1 Introduction

Multi-party threshold cryptography enables sensitive cryptographic operations, such as decryption or signing, to be performed jointly by several parties without any of them revealing its private key material. Threshold cryptography (TC) uses secret sharing to split secret information into pieces and distribute them among several parties. To perform a computation, a threshold of the parties must come together and combine their shares, which yields the result of the operation without reconstructing the secret at any single party. The minimum number of parties needed to perform the computation is called the threshold and is fixed in advance. TC can be used to protect privacy in cloud computing, to secure financial transactions, and in other sensitive applications involving multiple parties. It ensures that the secret information remains secure even if some of the parties are compromised, as long as fewer than the threshold number of parties are compromised.

2 Analysis

2.1 Definition

Cryptographic techniques, such as public-key encryption and digital signatures, are ubiquitous in today’s security infrastructures. However, recent years have seen a move towards building resilient distributed systems (such as blockchains [1]), which gain security by drawing on replication and redundancy and rely on multiple parties to operate. Threshold cryptography is the technology that lets such systems execute cryptographic operations. Since no single party may store the complete secret material (such as the private key), because a corrupted party would leak it, the cryptographic operations themselves must be distributed as well.

In a threshold cryptosystem, the private key is typically distributed among the N parties that constitute the system using cryptographically secure secret sharing. Up to F of the parties might be faulty and leak their key shares, but \(F+1\) parties must cooperate in executing a cryptographic operation. From the outside, the cryptographic result (such as the digital signature or the decryption of a ciphertext) is the same as if the operation had been executed by a single party. It is crucial that the operation reveals nothing about the private key to the faulty parties and that it is robust, that is, it cannot be disrupted by faulty parties that may act maliciously. Threshold cryptosystems require at least \(N > 2F\), which means that any minority of the parties may become corrupted.

Threshold cryptosystems have been developed for most public-key cryptosystems in use today. This includes digital signatures (RSA, DSA, ECDSA, BLS, and more), encryption (RSA and variants of ElGamal encryption, including pairing-based ones), and coin-tossing for producing unbiased randomness. However, the efficiency of implementations differs widely depending on the mathematical structure of the underlying cryptosystem; for example, threshold implementations of BLS-based schemes are easy to build and relatively efficient, but the operations of DSA and ECDSA are challenging to distribute.

Particular focus must be placed on generating the private key held jointly by the parties. The simplest method would be to generate the key material on a single node, but this introduces more centralization than is generally accepted. The reason is that this node itself could become corrupted, contradicting the motto that no single party can be trusted. Protocols for distributed key generation (DKG) have therefore been developed. However, they are often more complex than the standard operation of the public-key schemes, and they require integration with a distributed communication platform.

Notably, threshold cryptosystems differ widely in how much interaction they require among the parties. The most efficient schemes are non-interactive: when producing a digital signature, every party generates a “share” of the signature and disseminates it. Upon receiving \(F+1\) such shares, every party can obtain the digital signature. Many other schemes, however, require multiple rounds of interaction among the parties and some steps in which they reach consensus on which parties have potentially been faulty during the key-generation process. These are more difficult to implement and are not widely available or deployed today. A typical example from the latter category is DKG protocols: they require more than one round of communication and some “agreement” on which parties terminated the protocol correctly.

2.2 Trends

Threshold cryptosystems have been explored in the cryptographic literature, and prototype systems have existed for a long time, starting around 1990 [2]. However, they have only seen industrial applications in the last 10 years. This trend has resulted from the appeal of blockchain platforms, which have demonstrated the advantage of building secure, resilient systems from multiple, less trustworthy components: the system remains intact even if some components fail or become corrupted.

Most practical blockchain networks today neither support threshold cryptography for applications nor exploit it internally, although several have proposed using the technology. A notable exception is perhaps the Internet Computer (built by DFINITY, [3]), which uses threshold-cryptography schemes at its core. The reasons for this are manifold: lack of cryptographic expertise among developers, no standards, and the complexity of implementations.

Nevertheless, the trend toward implementing and deploying threshold cryptosystems is clear and will accelerate. Most practical secure distributed platforms will be enhanced with this capability. Furthermore, several standardization efforts are underway: NIST in the United States has initiated an effort to standardize multi-party threshold cryptography [4]. The IETF/IRTF, through their Crypto Forum Research Group (CFRG), is also pushing the development and standardization of specific threshold cryptosystems for use on the Internet.

Most efforts until 2025 will come from the “blockchain ecosystem”, producing implementations that are available as open source. As a result, one may expect multiple libraries for specific platforms and generic services to become available.

The NIST effort has yet to gain much momentum. As a result, NIST is likely to focus on standardization first. The field, however, offers considerable complexity, ranging from data formats over protocol interactions to security aspects such as cryptographic parameters. This makes it unlikely that the effort will lead to concrete standards and widely available implementations until 2025. Over a longer time, however, this is likely to happen.

3 Consequences for Switzerland

3.1 Implementation Possibilities: Make or Buy

Cryptographic algorithms must be standardized globally, and their security needs broad public analysis. These processes are typically multi-year efforts driven by governmental or private-sector standardization agencies. The key players of the IT industry are often represented or participating actively in this development. Other active drivers are startups and smaller companies with deep expertise in the algorithms and their implementation that place a bet on the technology itself.

It is therefore expected that standards for threshold cryptography and the corresponding open-source implementations will also emerge without concrete steps taken by the Swiss government. Instead, cryptographic libraries suitable for standardized wide deployment will become available from public and commercial sources. To obtain the expertise necessary to autonomously build applications that rely on threshold cryptography and exploit it, investment and education will be needed. Switzerland is positioned well in this space since multiple universities (ETHZ, EPFL, University of Bern) and many private companies, especially in the blockchain environment, have deep expertise in the domain.

3.2 Variations and Recommendation

Like blockchain platforms, threshold cryptosystems realize secure applications from partially untrusted components. They exist in many forms, so the suitability for every concrete deployment has to be analyzed in detail. However, if used in a matching application scenario, they greatly enhance the security and resilience of the application.

It is recommended that Switzerland closely watches the development of threshold cryptography and invests moderately in it. In this sense, the technology seems related to post-quantum cryptography and its positioning; this is another area of active worldwide technology development in cryptography research. Switzerland is one of many active players in this field, but the technology is not yet mature enough for industrial deployment, which would merit direct commercial investment.

4 Conclusion

For building secure distributed systems that can survive a partial corruption of their components, multi-party threshold cryptography plays an important role. It is related to secure multi-party computation because both use the same trust model, also found in many blockchain platforms. However, MPC systems are more general than threshold cryptosystems and may compute arbitrary functions, whereas threshold cryptosystems are limited to operations with cryptographic keys. In addition, MPC protocols are several orders of magnitude less efficient than the typical threshold cryptosystems. Therefore, threshold cryptosystems are expected to be deployed earlier than MPC-based systems.