TSSKit: Threshold Signature Scheme Toolkit
Table of Contents
- Description
- Types fo Schemes
- Options
- Conceptual Comparisons across Schemes
- Multi Signature vs Threshold Signature
- Codebases
- References
Description
TSSKit automatically selects the appropriate Threshold Signature Scheme based on a set of options required by the secret sharing needs of each application. This comprehensive list of options includes private key splitting, multisig detection, HD derivation, signer privacy, and signature size, etc.
TSSKit also generates a set of ready-to-use codebase/scripts that are optimized based on a set of specified parameters.
Welcome to create any number of pull requests to contribute more codebases that we've missed. BUIDL!
Active curators: yhuag and tina1998612
Active reviewers: ChenPoWei
Types fo Schemes
- Shamir's Secret Sharing (SSS)
- Threshold ECDSA
- Threshold Ed25519
- Schnorr Signatures
- BLS Signatures
Options
Option | Choice |
---|---|
Private Key Splitting | True / False |
Multi-signature Detection | True / False |
HD Derivation | True / False |
Weight | True / False |
Signer Privacy | True / False |
Signature Size | Linear Growth / Constant |
Key Generation Time | Linear Growth / Constant |
Key Generation Round | Value |
Key Generation Role | Single Party / DKG Scheme |
Verification Time | Strict / Relax |
Signing Time | Strict / Relax |
Signing Round | Value |
Curve | Curve Choice |
Free to create pull request to add more
Conceptual Comparisons across Schemes
t-ECDSA | t-Schnorr | Ed25519 | BLS | |
Variants | ||||
Has non-threshold variant | ✔︎ | ✔︎ | ✔︎ | ✘ |
Curve | ||||
Curve Family | Elliptic | Elliptic | Twisted Edwards | Pairing-friendly |
Signature | ||||
Size (bytes) | 71 - 75 | 64 | 64 | 33 |
Aggregation | X | Entire multi-sig | Entire multi-sig (variant) | Entire block |
Format | Pair | Pair | Pair | Single Curve Point |
Multisignature Differentiable | ✔︎ | ✘ | ✘ | N/A |
Signing | ||||
Time Complexity | High | Medium | Low | Low |
Interaction Rounds | Multiple | Two | Three | ✘ |
Verifying | ||||
Verification Targets | Separately | Aggregated | Batch / Single | Aggregated |
Time Complexity | Medium | Low | Low | High |
Block | ||||
Block Capacity Usage | Large | Medium | Medium | Small |
Block Content | Signature + Public Key + Data | Several Combined Signatures + Public Key + Data | Several Combined Signatures + Public Key + Data | One Aggregated Signature + Public Key + Data |
Randomness | ||||
Random Number Generator (k) | Deterministic | Strictly Dependent | Deterministic | Not Required |
New Randomness Consumption | Key Generation, Signing | Key Generation, Signing | Key Generation | Not Required |
Setup | ||||
Key Generation | DKG | DKG | DKG | Membership |
Key Storage | N/A | Merkle Tree (Verifying) | N/A | Pre-generate all the keys (Signing) |
Space Complexity | Low | High | Low | Positively correlated with the number of signing cycles |
Time Complexity | High | Medium | Low | High |
Time Bottleneck | The curve used for generating key public / private pairs | 1. The curve used for generating key public / private pairs 1. n and m for merkle tree | Random Number Generator | Takes time to generate membership keys |
Security | ||||
Hash Collision Resilience | Low | High | High | N/A |
Side-channel Attack Resilience | Low | High (variant) | High | High |
Other Possible Attacks | Secp112r1 Leakage Attacks, Weak RNG Attacks | Rogue Key Attacks | Single Fault Attacks | MOV Attacks, Rogue Key Attacks |
