by

Today we are pleased to release our paper presenting a new ECDSA threshold signature scheme that is particularly well-suited for securing Bitcoin wallets. We teamed up with cryptographer Rosario Gennaro to build this scheme. Threshold signatures can be thought of as “stealth multi-signatures.”

Previously, I motivated the need for threshold signatures to increase Bitcoin wallet security. For individuals, threshold signatures allow for two-factor security, or the ability to split signing control between two devices so that a single compromised device won’t put your money at risk. For businesses, threshold signatures allow for the realization of access control policies that prevent both insiders and outsiders from stealing corporate funds. As I mentioned previously, and as discussed at length in our paper, Bitcoin’s built in multisignatures are insufficient as they have serious anonymity and confidentiality drawbacks.

I also discussed why building a threshold signature scheme that is compatible with the ECDSA signature scheme used by Bitcoin is so difficult. Our previous work presented a toolbox of options, none of which is perfect but which we believed were a useful starting point. Since that post, we had discussions with businesses that want to implement our techniques, and it turned out that they wanted the best-of-both-worlds properties from the crypto. In particular, they wanted a scheme that required no trusted precomputation, and in which they could realize a t-of-n access control for any t <= n.

These discussions motivated us to go back to the drawing board and see if we could build a scheme that fit the need of these businesses. We realized that we could generalize a well-known 2-out-of-2 signature scheme of Mackenzie and Reiter to an n-of-n threshold signature scheme. Once we have an n-of-n scheme, we could combinatorially build an t-of-n scheme. We present the entire scheme in our paper together with applications, and we demonstrate how this scheme meets the security needs of Bitcoin based businesses and exchanges.

We are confident that threshold signatures are an essential component to improving Bitcoin security without compromising on confidentiality and anonymity. To jumpstart the process of bringing our techniques to use, we have also built a prototype implementation of a two-factor secure wallet. We built a desktop client by modifying Multibit as well as an Android app. A user initiates a transaction on the computer, and the computer then begins the threshold signing protocol with the phone. The phone will show the user the transaction details and will only proceed with the transaction with the user’s explicit approval. The computer and phone use QR codes to initially pair and for all subsequent sessions they communicate over the local Wifi network. This video shows how it all works:

We have released the code for our two-factor implementation, and we welcome community involvement to bring our prototype implementation to production quality as well as to build a reference implementation of our multiparty protocol.