MPC Threshold Signing — Visual Guide

1

Each Friend Picks Their Secret

Each party independently generates a random polynomial f(x) = a0 + a1·x.
Degree = threshold−1 = 1. The constant term a0 is their secret contribution to the group key.

Alice (#1)

secret a0_A — secret contribution
secret a1_A — random blinding

f_A(x) = a0_A + a1_A·x

Bob (#2)

secret a0_B
secret a1_B

f_B(x) = a0_B + a1_B·x

Carol (#3)

secret a0_C
secret a1_C

f_C(x) = a0_C + a1_C·x

Nothing is shared yet. Each polynomial lives only on one machine. Files: alice/secrets.json, bob/secrets.json, carol/secrets.json

2

Post Commitments to the Public Board

Each party multiplies their secret coefficients by the generator point G to create commitments. These go on the public board — everyone sees them, but can't reverse-engineer the secrets (discrete log problem).

Alice

C0_A = a0_A · G C1_A = a1_A · G

secret a0_A, a1_A (kept)
public C0_A, C1_A (posted)

Bob

C0_B = a0_B · G C1_B = a1_B · G

secret a0_B, a1_B
public C0_B, C1_B

Carol

C0_C = a0_C · G C1_C = a1_C · G

secret a0_C, a1_C
public C0_C, C1_C

⬇ all commitments flow down ⬇

📢 Public Board

step2_alice_commit.json — {C0_A, C1_A} (elliptic curve points)
step2_bob_commit.json — {C0_B, C1_B}
step2_carol_commit.json — {C0_C, C1_C}

Key idea: C0 = a0·G locks in the secret without revealing it. Later, anyone can verify shares against these commitments.

3

Whisper Secret Shares (Private Mail)

Each party evaluates their polynomial at the other parties' indices and sends the result as a secret share via encrypted private mail. Only the recipient can read it.

Alice

f_A(2) → Bob f_A(3) → Carol

Bob

f_B(1) → Alice f_B(3) → Carol

Carol

f_C(1) → Alice f_C(2) → Bob

📬 Private Mail (encrypted, point-to-point)

alice_to_bob.json — f_A(2) = a0_A + a1_A·2 only bob reads
alice_to_carol.json — f_A(3) = a0_A + a1_A·3 only carol reads
bob_to_alice.json — f_B(1) only alice reads
bob_to_carol.json — f_B(3) only carol reads
carol_to_alice.json — f_C(1) only alice reads
carol_to_bob.json — f_C(2) only bob reads

Each share is a single scalar (big number). The polynomial evaluation at index i gives that party their piece of the puzzle. Nobody sees anyone else's mail.

4

Verify Shares & Discover the Group Key

Each party: (1) verifies received shares using Feldman VSS, (2) combines all shares into their final key share, (3) everyone computes the same group public key.

Alice verifies & combines

Verify: f_B(1)·G == C0_B + 1·C1_B ? ✅ f_C(1)·G == C0_C + 1·C1_C ? ✅ Combine: x_A = f_A(1) + f_B(1) + f_C(1)

secret x_A — final key share

Bob verifies & combines

Verify: f_A(2)·G == C0_A + 2·C1_A ? ✅ f_C(2)·G == C0_C + 2·C1_C ? ✅ Combine: x_B = f_A(2) + f_B(2) + f_C(2)

secret x_B — final key share

Carol verifies & combines

Verify: f_A(3)·G == C0_A + 3·C1_A ? ✅ f_C(3)·G == C0_C + 3·C1_C ? ✅ Combine: x_C = f_A(3) + f_B(3) + f_C(3)

secret x_C — final key share

⬇ everyone computes the same public key ⬇

🔐 Group Public Key

PK = C0_A + C0_B + C0_C = (a0_A + a0_B + a0_C) · G = x · G Ethereum address = last 20 bytes of keccak256(PK) The full private key x = a0_A + a0_B + a0_C ← NOBODY computes this!

group_key.json — {public_key, ethereum_address} public

Feldman verification: share·G should equal C0 + index·C1. This catches cheaters without revealing the secret polynomial. If anyone lies about their shares, the check fails and we abort.

5

Alice & Bob Pick Signing Nonces

Only 2-of-3 needed! Alice and Bob cooperate while Carol is offline. Each picks a random nonce (one-time secret) and publishes the corresponding curve point.

