Basic secret sharing requires reconstructing the key to use it. Threshold signatures avoid this. Why is never assembling the key a critical security improvement?
Model answer: If the key is reconstructed in any single location — even temporarily — that location becomes a single point of compromise. An attacker who compromises the reconstructing party during the brief window of reconstruction obtains the full key. Threshold signing computes partial signatures on shares, which are combined into a full signature without any party ever seeing the full key. The key exists only as shares distributed across multiple parties, so no single compromise reveals it.
This is the fundamental difference between secret sharing (storage protection) and threshold cryptography (computation protection). Secret sharing protects the key at rest; threshold cryptography protects it during use. A banking analogy: secret sharing is like splitting a vault combination among three people — they must gather and enter it together. Threshold signing is like a vault that opens only when three people simultaneously turn their individual keys, without any of them learning the others' keys.
Question 2 Multiple Choice
Distributed Key Generation (DKG) allows n parties to jointly generate a shared key without any trusted dealer. Why is this important?
A. DKG produces stronger keys than a single dealer could
B. With a trusted dealer, the dealer knows the full key during generation — they are a single point of trust and failure. DKG uses each party as a simultaneous dealer (each sharing a random value via VSS) and combines the shares additively. The result is a shared key that no individual party — including any dealer — ever knew. This eliminates the trusted setup problem.
C. DKG is faster than centralized key generation
D. Regulatory requirements mandate DKG for financial applications
DKG typically uses Pedersen's DKG protocol: each party i picks a random secret s_i and shares it among all parties via VSS. The combined secret s = s_1 + s_2 + ... + s_n is the final key. No party knows s because each party only knows their own s_i. Each party's share of s is the sum of shares they received from all other parties. This is secure as long as fewer than t parties are corrupted — the corrupt parties collectively know their own s_i values but not the honest parties'.
Question 3 Multiple Choice
Proactive secret sharing periodically refreshes shares without changing the underlying secret. Why is this useful against a mobile adversary who gradually compromises different parties over time?
A. Refreshing changes the secret, so old compromised shares become useless
B. Without proactive refresh, an adversary who compromises t parties at ANY point over the system's lifetime (even different parties at different times) obtains t shares and can reconstruct the secret. Proactive refresh generates new shares of the same secret in each epoch. Shares from different epochs are algebraically incompatible — mixing old and new shares yields nothing. The adversary must compromise t parties within a single epoch to succeed.
C. Refreshing makes the shares smaller, improving performance
D. Proactive refresh protects against quantum attacks
The mobile adversary model is realistic: over months or years, different machines may be compromised, patched, and compromised again. Without proactive refresh, the adversary accumulates shares from each compromise. Proactive secret sharing ensures that shares from different epochs are useless together — each epoch uses a fresh random polynomial with the same constant term (secret). The adversary's window of attack is bounded to a single epoch, regardless of the system's total lifetime.
Question 4 True / False
Threshold ECDSA is more complex than threshold Schnorr signatures because ECDSA's signing equation involves a multiplicative inverse of the nonce, which is hard to compute distributedly on secret shares.
T. True
F. False
Answer: True
Schnorr signatures are naturally threshold-friendly: the signing equation is s = k + ex (linear in the secret key x and nonce k), so partial signatures on shares combine additively. ECDSA's signing equation is s = k^{-1}(H(m) + rx) — the inverse of k and the product kx require multi-party multiplication and inversion protocols, which are expensive. This is why threshold ECDSA took decades longer to develop efficiently than threshold Schnorr, and why the shift toward Schnorr-based signatures (Ed25519, BIP-340) in modern systems partly reflects the desire for threshold-friendliness.
Question 5 Short Answer
A cryptocurrency exchange uses (3,5) threshold ECDSA to protect its hot wallet key. An attacker compromises 2 of the 5 key servers. What can the attacker do?
Model answer: With 2 of 5 shares (below the threshold of 3), the attacker learns nothing about the signing key and cannot produce any valid signature — not even a partial one that could be useful later. The exchange can still sign transactions using the 3 remaining uncorrupted servers, which exactly meets the threshold (the scheme is fault-tolerant). The exchange should then run a proactive refresh to invalidate the compromised shares, preventing the attacker from accumulating shares over time toward the threshold.
The (3,5) design provides both security (tolerates 2 compromises) and availability (tolerates 2 failures). The exchange can lose or quarantine the compromised servers and continue operating with the remaining 3. Proactive refresh is the recommended response to partial compromise — it generates new shares incompatible with the old ones, resetting the adversary's progress.