Paper 2022/1636

Threshold Signatures with Private Accountability

Dan Boneh, Stanford University
Chelsea Komlo, University of Waterloo

Existing threshold signature schemes come in two flavors: (i) fully private, where the signature reveals nothing about the set of signers that generated the signature, and (ii) accountable, where the signature completely identifies the set of signers. In this paper we propose a new type of threshold signature, called TAPS, that is a hybrid of privacy and accountability. A TAPS signature is fully private from the public's point of view. However, an entity that has a secret tracing key can trace a signature to the threshold of signers that generated it. A TAPS makes it possible for an organization to keep its inner workings private, while ensuring that signers are accountable for their actions. We construct a number of TAPS schemes. First, we present a generic construction that builds a TAPS from any accountable threshold signature. This generic construction is not efficient, and we next focus on efficient schemes based on standard assumptions. We build two efficient TAPS schemes (in the random oracle model) based on the Schnorr signature scheme. We conclude with a number of open problems relating to efficient TAPS.

Available format(s)
Cryptographic protocols
Publication info
A minor revision of an IACR publication in CRYPTO 2022
threshold signatures multisignatures Schnorr signatures
Contact author(s)
dabo @ cs stanford edu
ckomlo @ uwaterloo ca
2022-11-25: approved
2022-11-24: received
See all versions
Short URL
Creative Commons Attribution


      author = {Dan Boneh and Chelsea Komlo},
      title = {Threshold Signatures with Private Accountability},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1636},
      year = {2022},
      doi = {10.1007/978-3-031-15985-5_19},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.