I’ve always learned best by watching things work.
Not reading about them. Not studying diagrams in a paper. Actually seeing the values change, the data flow between parties, the math resolve into something I can verify with my own tools.
When I started studying threshold ECDSA seriously — specifically the DKLS23 protocol I wrote about in my last post — I hit a wall. The paper is rigorous and well-written, but it’s a paper. Dense notation, formal proofs, and a level of abstraction that makes it hard to connect the theory to what’s actually happening when two parties cooperate to sign a message.
So I built something to bridge that gap.
What tss-ceremony Does
tss-ceremony is an interactive terminal application — a TUI built with Go and Bubbletea — that animates a complete DKLS23 2-of-2 threshold ECDSA signing ceremony over the secp256k1 curve.
Every value is real. The keys are real. The nonces are real. The oblivious transfers, the multiplicative-to-additive conversions, the partial signatures — all computed live. And when the ceremony finishes, it produces a standard ECDSA signature you can verify yourself with OpenSSL.
That last part matters to me. It’s one thing to watch an animation and trust that the math is correct. It’s far better to take the output and prove it.
Walking Through the Ceremony
The animation breaks the DKLS23 protocol into 20 scenes, each one focusing on a specific step.

Scenes 0–4 cover key generation. You watch Party A (rendered in cyan) and Party B (magenta) each generate their secret shares. Then you see the Diffie-Hellman exchange that produces the phantom public key — the shared key that neither party holds alone. The hex values roll in progressively, grouped in 8-character blocks, so you can actually track what’s being computed.
Scenes 5–11 are the signing ceremony itself. Message hashing, nonce generation, nonce commitment, the oblivious transfer simulation, MtA conversion, and partial signature computation. This is where the protocol earns its reputation. You see how two parties who never share their secrets can still cooperate to produce a valid signature.
Scenes 12–13 handle verification and demonstrate why threshold signatures resist attacks that would break naive multi-signature approaches.
Scene 14 ties it all together: the final signature assembly, plus a one-liner you can paste into your terminal to verify the result with OpenSSL.
Scenes 15–19 are a bonus comparison with FROST — a Schnorr-based threshold scheme — shown side by side with the DKLS23 approach. Same curve, different math. It’s useful context for understanding why ECDSA threshold signing is harder than Schnorr and why DKLS23’s approach to that problem is elegant.
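The algebra behind scenes 0 through 14, as an added Python sketch that is not tss-ceremony's own code. It assumes multiplicative key and nonce shares (as the Diffie-Hellman key step suggests), replaces the OT-based MtA with a stand-in `mta` function that sees both inputs, and uses non-constant-time arithmetic; all function names are hypothetical.

```python
import hashlib, secrets

# secp256k1 field prime, group order and generator
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    if p == q: lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P)
    else: lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P)
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def mul(k, p):
    """Double-and-add scalar multiplication (teaching code, not constant time)."""
    acc = None
    while k:
        if k & 1: acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def mta(x, y):
    """Assumed stand-in for MtA: additive shares of x*y mod N.
    The real protocol gets these via oblivious transfer, revealing neither input."""
    alpha = secrets.randbelow(N)
    return alpha, (x * y - alpha) % N

def ceremony(msg):
    rand = lambda: secrets.randbelow(N - 1) + 1
    a, b = rand(), rand()                    # Party A / Party B key shares
    pub = mul(b, mul(a, G))                  # phantom key (a*b)G, DH style
    ka, kb = rand(), rand()                  # nonce shares
    r = mul(kb, mul(ka, G))[0] % N           # r = x-coordinate of (ka*kb)G
    m = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    ia, ib = pow(ka, -1, N), pow(kb, -1, N)
    a1, b1 = mta(ia, ib)                     # shares of 1/k
    a2, b2 = mta(a * ia % N, b * ib % N)     # shares of sk/k
    s_a = (m * a1 + r * a2) % N              # Party A partial signature
    s_b = (m * b1 + r * b2) % N              # Party B partial signature
    return pub, m, r, (s_a + s_b) % N        # s = (m + r*sk) / k

def verify(pub, m, r, s):
    """Textbook single-key ECDSA verification; it knows nothing about shares."""
    w = pow(s, -1, N)
    pt = add(mul(m * w % N, G), mul(r * w % N, pub))
    return 0 < r < N and pt is not None and pt[0] % N == r
```

The verifier is ordinary ECDSA, so a passing check shows the two partial signatures combine into a signature indistinguishable from one made with the full key.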
The Design Decisions
A few choices shaped how this tool works.
Real crypto, not mock data. The protocol layer in protocol/ is pure cryptographic logic with no TUI dependencies. It computes actual ECDSA operations over secp256k1 using the same elliptic curve library (decred/dcrd/dcrec/secp256k1/v4) that powers Bitcoin and Ethereum tooling. The TUI layer in tui/ animates those real values.
Deterministic mode. Running tss-ceremony --fixed uses fixed key material (with random nonces) so you get reproducible output. Useful for testing, recording demos, and comparing runs.
Educational OT. The oblivious transfer implementation is simplified for clarity, not production security. This is a teaching tool, not a signing service. I wanted someone watching the animation to understand what OT accomplishes and why it’s needed, even if the implementation itself wouldn’t survive a real-world threat model.
Speed control. You can run the animation slow, normal, or fast. You can pause with spacebar, skip ahead with enter, or quit with q. The ceremony is meant to be watched at whatever pace helps you learn.
Who This Is For
If you’re a developer who works with cryptographic signing and you’ve heard the term “threshold signatures” but never dug into the protocol details — this is for you.
If you’re a security engineer evaluating MPC-based key management solutions and you want to understand what’s happening under the hood before you trust a vendor’s implementation — this is for you.
If you’re a student or a curious developer who wants to see real elliptic curve cryptography computed in real time, with values you can cross-reference against the DKLS23 paper — this is especially for you.
go install github.com/DisplaceTech/tss-ceremony@latest
Run it. Watch the hex roll. Verify the signature yourself.
In the next post, I’ll share the story of how this tool was actually built — including what went wrong when AI agents took the first pass at the implementation. It also taught me some important lessons about supervising autonomous code generation.