Hashing | ||||
Hash Output | Number | Number | Number | Curve Point |
Privacy | ||||
Public Key | Revealed | Hidden | N/A | N/A |
Multi Signature vs Threshold Signature
Multi-sig | Threshold-sig | |
---|---|---|
Relationship between (number of signers) and (signature length, generation time, verification time) | Scales linearly | Independent |
Reveal the identities of signers | Yes | No |
Signature verification | Use all public keys | Use a unique fixed public key |
Can do m-out-of-n signing | Yes | Yes |
Signature is composed of | Concatenation of ( description of the subgroup + regular signatures computed by each member’s secret key ) | Regular signatures computed by all members' aggregated private key |
Codebases
ECDSA
Javascript
- Bitchain (npm / non-threshold): https://github.com/bitchan/eccrypto
- Elliptic (npm / non-threshold): https://www.npmjs.com/package/elliptic
C++
- kmackay (non threshold): https://github.com/kmackay/micro-ecc
C
- esxgx (non threshold): https://github.com/esxgx/easy-ecc
- freifunk-gluon (non-threshold): https://github.com/freifunk-gluon/ecdsautils
Rust
- KZen: https://github.com/KZen-networks/multi-party-ecdsa
- Rust-bitcoin (non-threshold): https://github.com/rust-bitcoin/rust-secp256k1/
Go
Java
- TwoFactorBtc: https://github.com/citp/TwoFactorBtcWallet/tree/master/EcdsaTwoPartyThresholdSignature/src/main/java/threshold/mr04
Python
-
Fernandolobato: https://github.com/fernandolobato/ecc_verifiable_threshold_cryptosystem
-
AntonKueltz: https://github.com/AntonKueltz/fastecdsa
-
warner (non threshold): https://github.com/warner/python-ecdsa
-
SolCrypto (non-threshold): https://github.com/HarryR/solcrypto
Swift
- Sajjon (non-threshold): https://github.com/Sajjon/EllipticCurveKit
Schnorr
Javascript
-
guggero (non-threshold): https://github.com/guggero/bip-schnorr
C
-
openssh: https://github.com/metacloud/openssh/blob/master/schnorr.c
-
metalicjames: https://github.com/metalicjames/cschnorr
-
OkCupid: https://github.com/OkCupid/sfslite/blob/master/crypt/schnorr.C
Rust
Go
- hbakhtiyor (non-threshold): https://github.com/hbakhtiyor/schnorr
Java
Python
-
Vihu: https://github.com/vihu/schnorr-python/blob/master/naive.py
-
SolCrypto (non-threshold): https://github.com/HarryR/solcrypto
Ed25519
Javascript
-
Substack-Supercop-ref10: https://github.com/substack/ed25519-supercop
-
Ed25519 (npm): https://www.npmjs.com/package/ed25519
-
Ed25519-Supercop (npm): https://www.npmjs.com/package/ed25519-supercop
-
Ed25519-hap (npm): https://www.npmjs.com/package/ed25519-hap
-
Ed25519-hd-key: https://www.npmjs.com/package/ed25519-hd-key
-
Types (npm): https://www.npmjs.com/package/@types/ed25519
C++
-
Floodyberry: https://github.com/floodyberry/ed25519-donna
C
Rust
Go
-
Dcrd: https://github.com/decred/dcrd/blob/master/dcrec/edwards/ecdsa.go
-
Agl: https://github.com/agl/ed25519/blob/master/edwards25519/edwards25519.go
-
Golang: https://github.com/golang/crypto/tree/master/ed25519
Java
-
Crypto-rb: https://github.com/crypto-rb/ed25519
Python
-
warner (non threshold): https://github.com/warner/python-ed25519
-
official pip: https://pypi.org/project/ed25519/
BLS
Javascript
-
Difnity (npm): https://github.com/dfinity/js-bls-lib
-
Kfichter: https://github.com/kfichter/solidity-bls
-
bls-signatures (npm): https://www.npmjs.com/package/bls-signatures
TypeScript
- ChainSafe: https://github.com/ChainSafe/bls-js
C++
-
Herumi: https://github.com/herumi/bls
-
Leishman: https://github.com/leishman/bls_lib
