This is the second blog in a series aimed at explaining the growing use of multi-party computation (MPC) and threshold signing to protect cryptocurrencies.
In the first blog post in this series, I described why key protection alone is not enough for protecting cryptocurrencies, and why the real problem that needs to be solved is protection against fraudulent key usage. I then described what secret sharing is, and how it can be used to enforce quorum authorization. I also explained why this is limited since as soon as the secret is reconstructed, it can be used for unauthorized transactions. In this blog post, I will explain what threshold signatures are and how they help in this context.
A digital signature scheme is a triple of algorithms: KeyGen, Sign and Verify.
- The KeyGen algorithm outputs a public/private key pair; the private key is used for signing and the public key is used for verifying signatures.
- The Sign algorithm takes a private key and message, and generates a signature.
- Finally, the Verify algorithm takes a public key, message and signature, and verifies that the signature is correct.
The security of a signature scheme guarantees that it is not feasible for an attacker (who doesn’t have the private key) to generate a signature on any message not signed by the honest party. Importantly, this means that it is not possible to make any change to a validly signed message, and to find a signature on that modified message that would be accepted. Thus, digital signatures protect the integrity of the entire message.
In a nutshell, a threshold signature scheme is a method that replaces the KeyGen and Sign algorithms of a digital signature scheme with an interactive protocol amongst multiple parties. The KeyGen protocol involves a set of n parties who interactively generate an m-out-of-n secret sharing of the key. Unlike standard secret sharing, this is not achieved by generating the key locally and sharing it amongst the parties. Rather, the key is generated directly in a shared manner, so that no subset of less than m parties has any information about the key.
Next, the Sign algorithm is replaced by an interactive protocol to generate a signature. The property of this Sign protocol is that if m parties agree on a message to sign, then they can generate a signature. However, no subset of smaller than m parties can generate a signature on a message, even if they participate simultaneously in other quorums signing on other messages.
It is important to stress that the Verify algorithm remains unchanged. This is another way of saying that the threshold signing protocol generates a standard signature of the same format as the original Sign algorithm. The only difference is that the generation is carried out interactively.
Securing cryptocurrency transactions with threshold signing
Since no subset of less than m parties can generate a signature that a full quorum has not approved, threshold signatures solve the problems described in the previous blog post. In particular, if a quorum agrees to sign on a transfer of sum of money to some entity, then even if some of the participants are malicious, they cannot transfer a different sum of money, or transfer it to someone else, or generate an additional transfer afterwards. Only transactions that are approved by a full quorum can be generated.
As described in the previous blog, it is possible to further generalize the quorum notion in threshold signatures beyond a single m-out-of-n set, to a formula of AND/OR operations over different threshold sets, adding further flexibility. (Note that if a full quorum becomes corrupted, then they can generate any signature they wish, since they have the authority to sign. Thus, the size and complexity of the quorum must be chosen appropriately for the risk involved.)
This approach provides a powerful method for defining who is allowed to carry out operations, and enforcing it cryptographically. In addition, the ability to define general quorums enables organizations to general digital workflows that mimic the custody and approval business processes that they are used to in the physical world for physical assets.
Finally, the flexibility provided by threshold signing for defining the quorum means that it’s possible to have different quorums for different amounts (e.g., small quorums for keys that protect smaller amounts of funds, and large quorums for keys that protect large amounts).
Secure multiparty computation (MPC)
MPC considers a general setting where parties compute a function together without revealing anything but the output. As such, the KeyGen and Sign protocols in threshold signature schemes are actually special cases of MPC.
Furthermore, some of the standards used today for cryptocurrencies, like BIP032 and BIP044 key derivation, require general MPC methods for carrying out these operations (e.g., hashing a key to derive another requires computing the hash on a shared value without the original key or derived key ever being exposed).
I will not go into how this is done in this blog post, but will just mention that all of these operations can be supported within threshold signing, primarily due to the generality of MPC as a technology.
Efficient threshold signature schemes
The primary signature scheme used for cryptocurrencies is ECDSA, with some also using EdDSA and Schnorr (where EdDSA is essentially the Schnorr signature scheme over a particular curve). Threshold cryptography in general, and threshold signature schemes in particular, were studied intensively in the late 90s and early 2000s. However, good solutions for ECDSA with a full threshold (meaning that m parties can sign, and any subset of less than m parties cannot sign) were not found at the time.
Recently, there has been a renewed interest in this problem, due to its importance in the cryptocurrency space. For those interested in researching the area, I am including a short bibliography below (the bibliography is not complete and includes the latest work only; see references within for prior work).
- Lindell. Fast Secure Two-Party ECDSA Signing. In CRYPTO 2017, Springer (LNCS 10402), pages 613-644, 2017.
- Doerner, Y. Kondi, E. Lee and a. shelat. Secure Two-party Threshold ECDSA from ECDSA Assumptions. In the IEEE S&P Symposium, pages 980-997, 2018.
- Lindell, A. Nof and S. Ranellucci. Fast Secure Multiparty ECDSA with Practical Distributed Key Generation and Applications to Cryptocurrency Custody. In the 25th ACM CCS, pages 1837-1854, 2018.
- Gennaro and S. Goldfeder. Fast Multiparty Threshold ECDSA with Fast Trustless Setup. In the 25th ACM CCS, pages 1179-1194, 2018.