Lux Threshold - Universal Multi-Chain Threshold Signatures

Overview

Lux Threshold is a production-ready threshold signature library supporting 20+ blockchains with post-quantum security. It is written in Go and forked from taurusgroup/multi-party-sig, and it provides the cryptographic core for luxfi/mpc and other signing services.

Quick reference

| Item | Value |
|---|---|
| Module | github.com/luxfi/threshold |
| Go | 1.26.1 |
| Binary | threshold-cli |
| Default Branch | main |
| License | Apache 2.0 |
| Origin | Fork of taurusgroup/multi-party-sig |

Hard requirements

  1. ALWAYS use github.com/luxfi/* packages -- NEVER go-ethereum or luxfi
  2. NEVER use JSON for FROST/LSS configs -- crypto types lack JSON marshalers, use CBOR
  3. Use constant-time arithmetic via cronokirby/saferith -- no timing side-channels

Protocols

| Protocol | Algorithm | Rounds | Signing | Features |
|---|---|---|---|---|
| CMP | ECDSA | 4 sign, 7 presign | ~15ms | Identifiable aborts |
| FROST | Schnorr/EdDSA | 2 | ~8ms | BIP-340 Taproot compatible |
| LSS | ECDSA | Variable | ~35ms reshare | Dynamic resharing, fault tolerance |
| Doerner | 2-of-2 ECDSA | 2-party | ~5ms | Constant-time optimized |
| BLS | BLS12-381 | Aggregate | - | Aggregate signatures |
| Ringtail | Lattice | Variable | - | Post-quantum (128/192/256-bit) |
| TFHE | FHE | - | - | Threshold FHE operations |
| Quasar | Consensus | - | - | Consensus-specific signatures |

Architecture

threshold/
├── cmd/threshold-cli/     # CLI tool
├── internal/              # Private implementation
│   ├── bip32/            # BIP-32 key derivation
│   ├── elgamal/          # ElGamal encryption
│   ├── mta/              # Multiplicative-to-Additive conversion
│   ├── ot/               # Oblivious transfer (Extended OT)
│   ├── params/           # Security parameters
│   ├── round/            # Round-based protocol framework
│   ├── test/             # Test infrastructure
│   └── types/            # Internal type definitions
├── pkg/                   # Public API
│   ├── ecdsa/            # ECDSA signature types
│   ├── hash/             # BLAKE3-based hashing
│   ├── math/             # Cryptographic arithmetic (curve, polynomial, sample)
│   ├── paillier/         # Paillier homomorphic encryption
│   ├── party/            # Party identification
│   ├── pedersen/         # Pedersen commitments
│   ├── pool/             # Thread pool for parallelization
│   ├── protocol/         # Protocol handler framework
│   ├── taproot/          # BIP-340/341 Taproot support
│   └── zk/               # 17 zero-knowledge proof systems
├── protocols/             # Protocol implementations
│   ├── adapters/         # Chain-specific adapters
│   ├── bls/              # BLS aggregate signatures
│   ├── cmp/              # CMP ECDSA (CGGMP21)
│   ├── doerner/          # 2-of-2 optimized ECDSA
│   ├── example/          # Example protocol usage
│   ├── frost/            # FROST Schnorr/EdDSA
│   ├── lss/              # LSS dynamic resharing
│   ├── quasar/           # Quasar consensus signatures
│   ├── ringtail/         # Post-quantum lattice-based
│   └── tfhe/             # Threshold FHE
└── docs/                  # Documentation

One-file quickstart

Installation

go get github.com/luxfi/threshold@v1.5.5

Basic usage

import (
    "github.com/luxfi/threshold/pkg/math/curve" // provides curve.Secp256k1
    "github.com/luxfi/threshold/protocols/adapters"
    "github.com/luxfi/threshold/protocols/cmp"
)

// Generate threshold keys
configs := cmp.Keygen(curve.Secp256k1{}, selfID, parties, threshold, pool)

// Create chain adapter
factory := &adapters.AdapterFactory{}
adapter := factory.NewAdapter("ethereum", adapters.SignatureECDSA)

// Sign transaction
digest, _ := adapter.Digest(transaction)
signature := cmp.Sign(config, signers, digest, pool)
encoded, _ := adapter.Encode(signature)

Dynamic resharing (LSS)

// Add new parties without reconstructing keys
newConfigs := lss.Reshare(oldConfigs, newParties, newThreshold, pool)

// Emergency rollback
manager := lss.NewRollbackManager(maxGenerations)
restoredConfig, _ := manager.Rollback(targetGeneration)

Post-quantum signatures (Ringtail)

pqAdapter := adapters.NewRingtailAdapter(256, numParties) // 256-bit PQ security
preprocessing := pqAdapter.GeneratePreprocessing(parties, threshold, 100)
pqSignature := pqAdapter.Sign(message, shares, preprocessing)

Key Dependencies

github.com/luxfi/crypto@v1.17.28       -- ECDSA, EdDSA, BLS curves
github.com/luxfi/fhe@v1.7.6            -- FHE primitives for TFHE protocol
github.com/luxfi/lattice/v7@v7.0.0     -- Lattice ops for Ringtail (PQ)
github.com/luxfi/ringtail@v0.2.0       -- Post-quantum threshold signatures
github.com/luxfi/log@v1.4.1            -- Structured logging
github.com/cronokirby/saferith@v0.33.0 -- Constant-time big integer arithmetic
github.com/zeebo/blake3@v0.2.4         -- BLAKE3 hashing
github.com/fxamacker/cbor/v2@v2.9.0    -- CBOR binary serialization
github.com/cloudflare/circl@v1.6.3     -- BLS12-381 curve operations

Security Parameters

Defined in internal/params/params.go:

| Parameter | Value | Purpose |
|---|---|---|
| SecParam | 256 | Security parameter (bits) |
| OTParam | 128 | Oblivious transfer security |
| StatParam | 80 | Statistical security |
| ZKModIterations | 128 | Paillier-Blum validation (increased from 12) |
| BitsBlumPrime | 1024 | Blum prime bit length |
| BitsPaillier | 2048 | Paillier modulus bit length |

Blockchain Support

Tier 1 -- Full Native Support

| Chain | Signature | Status |
|---|---|---|
| XRPL | ECDSA/EdDSA | Production |
| Ethereum | ECDSA | Production |
| Bitcoin | ECDSA/Schnorr | Production |
| Solana | EdDSA | Production |
| TON | EdDSA | Production |
| Cardano | EdDSA/ECDSA/Schnorr | Production |

Tier 2 -- Ready for Integration

Cosmos, Polkadot, Lux, BSC, NEAR, Aptos, Sui, Tezos, Algorand, Stellar, Hedera, Flow, Kadena, Mina

Performance

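| Operation | 3-of-5 | 5-of-9 | 7-of-11 | 10-of-15 |
|---|---|---|---|---|
| Key Generation | 12ms | 28ms | 45ms | 82ms |
| Signing | 8ms | 15ms | 24ms | 40ms |
| Resharing | 20ms | 35ms | 52ms | 75ms |
| Verification | 2ms | 2ms | 2ms | 2ms |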

Naming Conventions (vs Upstream)

This fork uses different field naming from taurusgroup/multi-party-sig:

  • Delta (public) instead of _Delta (private)
  • _KDelta instead of _K_Delta

When merging upstream, adapt their code to Lux conventions.

Testing

# All tests
go test ./... -timeout 120s

# Protocol-specific
go test ./protocols/cmp/... -timeout 120s
go test ./protocols/frost/... -timeout 120s
go test ./protocols/lss/... -timeout 120s
go test ./internal/ot/... -timeout 120s

# With race detection
go test -race ./... -timeout 180s

# Benchmarks
go test -bench=. ./...

Test Coverage

| Package | Coverage |
|---|---|
| protocols/lss | 100% |
| protocols/cmp | 75% |
| protocols/frost | 100% |
| protocols/doerner | 100% |
| protocols/adapters | 100% |

Adding a New Chain Adapter

  1. Add chain constant in protocols/adapters/ or protocols/lss/adapters/evm.go
  2. Add config in GetChainConfig()
  3. Update protocols/lss/factory.go with chain info
  4. Add to SupportedChains() list
  5. Update tests in full_coverage_test.go

Troubleshooting

| Issue | Cause | Solution |
|---|---|---|
| FROST config corruption | JSON marshal of crypto types | Use CBOR via MarshalFROSTConfig() |
| LSS config corruption | Same as FROST | Use CBOR via MarshalLSSConfig() |
| Timing attack risk | Non-constant-time math | Use saferith for all big int ops |
| Flaky test | TestHandler_WaitForResultTimeout | Known flaky, unrelated to core |
| Import errors | Using go-ethereum types | Switch to luxfi/crypto types |
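The failure behind hard requirement 2 and the two "config corruption" rows above, shown as an added example that is not code from luxfi/threshold. `scalar` and `shareConfig` are hypothetical stand-ins for the library's types, and `encoding/gob` stands in for CBOR so the block runs on the standard library alone.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"encoding/gob"
	"encoding/json"
	"fmt"
)

// scalar: constructed stand-in crypto type; unexported state, no JSON marshalers.
type scalar struct{ b []byte }

func (s scalar) MarshalBinary() ([]byte, error)  { return s.b, nil }
func (s *scalar) UnmarshalBinary(p []byte) error { s.b = bytes.Clone(p); return nil }

// shareConfig is a hypothetical key-share config, not the library's type.
type shareConfig struct {
	ID     string
	Secret scalar
}

// viaJSON round-trips cfg through encoding/json and returns the wire bytes.
func viaJSON(cfg shareConfig) (out shareConfig, raw []byte, err error) {
	if raw, err = json.Marshal(cfg); err == nil {
		err = json.Unmarshal(raw, &out)
	}
	return out, raw, err
}

// viaBinary round-trips cfg through a codec that calls MarshalBinary.
func viaBinary(cfg shareConfig) (out shareConfig, err error) {
	var buf bytes.Buffer
	if err = gob.NewEncoder(&buf).Encode(cfg); err == nil {
		err = gob.NewDecoder(&buf).Decode(&out)
	}
	return out, err
}

// intact compares the decoded secret with the original using crypto/subtle.
func intact(want, got shareConfig) bool {
	return subtle.ConstantTimeCompare(want.Secret.b, got.Secret.b) == 1
}

func main() {
	cfg := shareConfig{ID: "p1", Secret: scalar{b: bytes.Repeat([]byte{0x42}, 32)}} // constructed
	j, raw, jerr := viaJSON(cfg)
	b, berr := viaBinary(cfg)
	fmt.Printf("json %s err=%v intact=%v | binary err=%v intact=%v\n", raw, jerr, intact(cfg, j), berr, intact(cfg, b))
}
```

The JSON path returns no error at either step and still loses the secret, so a post-decode comparison such as `intact` is the only thing that catches it.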
  • lux/lux-mpc.md -- MPC wallet service that uses this library
  • lux/lux-hsm.md -- HSM-backed key share storage
  • lux/lux-crypto.md -- Underlying cryptographic primitives
  • lux/lux-lattice.md -- Lattice crypto used by Ringtail protocol