C
- Chia Network: https://github.com/Chia-Network/bls-signatures
Rust
Go
-
Prysmaticlabs: https://github.com/prysmaticlabs/go-bls
Python
-
Asonnino: https://github.com/asonnino/bls
-
bls-lib doc: https://bls-lib.readthedocs.io/en/latest/
References
-
Alternative Signatures Schemes: https://blockchainatberkeley.blog/alternative-signatures-schemes-14a563d9d562
-
Multisig vs SSS vs Threshold signature (with graph illustration): https://www.kzencorp.com/post/threshold-signatures-private-key-the-next-generation
-
How Schnorr signatures may improve Bitcoin: https://medium.com/cryptoadvance/how-schnorr-signatures-may-improve-bitcoin-91655bcb4744
-
BLS signatures: better than Schnorr: https://medium.com/cryptoadvance/bls-signatures-better-than-schnorr-5a7fe30ea716
-
ECDSA is not that bad: two-party signing without Schnorr or BLS: https://medium.com/cryptoadvance/ecdsa-is-not-that-bad-two-party-signing-without-schnorr-or-bls-1941806ec36f
-
Generator Point: https://crypto.stackexchange.com/questions/53321/what-are-the-coordinates-of-a-generator-point
-
Elliptic Curve Cryptography: https://eng.paxos.com/blockchain-101-elliptic-curve-cryptography
-
Why Schnorr signatures will help solve 2 of Bitcoin’s biggest problems today: https://medium.com/@SDWouters/why-schnorr-signatures-will-help-solve-2-of-bitcoins-biggest-problems-today-9b7718e7861c
-
Schnorr Signatures & The Inevitability of Privacy in Bitcoin: https://medium.com/digitalassetresearch/schnorr-signatures-the-inevitability-of-privacy-in-bitcoin-b2f45a1f7287
-
ECDSA: https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/
-
ed25519: https://ed25519.cr.yp.to/
-
choice of curve affects key size: https://stackoverflow.com/questions/6665353/is-there-a-standardized-fixed-length-encoding-for-ec-public-keys
-
SafeCurves: http://safecurves.cr.yp.to/ladder.html
-
Curve Comparisons: http://safecurves.cr.yp.to/index.html
-
min key size recommendation website: https://www.keylength.com/en/4/
-
Why are key lengths in asymmetric algorithms typically longer than key lengths in symmetric algorithms?: https://crypto.stackexchange.com/questions/46852/why-are-key-lengths-in-asymmetric-algorithms-typically-longer-than-key-lengths-i
-
Elliptic curve Schnorr-based signatures in Bitcoin: https://diyhpl.us/wiki/transcripts/scalingbitcoin/milan/schnorr-signatures/
-
Ed25519 Signature 2018: https://w3c-dvcg.github.io/lds-ed25519-2018/
-
Aggregated Ed25519 Signature: https://github.com/KZen-networks/multi-party-eddsa/wiki/Aggregated-Ed25519-Signatures#aggregated-ed25519-signature
-
Schnorr signatures: https://diyhpl.us/wiki/transcripts/scalingbitcoin/milan/schnorr-signatures/
-
BLS: Is it really that slow?: https://blog.dash.org/bls-is-it-really-that-slow-4ca8c1fcd38e
-
Hash Function Requirementsfor Schnorr Signatures: http://www.neven.org/papers/schnorr.pdf
-
A conversation with Dan Boneh: https://diyhpl.us/wiki/transcripts/2016-july-bitcoin-developers-miners-meeting/dan-boneh/
-
ecdsa attack: https://crypto.stackexchange.com/questions/55876/is-there-any-ecdsa-attack-if-i-have-millions-of-signatures
-
A Leakage-Resilient Pairing-Based Variant of the Schnorr Signature Scheme: https://link.springer.com/chapter/10.1007/978-3-642-45239-0_11
-
Bitcoin Stackexchange: https://bitcoin.stackexchange.com/questions/50836/multi-signature-public-key-validation
-
Fast Multiparty Threshold ECDSA with Fast Trustless Setup: https://www.iacr.org/archive/pkc2003/25670031/25670031.pdf