key Erosion: Protects against attackers slowly compromising shares over time.
• Maintains Availability: Enables the secure addition or removal of participants from the signing group.
• Forward Secrecy: Compromised old shares become useless after a refresh, limiting the impact of a breach.

The defining access structure where a transaction can only be signed if a pre-defined minimum number (m) of participants out of the total (n) collaborate. No smaller group can produce a valid signature.

• Flexible Policy: Configurable for different risk tolerances (e.g., 2-of-3 for a team, 5-of-9 for a DAO).
• Resilience & Liveness: The system remains operational even if up to n-m participants are offline or compromised.
• Security Guarantee: An attacker must compromise at least m distinct secret shares, which are never stored together.

TSS provides similar governance benefits to multi-sig but with distinct technical and operational advantages.

• On-Chain Footprint: TSS produces one signature, while multi-sig requires multiple signatures and complex contract logic, resulting in higher gas fees.
• Privacy: A TSS address appears as a standard single-signer address, obscuring the governance structure. Multi-sig contracts reveal the number of signers and their addresses on-chain.
• Atomicity: All TSS signers collaborate off-chain to produce one final action. In some multi-sig designs, approvals can be submitted individually over time, potentially leaving transactions partially signed.

TSS enables programmable asset recovery solutions. A user's key shares can be distributed among trusted friends, family, or legal entities. A predefined threshold can reconstruct the key only under specific, verifiable conditions (e.g., time-lock, proof of incapacity).

• Use Case: Acts as a decentralized alternative to paper seed phrases or will-based inheritance.
• Mechanism: Often combined with Shamir's Secret Sharing or timelock contracts.

TSS security is defined by a (t, n)-threshold model, where n is the total number of participants and t is the threshold required to sign. The system is secure if an adversary corrupts fewer than t parties.

• Byzantine Fault Tolerance: Assumes corrupted parties may act arbitrarily.
• Security Guarantee: The master private key remains secure, and unauthorized signatures are impossible, as long as the adversary controls < t shares. This model underpins the security of institutional custody solutions.

A primary security advantage of TSS is the removal of single points of failure inherent in traditional multi-signature (multisig) schemes and single-key storage.

• vs. Multisig: In blockchain multisig (e.g., 2-of-3), each private key is a complete secret; compromise of one key reduces security. In TSS, individual shares are useless alone.
• vs. HSMs: Removes the physical or logical attack surface of a centralized Hardware Security Module (HSM) holding the full key.

While robust, TSS implementations face specific attack vectors that must be mitigated.

• Rushing Attacks: An adversary broadcasts its signature share last, potentially biasing the result. Mitigated by using non-interactive signing protocols or committing to shares.
• Forgery Attacks: Theoretical attacks on certain elliptic curves. Mitigated by using secure curves (e.g., Ed25519, secp256k1) with proven security properties.
• Side-Channel Attacks: Timing or power analysis on devices generating shares. Mitigated by constant-time algorithms and secure enclaves.

TSS security relies on critical trust assumptions during the initial setup phase.

• Honest Majority Assumption: For DKG, it is typically assumed that a majority of participants are honest during the initial setup. A malicious majority can generate a biased key.
• Verifiable Secret Sharing (VSS): Protocols use VSS to allow participants to verify the validity of their received shares, preventing a single dealer from distributing inconsistent shares.
• Trusted Dealer Model: Some simpler TSS variants use a trusted dealer to distribute shares, reintroducing a single point of failure at setup.

Long-term security requires operational practices to manage proactive security and availability.

• Proactive Secret Sharing: Periodic key refresh protocols allow shareholders to compute new shares from old ones without changing the public key or revealing the master secret, limiting the exposure time of a compromised share.
• Share Backup & Recovery: Secure, offline storage of secret shares is required, but the threshold property means no single backup location holds decisive power.
• Network Requirements: Interactive signing requires secure, low-latency communication channels between parties to prevent denial-of-service attacks.