Alice (signing)

secret k_A — random nonce
public R_A = k_A·G

Bob (signing)

secret k_B — random nonce
public R_B = k_B·G

Carol (offline)

Not needed for 2-of-3

⬇

📢 Public Board

signing_message.json — "Send 1 ETH to 0xd00d" + hash
step5_alice_nonce.json — R_A point (x, y)
step5_bob_nonce.json — R_B point (x, y)

6

Compute Partial Signatures

Each signer uses their private nonce, private key share, and the public challenge to compute a partial signature. The math is Schnorr-style.

Both signers compute (from public data): R = R_A + R_B (combined nonce point) e = keccak256(R || message) (challenge hash)

Alice's partial sig

λ_A = Lagrange({1,2}, i=1) = 2 s_A = k_A - e · λ_A · x_A mod N ↑secret ↑secret

public s_A (partial signature)

Bob's partial sig

λ_B = Lagrange({1,2}, i=2) = -1 s_B = k_B - e · λ_B · x_B mod N ↑secret ↑secret

public s_B (partial signature)

⬇

📢 Public Board

step6_alice_partial.json — s_A value
step6_bob_partial.json — s_B value
step6_challenge.json — R point + e value

Lagrange coefficients adjust each party's key share for the specific subset signing. For parties {1,2}: λ₁ = 2/(2-1) = 2 and λ₂ = 1/(1-2) = -1. These ensure λ_A·x_A + λ_B·x_B = x (the full private key), even though nobody computes x directly.

7

Combine Partial Signatures

Anyone (even Carol, even a stranger!) can combine the partial signatures. No secrets needed — just addition on the public board.

s = s_A + s_B mod N Expanding: s = (k_A - e·λ_A·x_A) + (k_B - e·λ_B·x_B) = (k_A + k_B) - e·(λ_A·x_A + λ_B·x_B) = k - e·x That's a standard Schnorr signature! 🎉 k = combined nonce, x = full private key

⬇

✨ Final Signature

signature = (R, s) R = (x-coord, y-coord) ← combined nonce point s = scalar value ← combined partial sigs

final_signature.json
signature_details.json

The combined signature is indistinguishable from a single-signer Schnorr signature. The MPC protocol is completely invisible in the output.

8

Anyone Can Verify

Standard Schnorr verification. No MPC knowledge required. The verifier just checks one equation.

Schnorr verification equation: s·G + e·PK =? R Proof that this works: s·G = (k - e·x)·G = k·G - e·x·G = R - e·PK Therefore: s·G + e·PK = R ✅

✅ SIGNATURE VALID

The blockchain sees a normal signature from one Ethereum address.
No idea that 2 people made it together, or that a 3rd person exists.

All Variables by Visibility

📢 PUBLIC (anyone can see)

Variable	What it is	Step
C0_i, C1_i	Commitment points (a0·G, a1·G)	2
PK	Group public key = ∑C0_i	4
ETH addr	keccak256(PK)[12:]	4
R_A, R_B	Nonce points (k_i·G)	5
R	Combined nonce R_A+R_B	6
e	Challenge hash(R \|\| msg)	6
λ_A, λ_B	Lagrange coefficients	6
s_A, s_B	Partial signatures	6
s	Combined signature	7

🔒 PRIVATE (only owner knows)

Variable	Who	What it is
a0_A, a1_A	Alice	Polynomial coefficients
a0_B, a1_B	Bob	Polynomial coefficients
a0_C, a1_C	Carol	Polynomial coefficients
f_i(j)	Receiver j	Share from party i
x_A	Alice	Final key share
x_B	Bob	Final key share
x_C	Carol	Final key share
k_A	Alice	Signing nonce
k_B	Bob	Signing nonce
x	NOBODY	Full private key

File System Layout

playground/ ├── alice/ │ └── secrets.json private a0, a1, key_share, nonce ├── bob/ │ └── secrets.json private a0, a1, key_share, nonce ├── carol/ │ └── secrets.json private a0, a1, key_share ├── public_board/ │ ├── step2_*_commit.json public commitment points │ ├── group_key.json public group pubkey + ETH address │ ├── signing_message.json public message + hash │ ├── step5_*_nonce.json public nonce points │ ├── step6_*_partial.json public partial signatures │ ├── step6_challenge.json public R point + challenge e │ └── final_signature.json public combined (R, s) └── private_mail/ ├── alice_to_bob.json secret f_A(2) — only Bob reads ├── alice_to_carol.json secret f_A(3) — only Carol reads ├── bob_to_alice.json secret f_B(1) — only Alice reads ├── bob_to_carol.json secret f_B(3) — only Carol reads ├── carol_to_alice.json secret f_C(1) — only Alice reads └── carol_to_bob.json secret f_C(2) — only Bob reads

The Big Picture