An Introduction to CGGMP Protocol
In one of my previous roles, I was part of a cryptography team responsible for implementing threshold signatures for ECDSA. This work is particularly important for many blockchains—like Bitcoin and Ethereum—that use ECDSA, which unfortunately doesn’t natively support multi-signature or threshold signature schemes.
While Bitcoin has recently adopted Schnorr signatures (which do support native multisignatures and are very simple, which I really like), ECDSA remains dominant in the ecosystem. For threshold ECDSA, one of the most efficient and well-designed protocols to date is CGGMP.
The protocol is detailed in the paper “UC Non-Interactive, Proactive, Threshold ECDSA with Identifiable Aborts.” The acronym CGGMP comes from the initials of the authors’ last names: Ran Canetti, Rosario Gennaro, Steven Goldfeder, Nikolaos Makriyannis, and Udi Peled.
In a threshold signature scheme, a private key is split into $n$ shares distributed among participants. Any subset of at least $t$ participants (the threshold) can collaboratively produce a valid signature without ever reconstructing the full key. This eliminates the single point of failure that plagues traditional single-key custody.
CGGMP builds on earlier threshold ECDSA protocols like GG18 and GG20, but introduces several improvements:
- Non-interactive signing: Earlier protocols required multiple rounds of back-and-forth communication during signing. CGGMP moves the heavy lifting to a pre-signing phase that can be done offline, ahead of time. Once pre-signatures are ready, the actual signing is non-interactive—each party produces their signature share independently.
- Proactive security: The protocol supports key refresh, meaning shares can be periodically rotated without changing the public key. Even if an attacker compromises some shares over time, shares taken before a refresh cannot be combined with shares taken after it.
- Identifiable aborts: If a party misbehaves, the honest participants can identify exactly who was at fault. This is critical for real-world accountability.
- UC security: The protocol is proven secure in the Universal Composability framework, the gold standard for cryptographic proofs, ensuring security even when composed with other protocols.
What sets CGGMP apart is this combination of non-interactive signing and proactive security.
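To make the threshold and key-refresh ideas above concrete, here is an added example (not code from the CGGMP paper or from any implementation). It assumes plain Shamir sharing over the secp256k1 scalar field with a trusted dealer, and it reconstructs the secret in the clear only to check the arithmetic; the real protocol has no dealer and never reconstructs the key. All function names are hypothetical.

```python
# Added illustration: Shamir sharing plus proactive refresh (not CGGMP itself).
# Assumption: a trusted dealer and in-the-clear reconstruction, for checking only.
import secrets

# Order of the secp256k1 group, i.e. the scalar field ECDSA keys live in.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def poly_eval(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def share(secret, t, n):
    """Split secret into n shares; any t of them determine it (degree t-1)."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: poly_eval(coeffs, i) for i in range(1, n + 1)}

def refresh(shares, t):
    """Add shares of a random polynomial whose constant term is 0.
    Every share changes, the shared secret (and so the public key) does not."""
    zero = [0] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: (s + poly_eval(zero, i)) % Q for i, s in shares.items()}

def reconstruct(subset):
    """Lagrange interpolation at x = 0 over an {index: share} subset."""
    total = 0
    for i, y in subset.items():
        num, den = 1, 1
        for j in subset:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + y * num * pow(den, -1, Q)) % Q
    return total

def pick(shares, idxs):
    return {i: shares[i] for i in idxs}

def demo(t=2, n=3):
    secret = secrets.randbelow(Q)
    old = share(secret, t, n)
    new = refresh(old, t)
    same_epoch_ok = reconstruct(pick(new, [1, 3])) == secret
    mixed = {1: old[1], 2: new[2]}  # one share from before the refresh, one after
    return same_epoch_ok, reconstruct(mixed) != secret
```

`demo()` returns `(True, True)`: any `t` shares from the same epoch still define the original secret, while a pre-refresh share combined with a post-refresh share interpolates to an unrelated value.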
Recently, I came across a new Rust implementation of CGGMP that is open-source. It’s exciting to see the community making this cutting-edge cryptography more accessible, and I highly recommend checking it out if you’re working on threshold signing for ECDSA.