# The Standard Threshold Signature Scheme

*We continue publishing articles on the principles of the threshold signature scheme. Previously we talked about **the standard digital signature scheme (DSS)**, covered the main ideas behind the elliptic curve theory and provided a brief overview of **the ECDSA algorithm**. In this article we will introduce the concept of a threshold signature.*

Earlier, we discussed DSS and its most common implementation ECDSA: tools that allow us to create individual signatures. Now letās figure out how a group of users can create signatures jointly. This problem is particularly relevant since this type of joint signatures offers the highest level of security, which is especially crucial in DeFi.

In general terms, the problem is stated as follows. There are *N* parties who want to establish a system where any *t* of them are able to jointly create signatures on behalf of the entire group, whereas any subset of fewer parties is not able to do so. The number *t*, in this case, is called a threshold, and the resulting signature is called a threshold one.

As we know, a secret key is what determines a signature. Thatās why the problem of creating a threshold signature comes down to the concept of a threshold secret sharing of a secret key. Namely, the secret key is divided into *N* parts, which are also called shares. Each party gets their own share and knows nothing about the other ones. Any *t* shares are enough to generate a joint signature on their basis. But any smaller amount of shares does not allow this to be done.

The crucial underlying property of such secret sharing is that any *t *shares are enough to simply derive the original key. But clearly, itās also its biggest weakness. Because a party who discovers at least *t-1* other shares will be able to extract the original key and subsequently create signatures on behalf of the entire group using the standard *Sig* algorithm from DSS. This is something undesirable; since, commonly, parties donāt trust each other. So itās essential for them to keep their shares secret.

As for the public key, thereās no need for any particular approach. Public keys are used to verify signatures. And it doesnāt matter to those who verify whether a signature is individual or threshold one.

Thus, the Standard Threshold Signature Scheme (TSS) is a set of two protocols *ThreshKeyGen* and *ThreshSig*. These are step-by-step instructions that allow parties to create a pair of keys in the first case and a threshold signature in the second. Since a public key and a signature produced by these protocols have the usual format, thereās no need for a specific verifying algorithm. That is any threshold signature can be verified using the standard *Ver* algorithm from DSS.

# The Threshold ECDSA protocol

Threshold ECDSA is a particular implementation of TSS, based on the ECDSA algorithm. So, just like ECDSA, this threshold version assumes a pre-generation of five domain parameters: a particular elliptic curve, a prime number *n*, a point *G* on the curve such that *n* is the order of *G*, and two other parameters related to modular arithmetic.

# Key generation with ThreshKeyGen protocol

As a result of this protocol, each party receives a unique secret share skįµ¢ of the secret key *sk* and a copy of the same public key *pk*. Together the shares

constitute a (*t, N*) ā threshold secret sharing of *sk*. That is, it is possible to derive the original key from any *t* these shares, but not from any smaller number of them.

At first, each party chooses a random number *u*įµ¢. The secret key *sk* is defined as a formal sum of these values:

We use the word āformalā because nobody knows all the numbers uįµ¢, and so nobody can actually calculate this sum.

As in the standard *KeyGen* algorithm from ECDSA, the public key *pk* is defined by the formula pk=sk ā G. Only now it is calculated by parts. Each party finds their own point Qįµ¢=uįµ¢ ā G on the curve for their own value of uįµ¢. Then parties send their points to each other. Having all the points

each party calculates *pk* using a special rule for elliptic curve points that we havenāt yet covered.

It may seem that everythingās done. However, the parts

of the key *sk* arenāt superb. They do not have the desired threshold property: itās impossible to derive the original key from any *t* of them because to do so you clearly have to know them all. Numbers *uįµ¢ *were just the necessary first step. They were needed to define the secret key *sk*. And now *sk* should be re-shared in a threshold way.

To make it happen, the parties use the additional protocol Feldmanās VSS (Feldmanās Verifiable Secret Sharing). This protocol consists of three steps:

- First, each party performs a (
*t, N*) ā threshold secret sharing of their value*uįµ¢*. Namely,*uįµ¢*is divided into*N*parts so that it can be restored from any*t*of them, but not from a smaller amount. - Next, each party keeps one share of
*uįµ¢*and sends the other*N-1*to the rest of the group: one share to each. - Finally, the parties check whether the shares they received are correct.

After these three steps each party will have *N* numbers. One was originally obtained during the first step. The rest *N ā 1* were received during the second step. Then each party obtains the final share *skįµ¢* of the secret key *sk* as the sum of these *N* numbers.

# Signature generation with ThreshSig protocol

The protocol *ThreshSig* assumes the participation of only *t* parties instead of *N*, since *t* parties are enough to generate a threshold signature successfully.

*ThreshSig* is a modified version of the standard *Sig* algorithm from ECDSA. The main difference is that now the signature is not calculated directly, but by parts.

Each party obtains a piece of the final signature using the unique share *skįµ¢ *of the secret key* sk*. Then these pieces are put together and the final signature (*r, s*) is calculated as their sum.

# References

Rosario Gennaro, Steven Goldfeder, āFast Multiparty Threshold ECDSA with Fast Trustless Setupā

**In our first three articles we introduced some of the main algorithms related to digital signatures. Now we are going to delve into these algorithms and analyze them using the proper mathematical tools. In our next article we will have a brief excursion into group theory.**