为什么一个密钥不应统治它们：面向大众的阈值签名

为什么一个密钥不应统治它们：面向大众的阈值签名
Why One Key Shouldn't Rule Them All: Threshold Signatures for the Rest of Us

原始链接: https://eric.mann.blog/why-one-key-shouldnt-rule-them-all-threshold-signatures-for-the-rest-of-us/

## 阈值签名：消除单点故障私钥是关键漏洞——一次泄露可能使所有相关安全失效。阈值签名提供了一种解决方案，即将私钥分割到多个参与者手中，需要定义好的“阈值”数量合作才能生成有效签名。这消除了单点故障，因为没有单个实体拥有完整的密钥。最近开发的DKLS23协议因其效率而受到关注。与依赖复杂同态加密的旧方法不同，DKLS23利用“隐秘传输”在仅需三轮通信的情况下实现签名——显著降低了延迟和实现复杂度。本质上，参与者生成密钥份额，并通过巧妙的交换创建部分签名，这些部分签名组合成标准的、可验证的ECDSA签名。验证过程与传统方法相同，这意味着现有基础设施可以无缝工作。 DKLS23在实际应用中非常实用，即使是在移动设备上，并且支持流行的曲线，如secp256k1。它已被Coinbase和Visa等公司使用，并且有开源、经过审计的实现可用，为传统的密钥管理提供了一种可靠的替代方案。这项技术从根本上改变了安全模型，使得密钥泄露造成的灾难性后果大大降低。

黑客新闻新的 | 过去的 | 评论 | 提问 | 展示 | 工作 | 提交登录为什么不应该让一个密钥统治所有密钥：面向大众的阈值签名 (mann.blog) 4 分，来自 eamann 2 小时前 | 隐藏 | 过去的 | 收藏 | 1 条评论帮助 bob1029 5 分钟前 [–] 文章确实提到了 HSM，但可能没有抓住它们的重点。> 服务器被攻破不再意味着密钥被攻破。正确使用 HSM 意味着即使私钥的所有者也不允许访问它。您在 HSM 的安全上下文中签署消息。密钥从不离开。如果系统配置正确，它将无法被攻破。回复指南 | 常见问题 | 列表 | API | 安全 | 法律 | 申请 YC | 联系搜索：

原文

I’ve spent a lot of time thinking about private keys.

Not in the abstract, academic sense. In the “I manage production systems and if this key leaks we’re finished” sense. Over the years I’ve rotated secrets, built key management policies, and watched colleagues accidentally commit credentials to public repositories. Every one of those experiences reinforced the same uncomfortable truth.

A private key is a single point of failure.

Cryptographic Signatures

If you’ve worked with ECDSA signatures — the kind that secure Bitcoin transactions, TLS certificates, and JWTs — you know the drill. One private key generates a signature. One private key, if compromised, invalidates everything that signature protects.

For most of us, the mitigation strategy is operational. We store keys in HSMs. We rotate them on schedules. We build access control policies and hope everyone follows them.

But what if the cryptography itself could eliminate the single point of failure?

That’s what threshold signatures do.

The Core Idea

A threshold signature scheme splits a private key across multiple parties so that no single party ever holds the complete secret. To produce a valid signature, a minimum number of those parties — the “threshold” — must cooperate.

The beautiful part: the resulting ECDSA signature is indistinguishable from a normal one. Verifiers don’t need to know or care that multiple parties were involved. The math just works.

This isn’t theoretical. Coinbase, Visa, and dozens of crypto wallet providers already use threshold ECDSA in production. The only question is practical: which protocol do we use?

Enter DKLS23

The protocol that’s been getting the most attention lately is DKLS23, named after its authors — Doerner, Kondi, Lee, and Shelat. Published in 2023 and presented at IEEE Oakland 2024, it represents a significant step forward from earlier approaches.

Here’s why it matters, in concrete terms.

Older threshold ECDSA protocols like GG18 and GG20 relied on homomorphic encryption — computationally expensive operations that required six or more rounds of communication between parties. DKLS23 replaces that with oblivious transfer, a simpler primitive that achieves the same goal in just three rounds.

Fewer rounds means less latency. Less latency means the protocol is practical even on mobile devices with unstable connections. The reduced complexity means fewer places for implementation bugs to hide. For a security protocol, that’s more than worth the tradeoff.

How It Works (Without the PhD)

Let me walk through a simplified 2-of-2 signing ceremony — the most common configuration.

Key generation: Party A and Party B each generate a random secret. Neither shares their secret with the other. Instead, they use a Diffie-Hellman-style exchange to compute a shared public key — a “phantom” key that corresponds to the sum of their secrets. No single party can reconstruct the private key from their share alone.

Signing: When it’s time to sign a message, each party generates a random nonce (a one-time random value). Through a clever sequence of oblivious transfers and what’s called multiplicative-to-additive share conversion, they each compute a partial signature. These partial signatures combine into a standard ECDSA signature — one that verifies against the phantom public key.

Verification: Anyone with the public key can verify the signature using standard ECDSA verification. OpenSSL, Go’s `crypto/ecdsa`, your browser’s TLS stack — they all work. The threshold ceremony is invisible to the verifier.

That’s the magic. Two parties, neither of whom holds the full key, can produce a signature that looks exactly like it came from a single signer.

Why Developers Should Care

If you’re building anything that manages private keys — authentication services, signing infrastructure, wallet software, certificate management — threshold signatures change your threat model.

A compromised server no longer means a compromised key. A stolen device doesn’t give an attacker signing authority. Even an insider with access to one key share can’t forge a signature alone.

With DKLS23 specifically, the performance overhead is low enough that you can run this on consumer hardware. The protocol works over secp256k1 (the same curve used by Bitcoin and Ethereum), so integration with existing ecosystems is straightforward.

I’ve been building a tool to make all of this visible — a terminal animation that walks through every step of a DKLS23 ceremony in real time, with real cryptographic values. More on that next time.

For now, the takeaway is simple: if your security model depends on keeping a single secret perfectly safe, there’s a better way.

To learn more about the low-level implementation of DKLS23, take a look at Silence Laboratories’ open source implementation. It’s written in Rust and fully audited by Trail of Bits – it’s ready for production use today!