Threshold Signature Scheme

The process where multiple parties collaboratively create a shared public key and individual private key shares. No single entity ever knows the full private key, eliminating the single point of failure present in traditional multi-signature setups. This is a foundational ceremony that establishes the threshold parameters (e.g., 2-of-3).

Instead of collecting multiple full signatures, a threshold of participants (e.g., 2 out of 3) each creates a partial signature using their private share. These partial signatures are then cryptographically combined into a single, standard-looking signature (e.g., an ECDSA or EdDSA signature) that is valid for the group's shared public key. This results in:

• Smaller on-chain footprint (one signature vs. many)
• Lower verification cost for the blockchain

A security enhancement where private key shares are periodically refreshed or rotated without changing the underlying group public key or requiring a new DKG ceremony. This limits the impact of a potential share compromise over time, as an attacker would need to compromise shares from the same refresh period to reconstruct the key.

The core security guarantee. The master private key is never assembled in one location. It exists only as mathematical shares distributed among participants. This protects against:

• Insider threats (a single participant cannot steal funds)
• External attacks (compromising one device is insufficient)
• Key loss (the scheme can tolerate the loss of some shares)

While both provide distributed control, TSS differs fundamentally from on-chain multisig.

• On-chain Data: Multisig publishes all public keys and signatures. TSS produces one signature, enhancing privacy.
• Complexity & Cost: Multisig transactions are larger and more expensive to verify. TSS transactions are identical to single-sig.
• Cryptography: Multisig uses simple signature checks. TSS uses advanced Multi-Party Computation (MPC).

The security and availability model is defined by the (t, n) parameters, where n is the total number of participants and t is the threshold required to sign.

• 2-of-3: Balances security and availability for most wallets.
• 5-of-9: Used for high-value institutional custody.
• m-of-m: Equivalent to traditional multisig (all participants must sign). The choice involves a trade-off between liveness (ability to sign) and robustness (resistance to compromise).

A Threshold Signature Scheme (TSS) is a multi-party computation (MPC) protocol for digital signatures. It allows a group of n participants to generate a collective public key and sign transactions, but the signature can only be produced if a minimum threshold t of participants (where t ≤ n) collaborate. Crucially, the full private key is never assembled in one place, significantly reducing the attack surface compared to traditional multi-signature schemes or seed phrase storage.

TSS is a foundational technology for modern custodial and non-custodial wallet solutions. It eliminates single points of failure by distributing key shards across devices, geographies, or institutions. Examples include:

• Enterprise Custody: Fireblocks and Copper use TSS to secure institutional assets.
• Self-Custody Wallets: ZenGo wallet uses a 2-of-2 TSS between the user's device and its server network, removing the need for a seed phrase.
• Distributed Validator Technology (DVT): Protocols like Obol and SSV Network use TSS to split an Ethereum validator's signing key among multiple operators for fault tolerance.

Many cross-chain bridges rely on TSS for secure, decentralized custody of assets locked in a vault on the source chain. A committee of validators or signers, each holding a key shard, must reach the threshold to authorize a mint or release transaction on the destination chain. This design is used by bridges like THORChain (for its native swaps) and Multichain (in its earlier architecture) to manage assets across multiple blockchains without relying on a single trusted entity.

DAOs use TSS for secure treasury management. Instead of relying on a single multi-signature wallet where private keys are held in full by each signer, a TSS-based treasury can require a threshold of council members to collaboratively sign transactions. This enhances security (keys are never complete) and can improve privacy, as the individual signers and their partial signatures are not revealed on-chain, unlike in a standard n-of-m multisig contract.

While both provide distributed signing authority, they are fundamentally different.

• Multisig (e.g., Gnosis Safe): Uses multiple full private keys. Each signature is a separate on-chain transaction, revealing the signers and increasing gas costs. The contract logic enforces the threshold.
• Threshold Signature Scheme (TSS): Uses mathematical secret sharing. It produces a single, standard-looking signature on-chain, reducing gas fees and improving privacy. The threshold logic is executed off-chain cryptographically. TSS is generally more efficient but requires complex initial setup and ongoing communication between parties.

Development of TSS applications is supported by several open-source libraries and emerging standards.

• GG18/20: Foundational papers and protocols for threshold ECDSA signing, implemented by libraries like Multi-Party ECDSA from ZenGo and others.
• tss-lib: A popular Go implementation of threshold ECDSA and EdDSA.
• MPC-CMP: A standard for secure multi-party computation, including TSS, often used in regulated environments. These libraries provide the cryptographic backbone for wallets, custody services, and blockchain protocols building with TSS.

Threshold Signature Schemes are a specific application of Secure Multiparty Computation (MPC). MPC is a broader cryptographic technique that allows a group of parties to jointly compute a function over their private inputs without revealing those inputs to each other. In the context of TSS, the function is the generation of a digital signature.

• Key Principle: No single party ever has access to the complete private key.
• Foundation: TSS protocols use MPC to perform the cryptographic operations (e.g., ECDSA or EdDSA signing) in a distributed manner.

Shamir's Secret Sharing is a method for splitting a secret into multiple shares, but it is architecturally different from a Threshold Signature Scheme.

• Key Difference: SSS first creates a central secret (the private key), then splits it. TSS generates the key in a distributed manner from the start; a central secret never exists.
• Usage: SSS is often used for key custody (e.g., storing a backup). TSS is used for active signing without reconstructing the key.
• Security: Reconstructing the key from SSS shares creates a single point of failure, which TSS is designed to avoid.

A Threshold Signature Scheme is a distributed implementation of a standard digital signature algorithm. It produces a signature that is cryptographically identical to one from a single key.

• Common Standards: ECDSA (used by Bitcoin, Ethereum) and EdDSA (e.g., Ed25519) are the most common algorithms for which TSS protocols are built.
• Verification: The resulting signature is verified using the standard, single public key, making it compatible with existing blockchain networks and protocols.
• Goal: The TSS protocol performs the mathematical operations of the algorithm across multiple parties without any one party knowing the full key.

Distributed Key Generation is the initial, critical phase of a Threshold Signature Scheme. It is the MPC protocol used by participants to collaboratively create a shared public key and their individual secret shares, without a dealer or a central authority.

• Process: Each party contributes randomness. Through a series of cryptographic exchanges, they arrive at a consensus public key and their private key shares.
• Output: A single public key and n secret shares, where any t+1 shares can sign, but t or fewer cannot.
• Foundation: A secure DKG is essential for the security of the entire TSS, as it ensures the key is generated without a single point of compromise.

Robust Threshold Signature Schemes are designed to be Byzantine Fault Tolerant, a property crucial for decentralized systems.

• Definition: BFT means the protocol can reach correct consensus and produce a valid output even if some participants are malicious (Byzantine) or fail.
• In TSS: The threshold t is chosen so that the scheme can tolerate up to t malicious participants out of n. For example, a 2-of-3 scheme can tolerate one malicious party.
• Connection: This makes TSS ideal for consensus mechanisms and validator sets in blockchains, where a subset of nodes must sign blocks reliably despite faults.