Threshold Signature Scheme
- Threshold signature schemes are cryptographic primitives that let any t of n parties jointly generate a digital signature, with the signing key distributed among the parties by secret sharing.
- They employ distributed key generation and multiparty computation to combine partial signatures, ensuring unforgeability and robustness against adversarial attacks.
- These schemes are widely used in blockchain, enterprise security, and privacy-preserving systems, offering scalable and resilient digital authorization.
A threshold signature scheme (TSS) is a cryptographic primitive that lets a set of n parties collectively produce a digital signature such that any coalition of at least t parties can sign, while any group of fewer than t parties cannot. The signing key is shared among the participants (typically via secret sharing), and only authorized subsets can collaboratively produce signatures; the resulting signatures verify under the ordinary public-key verification algorithm of the underlying scheme, so verifiers need not know that a threshold protocol was used. TSS protocols improve robustness, distribute trust, harden key material against single-point compromise, and serve as foundational tools in distributed, privacy-preserving, and accountable systems.
1. Foundations and Mathematical Structure
Threshold signature schemes generalize digital signatures by distributing signing authority through secret sharing. In typical schemes, the private signing key is split into n shares, one per party, using Shamir's secret sharing or a related construction. The core property is that any subset of at least t of the n shares suffices to reconstruct (or to compute with) the signing key, while fewer than t shares reveal no information about it.
For a threshold Schnorr signature, given group generator , message , and aggregate public key , the signers each generate nonces , commitments , and partial signatures ; the signature is computed as with and . Lagrange interpolation coefficients
combine the shares, ensuring the threshold property for both key and nonce shares.
The hardness assumptions underpinning TSS vary by signature type: the discrete logarithm problem (Schnorr); strong RSA and DDH in Paillier-based threshold ECDSA (Battagliola et al., 2020, Abdelrahman et al., 29 Jun 2025); or bilinear Diffie–Hellman in BLS (Boneh–Lynn–Shacham) signatures (Sedghighadikolaei et al., 2023). In the post-quantum setting, hash-based, lattice-based and MinRank-based constructions are studied; for example, MIRA-Threshold builds on the MinRank problem and adapts the MPC-in-the-Head zero-knowledge framework to the threshold setting (Aragon et al., 2023).
2. Protocol Design: Key Generation and Signing
TSS protocols consist of two main phases: Distributed Key Generation (DKG) and Threshold Signing.
Distributed Key Generation
DKG protocols allow parties to jointly generate secret shares of the signing key without a trusted dealer, typically using verifiable secret sharing (VSS) alongside proofs-of-knowledge for each party’s input. For example, Feldman’s VSS is often employed, and in some ECDSA-based schemes, Paillier homomorphic encryption and non-malleable commitments are required to support robust multiparty computation and distributed recovery (Battagliola et al., 2020).
Threshold Signing
Signing is realized with multiparty computation (MPC). In ECDSA-based schemes the signature nonce is generated collaboratively, and the products that the ECDSA signing equation requires are computed with multiplicative-to-additive (MtA) conversions built on Paillier encryption (Battagliola et al., 2020); the output is a standard ECDSA signature (r, s), where r derives from an elliptic-curve point and s is the sum of the partial signature shares, so existing verifiers are unaffected. Protocols with offline recovery (Battagliola et al., 2020, Battagliola et al., 2020) distribute encrypted recovery shares during key setup, so that an absent party's share can later be reconstructed for resilience. In hash-based threshold signing (Andrecut, 2023), keys are generated solely from bitstring concatenations and secure hash evaluations, yielding very low computational complexity.
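To make the Shamir/Lagrange structure of Section 1 and the two-phase flow above concrete, here is an added Python example written for this page; it is not code from any of the cited papers or from a production library. It assumes a Schnorr group (a prime-order subgroup of Z_p^* with p a 64-bit safe prime generated at runtime; a demo size, not a deployable one), a trusted dealer that publishes Feldman commitments in place of a full DKG, a SHA-256 Fiat–Shamir challenge, and the textbook commit-then-sign flow rather than a FROST-style nonce-binding protocol; all function names are mine. It shows three things a practitioner wants from a threshold signature: every share is checkable against the dealer's commitments, any t of n partial signatures combine through Lagrange coefficients into a signature that unmodified Schnorr verification accepts, and each partial is checked against its signer's public share so a bad contribution is attributed to its author instead of being discovered only when the final signature fails.

```python
import hashlib
import secrets
from functools import reduce

def is_probable_prime(n, rounds=24):
    """Miller-Rabin with random bases; adequate for demonstration-sized parameters."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def schnorr_group(bits=64):
    """(p, q, g): p = 2q + 1 a safe prime, g = 4 = 2^2 of order q. 64 bits is a demo size only."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def deal(secret, t, n, group):
    """Shamir shares f(1..n) of `secret` plus Feldman commitments C_j = g^{a_j} (Section 1 / DKG)."""
    p, q, g = group
    coeffs = [secret] + [secrets.randbelow(q) for _ in range(t - 1)]         # f(0) = secret
    f = lambda i: reduce(lambda v, a: (v * i + a) % q, reversed(coeffs), 0)  # Horner: f(i) mod q
    return {i: f(i) for i in range(1, n + 1)}, [pow(g, a, p) for a in coeffs]

def check_share(i, share, commits, group):
    """Feldman check g^{share} == prod_j C_j^{i^j}; a dealer handing out bad shares is caught here."""
    p, q, g = group
    expect = reduce(lambda acc, jc: acc * pow(jc[1], pow(i, jc[0], q), p) % p, enumerate(commits), 1)
    return pow(g, share, p) == expect

def lagrange_at_zero(i, signers, q):
    """lambda_i = prod_{j != i} j / (j - i) mod q, so that sum_i lambda_i f(i) = f(0)."""
    num = den = 1
    for j in signers:
        if j != i:
            num, den = num * j % q, den * (j - i) % q
    return num * pow(den, -1, q) % q

def challenge(R, y, msg, q):
    """Fiat-Shamir challenge c = H(R, y, m) mod q; SHA-256 and this encoding are demo choices."""
    return int.from_bytes(hashlib.sha256(f"{R}|{y}|".encode() + msg).digest(), "big") % q

def keygen(t, n, group):
    """Trusted dealer for the demo. A DKG has every party run deal() and sums the results."""
    p, q, g = group
    shares, commits = deal(secrets.randbelow(q - 1) + 1, t, n, group)
    if not all(check_share(i, s, commits, group) for i, s in shares.items()):
        raise ValueError("dealer distributed inconsistent shares")
    vkeys = {i: pow(g, s, p) for i, s in shares.items()}   # Y_i = g^{x_i}, public per-signer keys
    return shares, vkeys, commits[0], commits                # commits[0] = g^x is the public key y

def round1(group):
    """Each signer samples a fresh nonce k_i and publishes R_i = g^{k_i}. Never reuse k_i."""
    k = secrets.randbelow(group[1] - 1) + 1
    return k, pow(group[2], k, group[0])

def round2(i, signers, x_i, k_i, R, y, msg, group):
    """Partial signature s_i = k_i + c * lambda_i * x_i mod q, with c derived from the combined R."""
    q = group[1]
    return (k_i + challenge(R, y, msg, q) * lagrange_at_zero(i, signers, q) * x_i) % q

def aggregate(signers, commitments, partials, vkeys, y, msg, group):
    """Check every partial against Y_i (a bad one is attributed to its signer), then sum."""
    p, q, g = group
    R = reduce(lambda acc, i: acc * commitments[i] % p, signers, 1)   # R = prod_i R_i
    c = challenge(R, y, msg, q)
    for i in signers:
        e = c * lagrange_at_zero(i, signers, q) % q
        if pow(g, partials[i], p) != commitments[i] * pow(vkeys[i], e, p) % p:
            raise ValueError(f"invalid partial signature from signer {i}")
    return R, sum(partials[i] for i in signers) % q

def verify(msg, sig, y, group):
    """Ordinary Schnorr verification g^s == R * y^c; the verifier never learns t or n."""
    (p, q, g), (R, s) = group, sig
    if not (1 < R < p and pow(R, q, p) == 1 and 0 <= s < q):
        return False
    return pow(g, s, p) == R * pow(y, challenge(R, y, msg, q), p) % p

def threshold_sign(msg, signers, shares, vkeys, y, group):  # both rounds; |signers| >= t succeeds
    nonces = {i: round1(group) for i in signers}
    commitments = {i: nonces[i][1] for i in signers}
    R = reduce(lambda acc, i: acc * commitments[i] % group[0], signers, 1)
    partials = {i: round2(i, signers, shares[i], nonces[i][0], R, y, msg, group) for i in signers}
    return aggregate(signers, commitments, partials, vkeys, y, msg, group)
```

With `shares, vkeys, y, commits = keygen(2, 3, schnorr_group())`, `threshold_sign(msg, [1, 3], ...)` yields a signature that `verify` accepts, while `threshold_sign(msg, [2], ...)` yields partials that pass their individual checks yet combine to something `verify` rejects, which is the threshold property in action. Two caveats apply to the plain flow shown: the challenge is derived from the bare product of the R_i, so this two-round protocol must not be run in concurrent sessions (an adversary holding t-1 shares can exploit parallel sessions of exactly this flow, which is why FROST binds each commitment to the session and message), and the dealer must be replaced by a DKG in any deployment, since whoever runs `deal()` knows the full key.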
Multi-level or collaborative schemes (Wang et al., 2013) allow participants to share shares across several threshold schemes by constructing polynomials with common crossover points, reducing storage overhead for overlapping access structures.
3. Security Properties and Adversarial Models
The primary security guarantees in threshold signature schemes encompass unforgeability, robustness, privacy (in advanced settings), and accountability.
- Unforgeability: even an adaptive malicious adversary controlling fewer than t parties can neither produce a valid signature nor learn anything about the secret key (Battagliola et al., 2020, Battagliola et al., 2020, Faneela et al., 12 Mar 2025).
- Robustness: protocols are designed to withstand parties failing, going offline, or aborting; GG20 and CMP, for instance, include identifiable-abort mechanisms that detect an abort and attribute it to the responsible party, so a misbehaving participant can be excluded rather than allowed to stall signing indefinitely (Faneela et al., 12 Mar 2025, Abdelrahman et al., 29 Jun 2025).
- Privacy/Anonymity: Some constructions offer signer anonymity (e.g., threshold ring signatures in vehicular ad hoc networks (Jiang, 2014)), support for non-transferable verification (bi-designated verifier schemes (0806.1377)), and hybrid privacy/accountability frameworks (DeTAPS, which shields threshold and quorum information unless tracing is invoked (Li et al., 2023)).
- Accountability: Protocols such as TAPS and DeTAPS facilitate traceability by notarizing which quorum generated a signature, while dynamic tracing with decentralized notaries increases trust in complex deployments (Li et al., 2023).
Security proofs reduce forgery to the hardness of the underlying problems (strong RSA, DDH, MinRank, etc.); protocols typically employ zero-knowledge proofs and non-malleable commitments to achieve simulation soundness and to thwart adaptive adversaries.
4. Advanced Techniques and Variants
Recent research devises several advanced threshold signature schemes targeting emerging use cases and cryptographic paradigms.
- Strong Bi-Designated Verifier Schemes: Protocols where delegation and thresholding are combined with restricted verification—only two designated parties (each using a secret) can verify signatures, with non-transferability even under collusion (0806.1377).
- Interactive Threshold Ring Signatures: Employed for privacy-preserving aggregation in vehicular networks, using polynomial binding and a mix of genuine and forged signatures to ensure flexible anonymity and threshold authentication while preempting Sybil attacks (Jiang, 2014).
- Dynamic and Multi-Stage Thresholding: Optimal threshold selection in security-availability trade-offs (e.g., Bitcoin scripts) is mathematically formalized: optimal static threshold is
where (usability parameter) and (security parameter) encode user and adversary control probabilities. For evolving risk profiles, dynamic schemes introduce stage-specific thresholds and time locks with optimal settings derived from continuous client and attacker loss functions (Ray et al., 29 Sep 2025).
- Post-Quantum Threshold Designs: Protocols such as MIRA-Threshold adapt zero-knowledge proof-based schemes and low-threshold linear secret sharing to the MinRank problem, enabling quantum-resistant threshold signatures at the cost of moderate signature size increases (Aragon et al., 2023, Sedghighadikolaei et al., 2023).
- Threshold Encryption with Dynamic Membership: Hidden multiplier-based schemes allow key distribution only once while enabling arbitrary chosen authorized coalitions and dynamic user management, which also generalize to collective threshold signature generation (Roman'kov, 2022).
5. Practical Applications and Performance Evaluation
Threshold signature schemes see adoption across critical applications:
- Cryptocurrency Wallets and Blockchain: Multi-party wallets (e.g., Bitcoin, Ethereum) use TSS to secure assets without a single point of failure (Faneela et al., 12 Mar 2025, Sedghighadikolaei et al., 2023, Ray et al., 29 Sep 2025). Platforms such as Filia CBDC leverage threshold ECDSA protocols to secure central bank digital currencies (Abdelrahman et al., 29 Jun 2025).
- Enterprise and Financial Systems: Distributed key management, asset custody with institutional grade security, and cross-organizational transaction signing benefit from TSS.
- Internet of Things and Privacy-Preserving Systems: Lightweight TSS (e.g., one-round protocols like Glow20) are suitable for resource-constrained networks (Faneela et al., 12 Mar 2025), while threshold ring signatures enable privacy in vehicular networks (Jiang, 2014).
- Accountability and Notarization: DeTAPS achieves distributed, dynamic, and auditable threshold signing for environments (e.g., consortium blockchain networks) needing privacy up to active authorized tracing (Li et al., 2023).
Performance benchmarks show a trade-off between the number of protocol rounds, computational cost, and communication overhead. BLS-based TSS yields compact signatures thanks to pairing-based cryptography, but pairing operations are comparatively expensive; ECDSA-based TSS (e.g., GG20, CGGMP21) remains dominant because of compatibility with deployed verifiers and balanced efficiency (Faneela et al., 12 Mar 2025, Abdelrahman et al., 29 Jun 2025). The overhead of interactive proofs and communication is generally mitigated by pre-signing (computing the nonce-dependent material before the message is known), reuse of the one-time key setup across many signatures, and round-minimization techniques.
6. Efficiency, Scalability, and Future Directions
Optimizing the information and randomness ratios of the underlying secret sharing is increasingly important for large-scale and multi-threshold deployments. Vandermonde-matrix-based linear secret sharing achieves provably optimal share sizes (Wu et al., 2023), and collaborative polynomial-construction strategies reduce memory and key-management complexity in composite threshold systems (Wang et al., 2013). Adopting weakly secure sharing conditions (where only each individual secret, rather than the joint distribution, is hidden from unauthorized sets) permits lower overhead at a marginal reduction in overall secrecy.
Research priorities include:
- Scaling threshold protocols for hundreds of participants with minimal latency in real-time systems (Abdelrahman et al., 29 Jun 2025, Faneela et al., 12 Mar 2025).
- Integrating hybrid privacy-accountability features (e.g., TAPS, DeTAPS) for adaptive and auditable systems (Li et al., 2023).
- Adapting TSS for post-quantum threats by exploring lattice, hash, or isogeny-based primitives (Sedghighadikolaei et al., 2023, Aragon et al., 2023).
- Formalizing optimal threshold selection in the presence of changing usability and security dynamics (e.g., on-chain dynamic time locks in cryptocurrencies) (Ray et al., 29 Sep 2025).
Advances in secret sharing, efficient MPC protocols, and resilient protocol engineering are expected to underpin the next generation of threshold signature solutions for both practical systems (cryptocurrencies, CBDC, enterprise automation) and cryptographically advanced decentralized applications.