5 Great Reasons To Choose Threshold Signatures Over MultiSig
Until the fall of 2018, the most widely accepted scheme for secure multiparty approvals of cryptocurrency transactions was MultiSig. Then SBI Holdings, a leading financial services provider in Japan, selected Threshold Signatures as the preferred wallet security scheme for their custody service, over MultiSig. Approximately one year later, the CEO of Binance tweeted that Threshold Signatures are “far superior” to MultiSig, saying they would “reshape the landscape for wallets and custodian services.” Today, approximately twenty different providers have announced availability or their plans to offer Threshold Signature wallets or licensable technology. Let’s examine 5 great reasons to select Threshold Signature wallets over MultiSig.
Both are cryptographic approaches to address the single biggest risk with cryptocurrency: that anyone with access to the wallet private key can steal the associated digital assets, and the transaction is not reversible. The difference between the two technologies is primarily the approach in mitigating this single point of failure, and more importantly the resulting implications of that approach. Let’s review:
Reason # 1: Single Signature versus Multiple Signatures
Implication: Universal interoperability versus custom integration
Threshold Signatures appear on-chain as a standard single signature (typically an ECDSA or EdDSA signature). Presumably, every blockchain and digital asset protocol natively supports a standard single signature, so no special coding or smart contracts are required for multiparty approvals with Threshold Signatures. In contrast, MultiSig requires the ability for each digital asset protocol to record a variable number of multiple signatures. BTC natively supports this capability for basic MultiSig, but most other digital assets do not. As a result, many MultiSig wallets must support smart contracts or other customizations, which introduce the opportunity for new vulnerabilities, added expense, and often delayed support of new digital assets.
Reason # 2: Single Signature versus Multiple Signatures
Implication: Smaller transaction size, lower cost, higher prioritization
Threshold Signatures appear on-chain as a standard single signature regardless of the number of approvers. In contrast, MultiSig requires the recording of signatures for each participating approver. For protocols like Bitcoin, these additional signatures represent a very material percentage of the overall transaction size, thus reducing the number of transactions that can be processed per block. As a result, miners prefer to process single-signature transactions over MultiSig. This can result in processing delays or require higher bids to secure timely processing. In the case of Ethereum, the processing of additional smart contracts required to support MultiSig consumes additional gas. In both cases, the net result is an increase in the mining fees, which results in higher overall transaction fees for MultiSig.
Reason # 3: Single Signature versus Multiple Signatures
Implication: Increased privacy and security
Threshold Signatures appear on-chain as a standard single signature, regardless of the number of approvers. Approvers can be changed, added, or removed, and there is no change in the resulting signature. So potential adversaries have no visibility into the security policy of a particular wallet, the timing of periodic updates, etc. In contrast, MultiSig records the signature of each approver on the public blockchain for successful transactions. As a result, potential adversaries have full knowledge of security policies such as how many parties are approving transactions, and have visibility whenever changes are made. No other security scheme provides such transparency to adversaries because this information can be used to defeat the system.
MultiSig advocates will often state that recording approver signatures on-chain provides greater accountability, with audit trails published in the public domain. They often imply that the lack of such on-chain records with Threshold Signatures is a shortcoming. Both of these perspectives are fundamentally flawed. Individual approvals of Threshold Signatures and MultiSig can and should be recorded off-chain for an audit trail, including failed transaction attempts for forensics that MultiSig misses entirely. Doing so provides critical visibility to attempted and failed transactions (due to ineffective attacks or otherwise incomplete transaction approvals) which are not recorded on-chain with MultiSig.
Reason # 4: Key Share Refresh Without Changing Public or Private Keys
Implication: Increased security efficacy, without the burden of transactions
A best practice in key management security is to proactively change private keys on intervals that are frequent enough that a hacker is unlikely to gain access to and use them before a new key is activated. This can be done with MultiSig, but each time you change the private key, or replace a lost key, you must also execute an on-chain transaction to synchronize the public-private keys and accounts. This results in increased transaction fees and complexity that make proactive security impractical with MultiSig.
In contrast, Threshold Signatures use multiparty computation (MPC) to create a private key in the form of distributed key shares that are held by different parties. It’s possible to generate a massive number of different and random combinations of distributed key shares to represent the same private key. As a result, Threshold Signature wallets can proactively refresh the key shares on a recurring, on-demand, or combination basis without changing the private key (and eliminating the requirement for an on-chain transaction as is required with MultiSig). Doing so materially reduces the probability that an adversary could penetrate the defenses of multiple different parties concurrently, and collect enough shares to recreate an entire key and execute a fraudulent transaction. As a result, Threshold Signatures provide the option to be inherently more secure than what is practically achievable with MultiSig.
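The share refresh described above can be shown with plain Shamir secret sharing; this is an added example, not code from the original article or from any wallet vendor. It assumes a 2-of-3 policy over the secp256k1 group order and a constructed sample key, and it uses a single dealer and reassembles the key only to check the result, which a real threshold-signature protocol never does.

```python
import secrets

# Order of the secp256k1 group; ECDSA key shares for such wallets live in this field.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def _poly_eval(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo N."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % N
    return acc

def split(secret, t, n):
    """Shamir-split `secret` into n shares; any t of them determine it."""
    coeffs = [secret % N] + [secrets.randbelow(N) for _ in range(t - 1)]
    return {i: _poly_eval(coeffs, i) for i in range(1, n + 1)}

def refresh(shares, t):
    """Proactive refresh: add shares of a random polynomial whose constant
    term is 0, so every share changes but the shared secret does not.
    (Simplification: real protocols have each party contribute a zero-sharing.)"""
    zero = [0] + [secrets.randbelow(N) for _ in range(t - 1)]
    return {i: (s + _poly_eval(zero, i)) % N for i, s in shares.items()}

def reconstruct(subset):
    """Lagrange interpolation at x = 0 over an {index: share} subset.
    Used here only to verify the demo; threshold wallets never do this."""
    total = 0
    for i, y_i in subset.items():
        num, den = 1, 1
        for j in subset:
            if j != i:
                num = (num * -j) % N
                den = (den * (i - j)) % N
        total = (total + y_i * num * pow(den, -1, N)) % N
    return total

def demo(key=0xC0FFEE):  # constructed sample key, not a real wallet key
    old = split(key, 2, 3)
    new = refresh(old, 2)
    stale_mix = {1: old[1], 2: new[2]}  # one pre-refresh share + one post-refresh share
    return (reconstruct({1: old[1], 3: old[3]}),   # old epoch: recovers key
            reconstruct({2: new[2], 3: new[3]}),   # new epoch: recovers same key
            reconstruct(stale_mix))                # mixed epochs: does not

if __name__ == "__main__":
    print([hex(v) for v in demo()])
```

Shares from different refresh epochs do not combine, which is why an attacker has to collect a threshold of shares within a single refresh interval.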
Reason # 5: Operational Flexibility
Implication: Ability to evolve and adjust to changing requirements
The only constant about the rapidly evolving digital asset market is change. Regulations are changing, customer expectations are changing, and the digital assets themselves are expanding to include not only cryptocurrencies but also security tokens, which could completely redefine the scope and scale of the digital asset market. Regardless of how these things evolve, the nature of digital assets will require secure and increasingly flexible wallets. The off-chain nature of Threshold Signatures makes them profoundly more flexible and adaptable than the on-chain multiparty approval model of MultiSig.
Threshold Signature wallets leverage MPC to support the ability to change not only the key shares as discussed above, but also the security model in many cases without even requiring a change of the wallet or associated address. Threshold Signature wallets can be evolved to support 2 of 2, 2 of 3, 3 of 4, 4 of 8 or virtually any multiparty approval and threshold model which regulators or markets may demand.
Threshold Signature wallets can be implemented where all of the approving parties are on-line (internet-connected) or off-line (air-gapped) or a combination of both. Some Threshold Signature wallets incorporate pre-processing features to enable thousands of transactions per second along with the ability to generate complete signatures in a non-interactive fashion, fully emulating the operation of a MultiSig wallet. These attributes, combined with the universal compatibility of a single signature, make them profoundly more flexible and adaptable than any other multiparty transaction approval scheme.
There are of course many other compelling attributes and differentiators of MPC-enabled Threshold Signature wallets, such as the increased robustness of the threshold model, which maintains secure operations even if some of the parties become compromised. The five reasons listed above are what I consider to be among the most broadly compelling, but certain use cases will benefit even more from other attributes.
Of course, there are reasons why MultiSig is still widely used today. The first is that MultiSig still works for mitigating the single point of failure which is common to billions of dollars of stolen digital assets. For companies that have already built their wallets and systems around MultiSig, the effort to change to anything else is non-trivial. However, as the digital asset landscape continues to change and evolve, it will become obvious that the ongoing effort and expense associated with maintaining MultiSig far outweighs the one-time effort of migrating to Threshold Signatures.
Custodians, exchanges, and institutional investors who are starting with a clean slate will enjoy the competitive advantage provided by going directly to Threshold Signature wallets. The increased security, privacy, flexibility, and lower operational and transactional cost advantages will add to the motivation for incumbent MultiSig solutions to migrate to Threshold Signatures.