🔑 Threshold Signatures Threshold Signatures
One private key is split into pieces called shares, handed to different parties. A set number of them (the threshold) must work together to sign a transaction, yet no one ever holds the whole key.
🧩 The simple version — a key nobody fully holds
A normal crypto wallet has one private key. Whoever holds that key controls the money — which means a stolen phone or a hacked server can hand everything to an attacker. A threshold signature scheme (TSS) fixes this by splitting the key into shares and giving them to different parties. To sign, a set number of those parties must cooperate. The whole key is never gathered in one place — not when it's created, not when it's used, not when it's stored.
🔢 What "t-of-n" means
TSS is described as t-of-n: n parties each hold a share, and any t of them must collaborate to sign. A common setup is 2-of-3 — three shareholders exist, and any two of them together can approve a transaction.
| Setup | What it means |
|---|---|
| 🔐 2-of-2 | Two shares, both needed. A common phone-plus-server model in consumer MPC wallets |
| 🔐 2-of-3 | Three shares, any two sign. Lose one share and you can still recover with the other two |
| 🔐 t-of-n | Set your own threshold — the number needed to sign stays your choice |
🛠️ How the shares work together: MPC
The trick behind TSS is multi-party computation (MPC). Each party independently creates and keeps its own secret share. When it's time to sign, they run a joint computation that produces a valid digital signature — without any party revealing its share and without the full key ever existing in one spot. The result is one ordinary signature with one public key.
⛓️ Why it works on any blockchain
The heavy cryptography happens off-chain. Only a normal single signature lands on the blockchain, which looks identical to a regular wallet's. Because of that, TSS is blockchain-agnostic — it works on any chain that supports ordinary signatures, like Bitcoin or Ethereum, with no special smart contract needed.
🆚 Threshold signatures vs on-chain multisig
| 🔑 Threshold signature (TSS) | 📝 Multisig | |
|---|---|---|
| On-chain look | One key, one signature — like a normal wallet | Several keys and signatures, all visible |
| Where approval logic lives | In cryptography, off-chain | In a smart contract / script, on-chain |
| Privacy | The approval structure is hidden | Anyone can see who must approve |
| Fees | Often lower (just one signature) | Can be higher (more on-chain data) |
📱 Where a beginner meets it
You'll usually run into TSS as the security model behind MPC wallets and seedless wallets — apps that protect you without a single seed phrase that could be stolen all at once. ZenGo, for example, splits the key 2-of-2 between your phone and its server. The same technology secures custody at large exchanges and providers like Coinbase, Binance, BitGo, and Fireblocks.
🚨 Things beginners should know
- 🚫 Not the same as multisig — they solve a similar problem, but TSS hides the structure on-chain while multisig shows it
- 🛡️ Not unhackable — it removes one big weak spot, but the math must be implemented correctly; flaws have been found in TSS libraries before
- 🤝 Trust the provider — with a consumer MPC wallet you're trusting that the company built and runs the scheme properly
- 💾 Know your recovery — understand how to recover if one share or device is lost before you put real money in
❓ FAQ
- Are threshold signatures the same as multisig?
- No. A multisig wallet has several separate public keys and several signatures, all visible on-chain, so anyone can see it's a multi-party wallet. A threshold signature produces one public key and one signature built from secret shares, so on-chain it looks like an ordinary single-signer wallet. The 'who must approve' logic lives in cryptography off-chain, not in a smart contract.
- Where is the full private key kept?
- Nowhere. With multi-party computation (MPC), each party generates and keeps only its own share. The complete private key is never assembled in one place — not during setup, signing, or storage. That's what removes the single point of failure.
- Does this mean my wallet can't be hacked?
- No. Threshold signatures remove one big weak spot — stealing a single device or server no longer hands over the whole key. But the math has to be implemented correctly. Real flaws have been found in threshold-signature libraries before, so the security depends on the provider doing it right.