
getamis / alice, Hacker News




This is a Hierarchical Threshold Signature Scheme (HTSS) developed by AMIS. Compared to a Threshold Signature Scheme (TSS), shares in this scheme are allowed to have different ranks.

The main merit of HTSS is vertical access control, which gives it “partial accountability”. Although TSS achieves joint control to disperse risk among the participants, all shares are at the same level, so it is impossible to distinguish which shares were involved in an unexpected signature. This is because Shamir’s secret sharing only supports horizontal access control. In this respect TSS is unlike a multi-signature scheme, where the signature is produced by distinct private keys.

For example, an important contract not only requires enough signatures, but also needs to be signed by a manager. Vertical access control can be realized on the application layer and tracked by an audit log, but once a hack happens, we will have no idea whom to blame. In the HTSS framework, however, assigning different ranks to the shares ensures that any valid signature generated includes the share of the manager.

HTSS was developed by Tassa and other researchers many years ago. In our implementation, we set up this theory on top of TSS (i.e. we just replace Lagrange interpolation with Birkhoff interpolation). Meanwhile, our signing protocols (i.e. GG and CCLST 40) can support two homomorphic encryptions, which are the Paillier and CL schemes.

This code will be audited soon.
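
What replacing Lagrange with Birkhoff interpolation means for who can sign, as an added example (not code from the alice repository): a share of rank n is the n-th derivative of the sharing polynomial at the holder's x-coordinate, and a set can sign exactly when the resulting Birkhoff matrix is invertible. The toy prime `p`, the `Holder` type, `Authorized`, and the x-coordinates 1 to 4 are assumptions for illustration; the ranks 0, 1, 1, 2 with threshold 3 are the setting this README uses.

```go
package main

import "fmt"

const p = 2147483647 // toy prime field (assumption); alice works modulo the curve order

type Holder struct{ X, Rank int64 } // x-coordinate and rank of one share

// Authorized reports whether the set's Birkhoff matrix is invertible mod p,
// i.e. whether these holders can interpolate the polynomial and so sign.
func Authorized(set []Holder) bool {
	t := len(set)
	m := make([][]int64, t)
	for i, h := range set {
		m[i] = make([]int64, t)
		m[i][0] = 1
		for j := 1; j < t; j++ {
			m[i][j] = m[i][j-1] * h.X % p // rank 0 row: 1, x, x^2, ...
		}
		for n := int64(0); n < h.Rank; n++ { // differentiate once per rank level
			for j := t - 1; j > 0; j-- {
				m[i][j] = int64(j) * m[i][j-1] % p
			}
			m[i][0] = 0
		}
	}
	for c := 0; c < t; c++ { // fraction-free Gaussian elimination
		piv := c
		for piv < t && m[piv][c] == 0 {
			piv++
		}
		if piv == t {
			return false // singular: no unique solution, set is not authorized
		}
		m[c], m[piv] = m[piv], m[c]
		for r := c + 1; r < t; r++ {
			f := m[r][c]
			for j := c; j < t; j++ {
				m[r][j] = ((m[r][j]*m[c][c]-f*m[c][j])%p + p) % p
			}
		}
	}
	return true
}

func main() {
	h := []Holder{{1, 0}, {2, 1}, {3, 1}, {4, 2}} // constructed: ranks 0, 1, 1, 2
	fmt.Println(Authorized(h[:3]), Authorized(h[1:])) // ranks (0, 1, 1), then (1, 1, 2)
}
```

Because the check is on the matrix itself, it also rejects sets whose ranks look sufficient but whose x-coordinates make the system singular, for example ranks (0, 1, 0) at x = 1, 2, 3.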

One of the references for HTSS is A Hierarchical Threshold Signature.

or See Example


Table of Contents:

  • Implementations
      • DKG
      • Signer
          • GG
          • CCLST
      • Reshare
  • Usage
      • Peer
      • DKG
      • Signer
      • Reshare
  • Examples
      • Standard threshold signature
          • DKG
          • Signer
      • Hierarchical threshold signature
          • DKG
          • Signer
  • Benchmarks
      • GG
      • CCLST
  • Appendix
      • Security levels of two homomorphic schemes
      • Useful Cryptography Libraries
  • References
  • Other Libraries

Implementations:

Like the classical TSS, HTSS also contains three protocols:

  • Signer: Signing, using the secret shares to generate a signature.



  • After performing the DKG process, each participant gets (x-coordinate, share, rank). Assume that the threshold is 3. Therefore, any three shares (x-coordinate, rank): (x1, n1), (x2, n2), (x3, n3) with n1


    Let threshold=3 and participants=4. Assume that the corresponding ranks of the shareholders are 0, 1, 1, 2. Then the authorized sets in this setting are

    (0, 1, 1)

  • GG 55: .

    Remark: Our version is the algorithm of GG without doing range proofs in MtA (cf. (Section 3, GG

    CCLST: (Replace Lagrange interpolation with) Birkhoff interpolation .

  • At the beginning of the signer, we generate different parameters for each participant in the homomorphic encryption scheme. In their protocol, all participants use the same parameters but different key-pairs, which are generated in DKG.
  • All zero-knowledge proofs are the non-interactive version (i.e. this part will be audited soon).

    It is the standard algorithm, replacing Lagrange interpolation with Birkhoff interpolation.

    Usage:

    Peer:

  • SelfID: Return the self ID.
  • MustSend: Send message to the specific peer.

  • Before you try to go through a multi-party algorithm, you should create a peer manager instance first. Here is an example for DKG.

        type listener struct{}

        func newListener() *listener {
            return &listener{}
        }

        func (l *listener) OnStateChanged(oldState

  • listener: a function to monitor the state change

        myDKG, err

        ), , c.Params().N, safeParameter, distributionDistance)
        if err != nil {
            // handle error
        }

    To start signing, you should provide some inputs for creating a new Signer instance.

      • signerPeerManager: a peer manager for signer
      • publicKey: the public key generated from DKG
      • homo: a homomorphic encryption (Paillier or CL)
      • share: the private share from DKG
      • bks: the Birkhoff parameters of all participants
      • msg: a message to be signed
      • listener: a function to monitor the state change

    Note that, threshold

    Refreshing shares (reshare) computes new random shares for the same original secret key. Before resharing, here are also some inputs you need to prepare.

      • resharePeerManager: a peer manager for reshare
      • threshold: minimum number of participants required to sign
      • publicKey: the public key generated from DKG
      • share: the private share from DKG
      • bks: Birkhoff parameters from all participants
      • listener: a function to monitor the state change

    Note that the reshare process requires all peers to participate.

        myReshare, err := reshare.NewReshare(resharePeerManager, threshold, publicKey, share, bks, listener)
        if err != nil {
            // handle error
        }
        myReshare.Start()
        // send out commit message
        // ...
        myReshare.Stop()
        signerResult, err := myReshare.GetResult()
        if err != nil {
            // handle error
        }

    After resharing, all the participants should get their new shares. For more usage, please check tss/integration/tee_test.go


    Standard threshold signature:

    There are three people co-founding a small store. Many goods come in and out every day. To increase efficiency, they agree that if any two of them confirm a transaction, the transaction should be valid. In this case, they could utilize a threshold signature.

    In the DKG stage, all of them should create a peer manager specifying the number of peers to be 2. All of them should also have the same rank value, 0. Then in the signing stage, any two of them could generate a valid signature.

    Ranks: (0, 0, 0)
    Threshold: 2

    DKG:

        curve := btcec.S256()
        id := "myID"
        peerNum := uint(2)
        threshold := uint(2)
        rank := uint(0)
        // each co-founder
        dkgPeerManager := newDKGPeerManager(id, peerNum, dkgs)
        myDKG, _ := dkg.NewDKG(curve, dkgPeerManager, threshold, rank, listener)

    Signing:

        msg := []byte{1, 2, 3}
        peerNum := uint(1)
        homo, _ := paillier.NewPaillier(

        // get result from DKG
        result, _ := myDKG.GetResult()
        // any two of co-founders
        signerPeerManager := newSignerPeerManager(id, peerNum, signers)
        mySigner, _ := signer.NewSigner(signerPeerManager, result.PublicKey, homo, result.Share, result.Bks[id], peerBks, msg, listener)

    Hierarchical threshold signature:

    1, but the director should have a rank value of 0 (the smaller the value, the higher the rank). In the signing stage, any two employees along with the director could generate a valid signature. If three employees try to sign a message without the director, the signing process will return an error.

    Ranks: (0, 1, 1, 1)
    Threshold: 3

        // S256 for example
        curve := btcec.S256()
        id := "myID"
        peerNum := uint(3)
        threshold := uint(3)
        employeeRank := uint(1)
        directorRank := uint(0)
        // each employee
        dkgPeerManager := newDKGPeerManager(id, peerNum, dkgs)
        employeeDKG, _ := dkg.NewDKG(curve, dkgPeerManager, threshold, employeeRank, listener)
        // the director
        directorDKG, _ := dkg.NewDKG(curve, dkgPeerManager, threshold, directorRank, listener)

        msg := []byte{1, 2, 3}
        peerNum := uint(3)
        homo, _ := paillier.NewPaillier(

        // get result from DKG (for employee)
        result, _ := employeeDKG.GetResult()
        // get result from DKG (for director)
        result, _ := directorDKG.GetResult()
        // two of employees and the director
        signerPeerManager := newSignerPeerManager(id, peerNum, signers)
        mySigner, err := signer.NewSigner(signerPeerManager, result.PublicKey, homo, result.Share, result.Bks[id], peerBks, msg, listener)

    , 64732, 1), (, , 2)
  • Public Key: G) (Appexdix ) curve: (S)

    (Ran samples

  • (Section 3.1) ) Section 3.1
  • curve: (S)
  • (Ran samples

    Appendix:

    Security levels of two homomorphic schemes:

    The Table below is referenced by Improved Efficiency of a Linearly Homomorphic Cryptosystem

    Useful Cryptography Libraries in this Repository:

      • Castagnos and Laguillaumie homomorphic scheme
      • Paillier homomorphic cryptosystem

    References:

      • Bandwidth-efficient threshold EC-DSA
      • Hierarchical Threshold Secret Sharing
      • Dynamic and Verifiable Hierarchical Secret Sharing
      • Linearly Homomorphic Encryption from DDH
      • Improved Efficiency of a Linearly Homomorphic Cryptosystem
      • A Course in Computational Algebraic Number Theory (Graduate Texts in Mathematics)
      • Maxwell Sayles: binary quadratic form

    Other Libraries:

      • Binance-tss