We formulate the design of a threshold signature scheme as made possible on cryptocurrency protocols like Bitcoin. The funds are secured by an m-of-n threshold signature, where at least m signatures are needed to unlock the funds. A user designs this scheme knowing that a malicious attacker can also obtain the signatures with some probability. Higher thresholds offer more security, but also risk locking the user out of his own funds. The optimal threshold balances these twin effects. Interventions like increasing the security or usability of the signatures allow for higher thresholds. We model dynamic threshold signature schemes, where the probability of a user or attacker obtaining signatures decays with time. A dynamic threshold signature scheme is optimal, and increasing security or usability allows for higher thresholds and longer time locks.

翻译：暂无翻译