为什么一个密钥不应统治它们：面向大众的阈值签名

为什么一个密钥不应统治它们：面向大众的阈值签名
Why One Key Shouldn't Rule Them All: Threshold Signatures for the Rest of Us

原始链接: https://eric.mann.blog/why-one-key-shouldnt-rule-them-all-threshold-signatures-for-the-rest-of-us/

## 阈值签名：消除单点故障私钥是关键漏洞——一次泄露可能使所有相关安全失效。阈值签名提供了一种解决方案，即将私钥分割到多个参与者手中，需要定义好的“阈值”数量合作才能生成有效签名。这消除了单点故障，因为没有单个实体拥有完整的密钥。最近开发的DKLS23协议因其效率而受到关注。与依赖复杂同态加密的旧方法不同，DKLS23利用“隐秘传输”在仅需三轮通信的情况下实现签名——显著降低了延迟和实现复杂度。本质上，参与者生成密钥份额，并通过巧妙的交换创建部分签名，这些部分签名组合成标准的、可验证的ECDSA签名。验证过程与传统方法相同，这意味着现有基础设施可以无缝工作。 DKLS23在实际应用中非常实用，即使是在移动设备上，并且支持流行的曲线，如secp256k1。它已被Coinbase和Visa等公司使用，并且有开源、经过审计的实现可用，为传统的密钥管理提供了一种可靠的替代方案。这项技术从根本上改变了安全模型，使得密钥泄露造成的灾难性后果大大降低。

## 阈值签名：Hacker News 讨论一篇关于阈值签名的博客文章在 Hacker News 上引发了争论，许多人批评其依赖人工智能生成的内容“粗制滥造”，缺乏深度和清晰度。阈值签名的核心思想（TSS）是将私钥分配给多个参与方，需要达到一定阈值（例如，5 个人中的 3 人）才能授权签名——从而增强安全性并防止单点故障。讨论集中在实际用例上。一些人认为它在去中心化治理或多方应用程序发布方面具有潜力，而另一些人则质疑它与硬件安全模块 (HSM) 等现有解决方案相比的实用性。人们对密钥管理（添加/删除参与者、更改法定人数）以及 TSS 是否比传统身份验证方法提供显著优势表示担忧。作者澄清 TSS 旨在减轻单个密钥持有者单方面行动的风险，提供“数学强制的双人规则”。然而，评论员指出 HSM 已经可以防止密钥访问，甚至包括所有者，并且 HSM 的物理泄露仍然是一种风险。最终，这场对话强调了对经过充分研究的解释以及清晰理解 TSS 相较于既定安全实践所提供的优势的需求。

原文

I’ve spent a lot of time thinking about private keys.

Not in the abstract, academic sense. In the “I manage production systems and if this key leaks we’re finished” sense. Over the years I’ve rotated secrets, built key management policies, and watched colleagues accidentally commit credentials to public repositories. Every one of those experiences reinforced the same uncomfortable truth.

A private key is a single point of failure.

Cryptographic Signatures

If you’ve worked with ECDSA signatures — the kind that secure Bitcoin transactions, TLS certificates, and JWTs — you know the drill. One private key generates a signature. One private key, if compromised, invalidates everything that signature protects.

For most of us, the mitigation strategy is operational. We store keys in HSMs. We rotate them on schedules. We build access control policies and hope everyone follows them.

But what if the cryptography itself could eliminate the single point of failure?

That’s what threshold signatures do.

The Core Idea

A threshold signature scheme splits a private key across multiple parties so that no single party ever holds the complete secret. To produce a valid signature, a minimum number of those parties — the “threshold” — must cooperate.

The beautiful part: the resulting ECDSA signature is indistinguishable from a normal one. Verifiers don’t need to know or care that multiple parties were involved. The math just works.

This isn’t theoretical. Coinbase, Visa, and dozens of crypto wallet providers already use threshold ECDSA in production. The only question is practical: which protocol do we use?

Enter DKLS23

The protocol that’s been getting the most attention lately is DKLS23, named after its authors — Doerner, Kondi, Lee, and Shelat. Published in 2023 and presented at IEEE Oakland 2024, it represents a significant step forward from earlier approaches.

Here’s why it matters, in concrete terms.

Older threshold ECDSA protocols like GG18 and GG20 relied on homomorphic encryption — computationally expensive operations that required six or more rounds of communication between parties. DKLS23 replaces that with oblivious transfer, a simpler primitive that achieves the same goal in just three rounds.

Fewer rounds means less latency. Less latency means the protocol is practical even on mobile devices with unstable connections. The reduced complexity means fewer places for implementation bugs to hide. For a security protocol, that’s more than worth the tradeoff.

How It Works (Without the PhD)

Let me walk through a simplified 2-of-2 signing ceremony — the most common configuration.

Key generation: Party A and Party B each generate a random secret. Neither shares their secret with the other. Instead, they use a Diffie-Hellman-style exchange to compute a shared public key — a “phantom” key that corresponds to the sum of their secrets. No single party can reconstruct the private key from their share alone.

Signing: When it’s time to sign a message, each party generates a random nonce (a one-time random value). Through a clever sequence of oblivious transfers and what’s called multiplicative-to-additive share conversion, they each compute a partial signature. These partial signatures combine into a standard ECDSA signature — one that verifies against the phantom public key.

Verification: Anyone with the public key can verify the signature using standard ECDSA verification. OpenSSL, Go’s `crypto/ecdsa`, your browser’s TLS stack — they all work. The threshold ceremony is invisible to the verifier.

That’s the magic. Two parties, neither of whom holds the full key, can produce a signature that looks exactly like it came from a single signer.

Why Developers Should Care

If you’re building anything that manages private keys — authentication services, signing infrastructure, wallet software, certificate management — threshold signatures change your threat model.

A compromised server no longer means a compromised key. A stolen device doesn’t give an attacker signing authority. Even an insider with access to one key share can’t forge a signature alone.

With DKLS23 specifically, the performance overhead is low enough that you can run this on consumer hardware. The protocol works over secp256k1 (the same curve used by Bitcoin and Ethereum), so integration with existing ecosystems is straightforward.

I’ve been building a tool to make all of this visible — a terminal animation that walks through every step of a DKLS23 ceremony in real time, with real cryptographic values. More on that next time.

For now, the takeaway is simple: if your security model depends on keeping a single secret perfectly safe, there’s a better way.

To learn more about the low-level implementation of DKLS23, take a look at Silence Laboratories’ open source implementation. It’s written in Rust and fully audited by Trail of Bits – it’s ready for production use today!