Binance Open-Sources Threshold Signature Scheme Library

2019-11-06

Binance continues to contribute to open-source blockchain development, improving the security of funds and information for BNB Chain, Bitcoin networks and more.

The blockchain industry is growing at a fast pace in large part due to contributions from the open-source community. Binance’s belief in innovation stems from our deep commitment to the long-term growth of the blockchain industry and building core infrastructure services for organizing the world’s crypto. This includes the work Binance has contributed, together with the community, to the BNB Chain blockchain software system. 

Today, we’re taking Binance’s commitment to open source to the next level. We are excited to announce the open-source implementation of a Threshold Signature Scheme (TSS)  library for Elliptic Curve Digital Signature Algorithm (ECDSA), which will enable wallet providers and custodians to avoid single points of failure in private keys with distributed key management.

Many development resources have been poured into implementing TSS, a cryptographic protocol for distributed key generation and signing. TSS is now compatible and reusable for ECDSA-based blockchains, including BNB Chain, Bitcoin, and Ethereum networks. We expect that members of the Binance ecosystem and partner community can integrate this TSS library with their applications, such as wallets and custodians, and further develop this exciting new technology.

With the support of the BNB Chain community, we are happy to share the open-source code at https://github.com/binance-chain/tss-lib.

Threshold Signature Scheme (TSS)

Threshold Signature Scheme (TSS) allows users to define a flexible threshold policy. TSS technology allows us to replace all signing commands with distributed computations so that the private key is no longer a single point of failure. For example, each of three users could receive a share of the private signing key, and in order to sign a transaction, at least two of the three users will need to join to construct the signature.

For individuals, threshold signatures allow for splitting the ability to sign between more than two devices so that a single compromised device won’t put assets at risk. For business operators, threshold signatures allow for the realization of access control policies that prevent both insiders and outsiders from stealing corporate funds. 

TSS uses cryptography off-chain, unlike traditional Multisig (multi-signature) which happens on-chain, often consuming more resources and causing a number of signers to be exposed in the blockchains and become potential attack surfaces. (Learn more about Threshold Signatures Explained on Binance Academy.)

Key Features of the Binance TSS Solution:

  • High Security: Implementing TSS is more secure, as multiple private key shares are distributed to different parties and private keys will not even be reconstructed during the signing of any transaction (e.g. withdrawing assets).

  • Fast Setup and Signing: TSS is more efficient to use than other key management systems, such as Multisig, as it only has one signature on the blockchain instead of multiple. 

  • Recovery Protection Guarantee: With TSS, you can easily recover your private keys in special cases through the re-sharing process, i.e., regenerating private key shares.

Security First

Security has always been the top priority for Binance. As part of our commitment to the security of user funds and information, the development of TSS opens a new dimension to raise the security level for better use of BNB Chain/DEX and wallet management across different blockchains.

Security Audit

We invited Kudelski Security, an independent third-party auditor recognized as a leading player in the cybersecurity industry, to audit the security of the cryptography and code in the Binance TSS library. As the TSS library “is a library meant to be reused by other developers,”  the audit summary highlights that the strictest audit criteria was enforced.

Based on the security audit, “none of the issues found in the frame of this audit could be exploited” to “completely break the security of the scheme, or recover secret data.” Furthermore, all security issues identified in document reports have already been patched. All changes to adequately address the shortcomings reported have been reviewed by Kudelski Security and a detailed report on the TSS library can be found here.

Security checks are routinely and continuously planned for all parts of TSS implementations and future audits will be publicly reported and made available to the BNB Chain community.

How to Use TSS on BNB Chain

The TSS library is already integrated with the BNB Chain blockchain. Download the BNB Chain TSS CLI to manage your private keys in a more secure fashion. 

Steps to Complete a TSS Signing Process Include:

  1. Vault Initialization: This will initialize the parties involved and set up end-to-end encrypted communication channels. Let’s say there are 3 parties involved in this example. 

  2. Key Generation: If the quorum policy is defined to share the secrets of the private key to 2 out of 3 TSS signers, then the private key shares will be shared with 3 parties and any 2 of 3 parties can sign the transactions. 

  3. Signing: A digital signature will be generated from the three parties involved and their shares of the secret.

  4. Vault Regroup: If any parties lose their keys or leave the team, new secret shares will be generated for each of the new parties.

The full TSS in BNB Chain User Guide can be found here: https://docs.binance.org/tss.html

Future Plans

Our work with TSS is not done. We plan to continue to extend this project in the future and work with the BNB Chain community to provide TSS support for more advanced use cases. In the long term, we want to work together with the community to build a healthy and sustainable open-source ecosystem on cryptography to foster and grow not only BNB Chain Community, but also the global blockchain and cryptocurrency community.Â