Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Hierarchical Threshold Signature Scheme

Apache licensed Go Report Card Build Status codecov


This is Hierarchical Threshold Signature Scheme (HTSS) worked by AMIS. Comparing to Threshold Signature Scheme (TSS), shares in this scheme are allowed to have different ranks.

The main merit of HTSS is vertical access control such that it has "partial accountability”. Although TSS achieves joint control to disperse risk among the participants, the level of all shares are equal. It is impossible to distinguish which share getting involved in an unexpected signature. TSS is not like the multi-signature scheme as the signature is signed by distinct private keys in multi-signature scheme. It is because Shamir’s secret sharing only supports horizontal access control.

For example, an important contract not only requires enough signatures, but also needs to be signed by a manager. Despite the fact that vertical access control can be realized on the application layer and tracked by an audit log. Once a hack happens, we will have no idea about who to blame for. However, in HTSS framework, through assigning different ranks of each share induces that any valid signature generated includes the share of the manager.

HTSS has been developed by Tassa and other researchers many years ago. In our implementation, we setup up this theory on TSS(i.e. just replace Lagrange Interpolation to Birkhoff Interpolation).

Now, Alice supports two parts:

Audited Part :


  1. HTSS(A variant of GG18 and CCLST).
  2. HTSS(A variant of CGGMP).


  1. HTSS(A variant of FROST).

Preparation :

  1. 2-party Bip32.

Audit Report:

Alice has been audited by Kudelski Security.

  1. (GG18 And CCLST) The details can be found in here.

    Algorithm: The algorithms can be downloaded in here.

  2. (FROST And CGGMP) The details can be found in here.

    Algorithm: The algorithms can be downloaded in here.


Although the fist part of Alice has been audited, you should still be careful to use it.

  1. Using end-to-end encryption to transfer messages between two parties is necessary.
  2. If any error messages occur during execution Alice, you should stop and restart it. Never restart in the middle flow.
  3. Now, the version of our GG18 is secure according to Theorem 2 in the GG18. We follow the suggestion of GG18 to substitute sMTA for mta and mta with check.

If you have more questions, you can connect us directly without any hesitation.

Our product

Wallet: Qubic

The Explanation of Packages

  1. binaryfield: support some basic operation of binary fields.
  2. binaryquadratic: support operations ideal class groups of quadratic imaginary fields over the rational number Q (
  3. bip32: support two-party computation of BIP32.
  4. birkhoffinterpolation: support the birkhoff interpolation (i.e. a generization of Lagrange interpolation).
  5. circuit: support the loading of bristol fashion and garbling circuit (ref. Two Halves Make a Whole: Reducing Data Transfer in Garbled Circuits using Half Gates).
  6. commitment: support Section 2.4: hash commitment, Section 2.6:Feldman’s VSS parotocol, and Pedersen Commitment.
  7. dbnssystem: write a positive integer to be The Double-Base Number expression.
  8. ecpointgrouplaw: an interface of group operations of elliptic curve groups.
  9. elliptic: support groups of of elliptic curve groups.
  10. homo: support additive homomorphic encryptions: Castagnos and Laguillaumie homomorphic Scheme and Paillier homomorphic cryptosystem.
  11. matrix: support some operations of matrices over finite fields.
  12. mta: the special package used in the sign algorithm of ECDSA.
  13. oprf: support a hash function mapping to the points of secp256k1. (ref. Shallue-van de Woestijne Method: Hashing to Elliptic Curves)
  14. ot: support an Oblivious transfer protocol (ref. our implementation: Blazing Fast OT for Three-round UC OT Extension).
  15. polynomial: support some operations of polynomials over finite fields.
  16. tss: support ECDSA: GG18, CCLST, and CGGMP. And EdDSA: FROST.
  17. utils: support some commonly used functions.
  18. zkrpoof: support some zero knowledge proofs e.x. Schnorr's proof, factorization proof and so on.


Thanks to

  1. Filipe Casal from Trail of Bits for indicating the potential issues of integer factorization proof.
  2. Coinbase Developer grant