We describe robust high-throughput threshold protocols for generating Schnorr signatures in an asynchronous setting with potentially hundreds of parties. The protocols run a single message-independent interactive ephemeral randomness generation procedure (i.e., DKG) followed by non-interactive signature generation for multiple messages, at a communication cost similar to one execution of a synchronous non-robust protocol in prior work (e.g., Gennaro et al.) and with a large number of parties (ranging from few tens to hundreds and more). Our protocols extend seamlessly to the dynamic/proactive setting where each run of the protocol uses a new committee with refreshed shares of the secret key; in particular, they support large committees periodically sampled from among the overall population of parties and the required secret state is transferred to the selected parties. The protocols work over a broadcast channel and are robust (provide guaranteed output delivery) even over asynchronous networks.

The combination of these features makes our protocols a good match for implementing a signature service over a public blockchain with many validators, where guaranteed output delivery is an absolute must. In that setting, there is a system-wide public key, where the corresponding secret signature key is distributed among the validators. Clients can submit messages (under suitable controls, e.g., smart contracts), and authorized messages are signed relative to the global public key.

Asymptotically, when running with committees of $n$ parties, our protocols can generate $\Omega(n^2)$ signatures per run, while providing resilience against $\Omega(n)$ corrupted nodes and broadcasting only $O(n^2)$ group elements and scalars (hence $O(1)$ elements per signature).

We prove the security of our protocols via a reduction to the hardness of the discrete logarithm problem in the random oracle model.