// GLOSSARY -- SECURITY & COMPLIANCE

What is a Threshold Signature Scheme?

1 min read Updated

A threshold signature scheme (TSS) is a cryptographic protocol where a signing key is split into n shares, and any t (threshold) of those shares can collaboratively produce a valid digital signature — without reconstructing the full key.

WHY IT MATTERS

TSS is the cryptographic foundation of MPC wallets. In a 2-of-3 TSS, the key is split into 3 shares. Any 2 shares can produce a valid signature through an interactive protocol. No single share holder can sign alone, and the complete key is never assembled in one place.

The mathematics behind TSS (often based on Shamir's Secret Sharing and distributed key generation protocols) ensure that even colluding parties below the threshold learn nothing about the key. This provides information-theoretic security for the key material.

TSS produces a standard signature that's indistinguishable from a regular one — unlike multisig, which requires a specialized on-chain contract. This makes TSS compatible with any blockchain and any account type.

HOW POLICYLAYER USES THIS

PolicyLayer can function as a threshold condition in the signing process. Before the TSS signing ceremony completes, PolicyLayer validates the transaction against policies — adding a policy check to the threshold signature flow.

FREQUENTLY ASKED QUESTIONS

How is TSS related to MPC?
TSS is a specific application of MPC (Multi-Party Computation) for digital signatures. MPC is the broader field of secure computation among multiple parties. TSS uses MPC techniques specifically for distributed signing.
What threshold should I use?
Common choices: 2-of-3 (minimum redundancy with security), 3-of-5 (more resilient), or 2-of-2 (no redundancy but prevents single-party signing). The right choice depends on your security model and operational requirements.
Can TSS shares be rotated?
Yes. Key refresh protocols allow generating new shares for the same underlying key — useful if you suspect a share was compromised. The new shares are incompatible with old shares, neutralizing the compromised one.

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.