Threshold Signatures

This article talks about

• signature schemes
• threshold signature schemes
• generating with a trusted dealer and DKG protocol
• applications
• case studies: Threshold ECDSA and BLS

1. Redundancy
2. Corruption Resilience

Applications of threshold signatures (generally wherever trusted signatures are needed):

• Cryptocurrency wallets
• Certificate authorities: The signing key of a CA is critical.
• Consensus validators: To make signatures compact.
• Code signing packages: Package managers signing packages and updates (App Stores, OS updates, etc.)

They say FROST [2]¹ is a simple example for EdDSA. FROST allows issuing Schnorr Signatures, therefore can easily do EdDSA signatures since it is a variant of Schnorr. Signing needs:

• two online rounds
• batch preprocessing + one online round

FROST protects against concurrency attacks that were not considered previously. FROST is not robust, i.e., there is no signature even if one signer fails. ROAST [3] is a wrapper protocol that can be used along with FROST to get a robust signature scheme. FROST has a IETF draft which is nearing completion.

As opposed to threshold EdDSA, we can generate threshold BLS signatures in a single non-interactive round. It is also robust.

Some applications use: two out of three (e.g., cryptocurrency wallets) Threshold signatures allows key rotation, i.e., changing the secret key shares while keeping the public key constant. This is not possible in a single party setting. Key rotation is also called proactive security.

NIST is trying to formalize existing threshold signature schemes. Post-quantum threshold signature scheme is an active area.