TechTalk: Threshold Cryptography with Jan Kvapil (MUNI)

The Talsec Mobile App Security Conference in Prague was a two-day, invite-only event on fraud, malware, and API abuse in modern mobile apps, held at Chateau St. Havel on November 3–4, 2025, and hosted by Talsec, freeRASP, and partners. It brought together leading experts and practitioners to strengthen the mobile AppSec community, connect engineers with attackers and defenders, and share practical techniques for high‑stakes sectors like banking, fintech, and e‑government.

Jan Kvapil delivered a keynote on threshold cryptography, presenting it as an orthogonal defense mechanism against single-point-of-failure attacks, particularly in high-security applications like mobile banking.

Key Protection in a Compromised World: An Introduction to Threshold Cryptography

Many mobile banking applications rely on a single private key stored on a user’s device to represent digital identity and authorize transactions. The backend verifies each transaction by validating a digital signature generated using this key.

This model fails when an attacker compromises the device. If advanced malware or a zero-day exploit bypasses all defenses—including RASP, anti-malware protections, and even hardware-backed key storage—the attacker gains access to the private key. With that key, fraudulent transactions can be digitally signed in a way that appears fully legitimate to the backend. The risk escalates further if the attacker exfiltrates the key, enabling continued abuse even after the device is secured or replaced.

Threshold Cryptography: Splitting the Secret

Threshold cryptography (TC) mitigates single-device compromise by splitting a private key into multiple cryptographic shares. These shares are distributed across multiple devices, such as a user’s phone, laptop, a trusted partner’s device, or a backend service. The full private key never exists in one place.

When a transaction requires authorization, participating devices perform a coordinated cryptographic protocol to jointly produce a digital signature. The resulting signature remains fully backward-compatible: the backend verifies it exactly as it would a signature generated by a single private key, requiring no changes to existing verification logic.

Defense Against Device Compromise

Threshold cryptography prevents attackers from forging valid signatures when only one device is compromised. Possession of a single key share provides no ability to sign transactions independently, and any attempt to do so fails backend verification.

In multi-party configurations, signing also requires active participation from other trusted devices or parties. This design introduces an additional layer of protection, as suspicious signing requests can be detected and blocked by other participants. A successful attack requires compromising enough devices to meet the configured threshold, such as both devices in a two-out-of-two setup.
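The two properties described above (the backend verifies a jointly produced signature with unchanged single-key logic, and one share alone cannot produce a valid signature) can be seen in a toy two-out-of-two RSA signature. This is an added example, not code from the talk or from any deployed system: it uses a textbook additive split of the private exponent, and it assumes a constructed tiny key, unpadded hashing, and a trusted dealer that generates the key before splitting it, where a real deployment would avoid ever holding the full key.

```python
import hashlib
import secrets

# Constructed toy key: two Mersenne primes, far too small for real use.
P_, Q_ = 2**31 - 1, 2**61 - 1
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)
E = 65537
D = pow(E, -1, PHI)  # full private exponent; held only by the dealer (assumption)

def digest(msg: bytes) -> int:
    """Hash-then-sign without padding; real RSA signatures use PSS or PKCS#1 v1.5."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def split_exponent(d: int):
    """Additive 2-of-2 split: d1 + d2 = d (mod phi); d1 alone is uniformly random."""
    d1 = secrets.randbelow(PHI)
    return d1, (d - d1) % PHI

def partial_sign(msg: bytes, share: int) -> int:
    """What one party computes locally; its share never leaves the device."""
    return pow(digest(msg), share, N)

def combine(s1: int, s2: int) -> int:
    """m^d1 * m^d2 = m^(d1 + d2) = m^d (mod N)."""
    return s1 * s2 % N

def verify(msg: bytes, sig: int) -> bool:
    """Unchanged single-key RSA verification, as the backend would run it."""
    return pow(sig, E, N) == digest(msg)

def demo() -> dict:
    phone_share, server_share = split_exponent(D)
    tx = b"pay 100 EUR to constructed-account-1"   # constructed sample transaction
    joint = combine(partial_sign(tx, phone_share), partial_sign(tx, server_share))
    return {
        "joint_verifies": verify(tx, joint),
        "same_as_single_key": joint == pow(digest(tx), D, N),
        "phone_alone_verifies": verify(tx, partial_sign(tx, phone_share)),
        "other_tx_verifies": verify(b"pay 9999 EUR to constructed-account-2", joint),
    }

if __name__ == "__main__":
    print(demo())
```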

Underlying Principles: Shamir Secret Sharing

Threshold cryptography commonly relies on Shamir Secret Sharing. This method splits a secret into n shares such that only a minimum threshold t can reconstruct or use the secret, while any group smaller than t gains no information. The concept is often illustrated geometrically: just as two points are required to define a line and determine its intercept, multiple shares are required to recover or act on the secret value.

The Current State of Threshold Cryptography

Threshold cryptography has existed since the 1980s and 1990s and reflects long-standing real-world security practices, such as requiring multiple keys to access sensitive assets. Adoption is accelerating due to several factors:

  • Cryptocurrency: Threshold cryptography protects against irreversible loss of funds caused by lost private keys.

  • National Authentication Systems: Estonia uses a two-out-of-two RSA signing scheme split between a national authority and the user.

  • Standardization: NIST is actively soliciting proposals for multi-party threshold cryptography, driving interoperability and broader adoption.

The MISIN Platform

The MISIN platform demonstrates threshold cryptography in practice. It is a fully open-source, proof-of-concept implementation available on GitHub and intended for developers and security teams rather than production use.

Key capabilities include:

  • Cross-Platform Support: Built with Flutter and running on Android, Windows, macOS, and Linux.

  • Integration Demonstrations: Compatibility with standard interfaces such as PKCS#11 enables use cases like SSH login signing.

  • Flexible Group Configuration: Users can define participant groups, set signing thresholds (e.g., two out of three), and select cryptographic protocols.

Conclusion

Threshold cryptography provides an effective defense against single-key compromise by requiring multiple devices or parties to participate in cryptographic decisions. When strong private key protection is essential, distributing trust across devices significantly raises the bar for attackers and reduces the impact of individual device compromise.

Thank you, Jan, for showcasing how threshold cryptography can protect digital identities by eliminating single-key failure points. Your work demonstrates how multi-device signing and shared trust significantly raise the bar for attackers, and it highlights why modern security architectures must move beyond device-centric key protection models!
