Chainlink’s announcement of threshold signatures was received with much applause for its cost-reducing capability, but seemingly few outside the core cryptography space understand how it actually works. Alex Coventry wrote an excellent article summarizing his work, but for the non-mathematical among us it could still be a bit too dense. So here I’m setting out to bring threshold signatures back into the discussion, but this time without heavy mathematical equations. It’s a difficult line to find in cryptography, that “just right” explanation: not steeped in equations, but also not oversimplifying and just accepting some things as fact. Let’s try and walk this line here.

What do Chainlink’s Threshold Signatures accomplish?

They allow multiple data sources (oracles) to combine their data into a single transaction, reducing the cost enormously. This is similar to multisig contracts, but rather than each party involved committing a signature on-chain with their own private key, there is only ONE signature, from one off-chain, group-constructed private key. This is where the huge cost savings come from, since each Ethereum signature verification consumes gas.

How do they accomplish it?

Now we arrive at the meat and potatoes of the article!

A “secret generator” shares parts of a secret (points on a secret polynomial, to be specific) with the nodes in the price feed. Since this secret sharing happens off-chain via a P2P network between oracles, no gas cost is incurred. In practice there is no single “secret generator”; rather, each node acts as the secret generator for the next, passing its secret part and public key along to the next node in an agreed-upon order. The “secret” being shared is just the sum of each individual node’s contribution.
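
To make that concrete, here is a toy Python sketch of additive key generation, working over a small prime field rather than the elliptic-curve group a real deployment would use. All parameters and names here are my own illustration, not Chainlink’s actual implementation:

```python
import random

P = 2**31 - 1  # toy prime field; a real system works modulo a curve-group order

def make_poly(degree):
    """A random polynomial; the constant term is this node's secret contribution."""
    return [random.randrange(1, P) for _ in range(degree + 1)]

def eval_poly(coeffs, x):
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

n, t = 4, 2  # 4 nodes, degree-2 polynomials: any 3 shares can rebuild the secret
polys = [make_poly(t) for _ in range(n)]

# Node j's final share is the sum of every node's polynomial evaluated at x = j.
shares = {j: sum(eval_poly(f, j) for f in polys) % P for j in range(1, n + 1)}

# The group private key, which no single node ever holds: the sum of the
# constant terms of all the individual polynomials.
group_secret = sum(f[0] for f in polys) % P
```

Note that `group_secret` is computed above only to show what the shares jointly encode; in the real protocol nobody ever assembles it, and each node keeps only its summed share.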

This secret sharing is done such that it takes a certain threshold of nodes collaborating to reconstruct the secret polynomial, and with it the private key. This is a KEY concept (pun intended) of threshold signatures. It is this regeneration of a single private key from multiple parts that allows there to be only one signature. One key, one signature.

The specific method of reconstruction is known as polynomial interpolation and is an established mathematical construct dating back to the 1700s from greats such as Lagrange/Waring/Euler. You can think of this like how two points define a line. If two parties each have a point on the line, you can generate the correct line. If someone tries to share an incorrect point, however, the wrong line is generated. It’s this same concept but on a more complicated curve and rather than recreating a line, a private key is being recreated. If the wrong “line” (private key) is regenerated, it will be known to all because it will not produce a correct signature based on the public key all parties have.
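
The line example can be run directly. Below is a minimal Lagrange interpolation sketch (my own illustration, not Chainlink’s code) that recovers a secret hidden as the y-intercept of a line, and shows how one bad point silently produces the wrong answer:

```python
from fractions import Fraction

def interpolate_at_zero(points):
    """Lagrange interpolation evaluated at x = 0, recovering the y-intercept."""
    total = Fraction(0)
    for xi, yi in points:
        term = Fraction(yi)
        for xj, _ in points:
            if xj != xi:
                term *= Fraction(-xj, xi - xj)
        total += term
    return total

# The hidden line is y = 7 + 3x; the secret is its y-intercept, 7.
honest = interpolate_at_zero([(1, 10), (2, 13)])    # recovers 7
tampered = interpolate_at_zero([(1, 10), (2, 14)])  # one bad point: yields 6, not 7
```

Swap in a wrong point and you get a different “line”, hence a different secret, which is exactly how a dishonest share reveals itself.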

Here you can see Polynomial Interpolation recreating increasingly complex curves from individual points. Source: http://mathworld.wolfram.com/LagrangeInterpolatingPolynomial.html

The more nodes there are beyond the threshold, the more tolerant the system is of dishonest or offline participants. To continue with the line example: if you have three nodes, each with a point on the line, you only need 2 out of 3 of them to regenerate it, and the same logic extends to four nodes and beyond.

There is also a second polynomial generated that is used in a similar fashion to “commit” to the first polynomial as the official shared secret. This enables later verification of the secret polynomial in a similar fashion, reconstructing curves from partial data. Specifically, this scheme is known as a Pedersen commitment. If at any point the shared data cannot be reconstructed due to hostile participants, the non-matching (not “on the line”) participants are removed, and the cycle proceeds so long as the threshold of nodes needed to reconstruct the data remains honest.
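
For the curious, the commitment itself is simple to sketch. The toy version below commits to a single value in a small prime-order group; a real protocol commits to each polynomial coefficient in an elliptic-curve group, and all parameters here are purely illustrative:

```python
# Toy Pedersen commitment in a small prime-order group.
p = 10007          # safe prime: (p - 1) // 2 = 5003 is also prime
q = (p - 1) // 2   # order of the subgroup of squares mod p
g, h = 4, 9        # two subgroup generators; the committer must not know log_g(h)

def commit(value, blinding):
    """C = g^value * h^blinding: hides `value`, yet binds the committer to it."""
    return (pow(g, value % q, p) * pow(h, blinding % q, p)) % p

def verify(c, value, blinding):
    return c == commit(value, blinding)

c = commit(42, 1234)        # publish c now...
ok = verify(c, 42, 1234)    # ...open it later; True for the honest value
bad = verify(c, 43, 1234)   # False: the committer can't swap in another value
```

The blinding factor keeps the committed value hidden until it is opened, which is the same hiding-plus-binding property used to pin down the official shared polynomial.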

At this point everyone has a private/public keypair that can be cross verified between nodes on the P2P network since they were recreated through the shared, committed pieces. They now sign their data with their portion of the private key as one would normally do with a keypair.

Specifically, Schnorr signatures are used. This is important because Schnorr signatures are linear and therefore have additive properties, unlike the ECDSA elliptic-curve signatures Ethereum normally uses. To visualize this, imagine trying to add two lines together and adding two complex curves together. Now try separating them back into their original curves. Yeah, not easy with the curves.
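
That additivity is easy to demonstrate. Here is a toy two-party Schnorr signature in a small prime-order group (illustrative parameters and fixed nonces only; real implementations use random nonces and an elliptic-curve group): the partial signatures are simply added, and the sum verifies against the product of the public keys.

```python
import hashlib

# Toy Schnorr setup: subgroup of squares mod p, generated by g, of prime order q.
p, q, g = 10007, 5003, 4

def challenge(R, msg):
    """Hash the aggregate nonce commitment and message into a challenge."""
    return int.from_bytes(hashlib.sha256(f"{R}|{msg}".encode()).digest(), "big") % q

x1, x2 = 111, 222                         # the two private key shares
X1, X2 = pow(g, x1, p), pow(g, x2, p)     # corresponding public keys

msg = "ETH/USD: 1850.42"
k1, k2 = 333, 444                         # nonces (random in practice!)
R = (pow(g, k1, p) * pow(g, k2, p)) % p   # aggregate nonce commitment
e = challenge(R, msg)                     # challenge shared by both signers

# Each signer produces a partial signature; linearity means they just add up.
s1 = (k1 + e * x1) % q
s2 = (k2 + e * x2) % q
s = (s1 + s2) % q

# ONE verification against the aggregate public key X1 * X2.
X = (X1 * X2) % p
valid = pow(g, s, p) == (R * pow(X, e, p)) % p
```

Try the same trick with ECDSA and the nonlinear signature equation refuses to combine — that is the whole reason Schnorr was chosen for aggregation.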

Now that every node has signed its data, the partial signatures are added together into a single signature and committed on-chain, where it is verified via the usual Schnorr verification, with some additional optimizations to improve gas cost further. Once again, since it is all additive, if any one party had not generated the correct key or had changed the data, the whole signature is invalidated and no longer matches the overall public key.

Thus we now have verifiable data from multiple sources grouped into one transaction with one signature. I hope it’s now clearer how we can use off-chain technologies to aggregate data while still maintaining the high standard of absolute data authenticity that is the goal of blockchain. There are really three key concepts that enable this, if you wish to dig further into the math: polynomial interpolation, Pedersen commitments, and linear signature schemes such as Schnorr.

Please go read Alex Coventry’s article on this if you liked what you read here and wish to learn more about the deeper specifics of how this is all accomplished: https://blog.chain.link/threshold-signatures-in-chainlink/

Follow me on Twitter if you wish to keep up with my Chainlink discussions: https://twitter.com/gammichan