Threshold signature schemes enable sharing signing power amongst $n$ parties such that any subset of $t + 1$ can jointly sign, but any smaller subset cannot.



## Model, Definitions and Tools

### **Communication Model**

We assume that our computation model is composed of a set of $n$ players $P_1,\cdots, P_n$ connected by a complete network of point-to-point channels and a broadcast channel.

### **The Adversary**

We assume that an adversary, $A$, can corrupt up to $t$ of the $n$ players in the network. $A$ learns all the information stored at the corrupted nodes, and hears all the broadcast messages. We consider two types of adversaries:

### **Signature Scheme**

A signature scheme $S$ is a triple of efficient randomized algorithms $(Key-Gen, Sig, Ver)$.

* **Key-Gen** is the key generator algorithm.

    On input the security parameter $1^\lambda$, it outputs a pair $(y, x)$, such that $y$ is the public key and $x$ is the secret key of the signature scheme.

* **Sig** is the signing algorithm.

    On input a message $m$ and the secret key $x$, it outputs $sig$, a signature of the message $m$.

    Since $Sig$ can be a randomized algorithm, there might be several valid signatures $sig$ of a message $m$ under the key $x$; we denote the set of such signatures by $Sig(m, x)$.

* **Ver** is the verification algorithm.

    On input a message $m$, the public key $y$, and a string $sig$, it checks whether $sig$ is a proper signature of $m$, i.e. whether $sig \in Sig(m, x)$.

### Threshold secret sharing

Given a secret value $x$, we say that the values $(x_1, \cdots, x_n)$ constitute a $(t, n)$-threshold secret sharing of $x$ if $t$ (or fewer) of these values reveal no information about $x$, and if there is an efficient algorithm that outputs $x$ given $t + 1$ of the values $x_i$ as inputs.

### Threshold signature schemes

Let $S=(Key-Gen, Sig, Ver)$ be a signature scheme. A $(t, n)$-threshold signature scheme $TS$ for $S$ is a pair of protocols $(Thresh-Key-Gen, Thresh-Sig)$ for the set of players $P_1, \cdots, P_n$.

* **Thresh-Key-Gen** is a distributed key generation protocol used by the players to jointly generate a pair $(y, x)$ of public/private keys on input a security parameter $1^\lambda$.

* **Thresh-Sig** is the distributed signature protocol. The private input of $P_i$ is the value $x_i$. The public inputs consist of a message $m$ and the public key $y$. The output of the protocol is a value $sig \in Sig(m, x)$.

```python
import secrets
from operator import add

from klefki.numbers import lcm
from klefki.types.algebra.concrete import (
    EllipticCurveGroupSecp256k1 as ECG,
    EllipticCurveCyclicSubgroupSecp256k1 as CG,
    FiniteFieldSecp256k1 as F,
    FiniteFieldCyclicSecp256k1 as CF,
)

G = CG.G  # generator of the secp256k1 cyclic subgroup
N = CG.N  # order of that subgroup


def random_f():
    """Uniform nonzero scalar in [1, N-1], drawn from the OS CSPRNG."""
    return CF(secrets.randbelow(N - 1) + 1)
```

With threshold signatures, the situation is a bit different because we only have one public key, one secret key, and only one signature.

### Additively homomorphic encryption

$$
\alpha +_E \beta = E(\alpha + \beta \bmod N)
$$

$$
x\times_E \alpha = E(x\alpha \bmod N)
$$

$$
\oplus_{i=1}^{t+1}a_i = a_1 +_E a_2 +_E \cdots +_E a_{t+1}
$$

#### Paillier's encryption Scheme
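
The operations $+_E$, $\times_E$ and $\oplus$ defined above, instantiated with a textbook Paillier cryptosystem; this is an added example, not code from the notebook or from klefki. The function names, the fixed generator $g = n + 1$ and the toy primes are assumptions chosen for the illustration, and the modulus is written `n` to keep it apart from the notebook's `N = CG.N`.

```python
import math
import secrets

# Constructed toy parameters: two Mersenne primes. Far too small for real use.
P_TOY, Q_TOY = (1 << 31) - 1, (1 << 61) - 1

def keygen(p=P_TOY, q=Q_TOY):
    """Return (n, (lam, mu)); the generator is fixed to g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # with g = n + 1, L(g^lam mod n^2) = lam
    return n, (lam, mu)

def encrypt(n, m):
    """E(m) = (1 + n)^m * r^n mod n^2 with fresh random r coprime to n."""
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return ((1 + (m % n) * n) * pow(r, n, n2)) % n2

def decrypt(n, sk, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    lam, mu = sk
    return ((pow(c, lam, n * n) - 1) // n) * mu % n

def add_e(n, alpha, beta):
    """alpha +_E beta: multiplying ciphertexts adds plaintexts mod n."""
    return alpha * beta % (n * n)

def mul_e(n, x, alpha):
    """x ×_E alpha: raising a ciphertext to x scales its plaintext mod n."""
    return pow(alpha, x, n * n)

def sum_e(n, ciphertexts):
    """The ⊕ fold: a_1 +_E a_2 +_E ... over a list of ciphertexts."""
    acc = 1  # 1 is a (trivial) encryption of 0, the identity for +_E
    for c in ciphertexts:
        acc = add_e(n, acc, c)
    return acc

if __name__ == "__main__":
    n, sk = keygen()
    a, b = encrypt(n, 20), encrypt(n, 22)
    print(decrypt(n, sk, add_e(n, a, b)), decrypt(n, sk, mul_e(n, 3, a)))
```

Every homomorphic result is reduced modulo the Paillier modulus, not the curve order, so the two moduli must not be conflated when the ciphertexts carry secp256k1 scalars.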

## Protocol

### Setup Phase

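```python
from functools import partial

from klefki.zkp.pedersen import commitment

# H = G^x for a random x. Whoever knows x can open a commitment to any value,
# so in a deployment H must be derived such that no party knows x.
H = G^random_f()
r = random_f()  # blinding factor

# Pedersen commitment with the generators and blinding factor fixed.
com = partial(commitment, G=G, H=H, r=r)
```

```python
# Additive homomorphism: com(2; r) + com(3; r) opens as com(5; 2r).
com(CF(2)) + com(CF(3)) == com(CF(5), r=r*CF(2))
```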

### Round 1

```python
p = random_f()
u = G@p + H@r  # commitment to p under blinding factor r
```

