
I am planning to use threshold cryptography in a Java application. So far, I have only found ThresSig and an ECDSA implementation used in TwoFactorBtcWallet. However, ThresSig is based on a 15-year-old scheme, Shoup's Practical Threshold Signatures, and I can't figure out how to re-use the aforementioned ECDSA implementation for my own needs (I am not even sure if the code supports more than 2 parties).

Are Shoup's Practical Threshold Signatures considered secure nowadays? Are there any well-known pitfalls or recommendations on sizes, etc.? If not, is ECDSA an appropriate building block, and how?

otus
João

1 Answer


Shoup proved security of his scheme in the random oracle model, which means that it should be "as secure" as RSA itself assuming you use a sufficiently strong hash function, which today should be SHA-2.

More important than the scheme itself, any implementation should be considered with some suspicion given the substantial history of buggy cryptosystems in the world; RSA is at least a tiny bit more forgiving than DSA/ECDSA in this regard.

In any case, I would suspect that threshold schemes, given their relative complexity, have some potential for side channel attacks, e.g., on timing.

Unless you require actual threshold signature capability, in which case one really needs to understand the schemes and implementations in depth, I would suggest using alternative methods that accomplish the same goal.

For example, one can simulate $t$-of-$n$ threshold signatures by issuing $n$ certificates and requiring that any $t$ of them sign a message before accepting that message. This unfortunately sacrifices some properties of threshold signatures (e.g., privacy) but can be more easily implemented using standard libraries.

Joe Bebel
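The answer's fallback, requiring any $t$ of $n$ independently issued keys to sign a message before it is accepted, as an added example that is not part of the original post or of ThresSig/TwoFactorBtcWallet. It uses Go's standard-library Ed25519 in place of the certificates the answer mentions (a bare public key stands in for each certificate; the `SignerSet`, `Endorsement` and `Accept` names are this example's own). The verifier counts only valid signatures from distinct authorised keys, so duplicated endorsements, unknown signers and signatures over a different message never push the count over the threshold.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignerSet is the verifier's view: the n authorised public keys (each
// standing in for a certificate) and the threshold t that must endorse.
type SignerSet struct {
	Threshold int
	Keys      []ed25519.PublicKey
}

// Endorsement is one party's signature over the message, tagged with the
// index of the key it claims to come from.
type Endorsement struct {
	Signer int
	Sig    []byte
}

// NewSignerSet generates n fresh key pairs and returns the public set plus
// the private keys, which in practice stay with the separate parties.
func NewSignerSet(t, n int) (SignerSet, []ed25519.PrivateKey, error) {
	if t < 1 || t > n {
		return SignerSet{}, nil, fmt.Errorf("invalid threshold %d of %d", t, n)
	}
	set := SignerSet{Threshold: t, Keys: make([]ed25519.PublicKey, n)}
	privs := make([]ed25519.PrivateKey, n)
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return SignerSet{}, nil, err
		}
		set.Keys[i] = pub
		privs[i] = priv
	}
	return set, privs, nil
}

// Endorse produces party i's signature over msg.
func Endorse(privs []ed25519.PrivateKey, i int, msg []byte) Endorsement {
	return Endorsement{Signer: i, Sig: ed25519.Sign(privs[i], msg)}
}

// Accept returns true only if at least Threshold distinct authorised keys
// have produced a valid signature over msg. Out-of-range signer indices,
// invalid signatures and repeated endorsements from one key do not count.
func (s SignerSet) Accept(msg []byte, ends []Endorsement) bool {
	seen := make(map[int]bool)
	for _, e := range ends {
		if e.Signer < 0 || e.Signer >= len(s.Keys) || seen[e.Signer] {
			continue
		}
		if ed25519.Verify(s.Keys[e.Signer], msg, e.Sig) {
			seen[e.Signer] = true
		}
	}
	return len(seen) >= s.Threshold
}

func main() {
	set, privs, err := NewSignerSet(2, 3)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message to be approved") // constructed input
	ends := []Endorsement{Endorse(privs, 0, msg), Endorse(privs, 2, msg)}
	fmt.Println("2 of 3 valid endorsements accepted:", set.Accept(msg, ends))
	fmt.Println("1 of 3 valid endorsements accepted:", set.Accept(msg, ends[:1]))
}
```

As the answer notes, this gives up the privacy of a true threshold scheme: the verifier (and anyone holding the message) sees exactly which $t$ keys signed. What it buys is that every primitive is an off-the-shelf signature, so the security argument reduces to Ed25519 plus the dedup-by-key rule in `Accept`, rather than to a bespoke threshold protocol.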