The Future of Digital Signatures to Protect Your Money Lies in Threshold Cryptography

September 22, 2020

Imagine you were such a modern person, that all your money was in cryptocurrency instead of in a traditional bank. If you have ever handled cryptocurrencies, you will know that they are usually managed through cryptocurrency wallet apps. Their mission is to facilitate the typical operations of making transactions and consulting balances, but they do not store cryptocurrencies. Above all, they have the crucial mission of signing with your private key. So basically, what is a cryptocurrency wallet? An interface to your private key!

Yes, that private key is like the keys to the Kingdom: it gives access to all your money. Anyone who knows it will be able to pick in your pockets. If you lose it, you will not be able to get your capital back. Therefore, you will have to protect it very well, and that is not an easy task! In this article, I will review traditional and new alternatives that are emerging to ensure the security of digital signatures.

Now, to avoid getting into mathematical detail, I will use a simple analogy throughout the article. Imagine that each cryptocurrency unit is protected inside a strong-box with a lock that can only be opened with the key of the owner of that cryptocurrency. Cryptocurrencies do not actually move between boxes but is always in its own strong-box. When you transfer coins from one to another, instead of sending them, what it actually happens is that you only swap the locks from one box to another. For example, when Alice transfers money to Bob, she only removes her lock from the box by opening it with her key and puts Bob's lock in its place. Bob can remove it later with his key and so on. Imagine that each person has an infinite number of locks, so that anyone can put anyone else's lock on a box, but only the owner of the lock can open it with his or her key. Got it?

Here we go!

Me, Myself and I: Duplicate of Keys

The simplest and most widespread solution to secure your key today is to make many copies of your key and store them in many different places, so you can be sure you won't lose them. The obvious problem is that the more copies you make of your key, the greater the chance that an attacker will get hold of one of them.

You could entrust copies of your key to other people, I'm sure your brother-in-law will offer to keep it for you. But if you think about it, the only thing you are doing is to move the problem. First, how much can you trust their honesty? Second, no matter how well intentioned he is, how much can you trust his good practices?

No, it seems like duplication it not a good idea after all.

Picture 1: Traditional strong-box: one lock, one keyPicture 1: Traditional strong-box: one lock, one key

Sharing Is Caring: Multisig

Another, more promising approach is to share responsibility for holding the key and unlocking the lock among several people. Instead of the box having a single lock, the new box will have several locks and each authorized person will receive a different key, each for their lock. From now on, several keys will be needed to open the various locks of the box. This is known as multi-signature or Multisig.

Multisig avoids the previous single point of failure because, by protecting the box with several locks, it will be more difficult to be compromised: one key is no longer enough, several are needed to open the box.

To make operations more flexible, M-of-N schemes are usually used: N locks are placed on the box with the peculiarity that to unlock it you only need to open M, where M is less than or equal to N. It is magic, isn’t it? For example:

  • Together with your partner you can use a 1-of-2 multisig so that either of you can open the box. If one loses the key, the other can still open the box. But if an attacker steals either key, he or she can also open it. And if your partner is a spendthrift, there is nothing to stop him/her from emptying the account!
  • With a 2-of-2 multisig, now both of you have to open the box. This protects you from each other and an attacker will have to steal both keys, as one key will not open the box. These Multisigs also work for multifactor authentication: you could have one key on your computer and another on your smartphone. Without access to both devices, the box will not open.
  • With 2-of-3 multisig, if you have a child, you can give him/her a key and the parents keep the other two. The child will need either of you to open the box, since with his or her key alone the box will not open.
  • With a 4-of-7 scheme, several people in a team or committee will have to cooperate to open the box. They are very suitable for deploying corporate policies.
  • And all the possible scenarios you can imagine.

The problem with Multisig is that it requires a larger box to accommodate several locks and also anyone passing by will notice unusual protection measures: "Hmm, what could it be inside? Let's track it down". On the other hand, the cost of transactions also increases because the information of each signatory must be added to the block chain.

Picture 2: Multisig strong-box: two locks, two keys
Picture 2: Multisig strong-box: two locks, two keys

Little by Little: Shamir's Secret Sharing Scheme (SSSS)

Here too, the responsibility for the custody of the keys and for opening the boxes is shared, but instead of creating several locks that are each opened with their own key, a single, normal lock is created and it is the key that is divided into parts that are given to each of the participants. In addition, the lock has a peculiarity: it can be opened with a number M of parts of the key lower than the total number N of parts into which it was divided when it was forged.

Technically, it uses what is known as Shamir's Secret Sharing Scheme (SSSS). Shamir's Secret Sharing Scheme is also used to operate M-de-N schemes, to make access more flexible, as with Multisig. The box now looks normal from the outside, as it is protected by a single lock.

The problem is that, before opening the box, the participants reconstruct the key by putting each part together. At this point, just as the key has been reconstructed, it becomes vulnerable of theft. On the other hand, in SSSS someone has to create the key first and then break it into small pieces and hand it out. There appears another window of opportunity for an attacker to steal the key before it is divided. Moreover, this third party must be trusted, because who can guarantee that he/she does not keep a copy of the whole key?

Picture 3: SSSS strong-box: one lock, one key divided in twoPicture 3: SSSS strong-box: one lock, one key divided in two

Signing on the threshold

And couldn't it be a single lock with multiple different keys? Doesn´t it exist some method that combines the best thing of Multisig with the virtues of SSSS? Yes, it does. They are called Threshold Signature Schemes (TSS), based on threshold cryptography, a sub-discipline of secure multi-part computing.

In the threshold signature scheme, each user creates their own key (which no one else knows) and then they get together to forge a completely normal looking lock. The trick is that this special lock can be opened when each of the N keys (or a subset M of them) turns the lock a little at a time, until they all manage to turn it completely around.

A big advantage of TSS is that the keys are never put together, so SSSS theft opportunity windows are avoided. Another additional security feature is "refreshing": every now and again, the keys are refreshed to prevent an attacker from stealing one by one of the N keys created and with the M's opening the lock. Another advantage of threshold signature is that keys can be revoked or new ones created without changing the lock, for those situations where new participants enter or leave the group, a typical situation in corporate environments.

As a counterpart, TSS requires all parties to be present when the lock is forged and opened, so this protocol cannot be executed asynchronously. It is also still very green, cryptographic proposals are still being made and there has even been a successful attack on one of the proposals.

Picture 4: TSS strong-box: one lock, two keysPicture 4: TSS strong-box: one lock, two keys

The Future in Digital Signatures Is Already Here

The discipline of threshold signatures is a recent field, with numerous proposals, still far from reaching the maturity of conventional signature schemes, such as ECDSA.

TSS is currently providing users with two-factor security for access to private keys or sharing the ability to sign between several devices so that a single compromised device does not put all your money at risk. In the case of companies, TSS makes it possible to implement access control policies that prevent both insiders and outsiders from stealing corporate funds.

Thanks to threshold signatures, the private key will no longer be a single flaw point.