Rust implementations of 'Two-Round Threshold Schnorr Signatures with FROST'.
Unlike signatures in a single-party setting, threshold signatures require cooperation among a threshold number of signers, each holding a share of a common private key. The security of threshold schemes in general assume that an adversary can corrupt strictly fewer than a threshold number of participants.
'Two-Round Threshold Schnorr Signatures with FROST' presents a variant of a Flexible Round-Optimized Schnorr Threshold (FROST) signature scheme originally defined in FROST20. FROST reduces network overhead during threshold signing operations while employing a novel technique to protect against forgery attacks applicable to prior Schnorr-based threshold signature constructions.
Besides FROST itself, this repository also provides:
- Trusted dealer key generation as specified in the appendix of 'Two-Round Threshold Schnorr Signatures with FROST';
- Distributed key generation as specified in the original paper FROST20;
- Repairable Threshold Scheme (RTS) from 'A Survey and Refinement of Repairable Threshold Schemes' which allows a participant to recover a lost share with the help of a threshold of other participants;
- Rerandomized FROST (paper under review).
- Refresh Share functionality using a Trusted Dealer. This can be used to refresh the shares of the participants or to remove a participant.
Refer to the ZF FROST book.
The FROST specification is not yet finalized, though no significant changes are expected at this point. This code base has been partially audited by NCC, see below for details. The APIs and types in the crates contained in this repository follow SemVer guarantees.
NCC performed an audit of the v0.6.0 release (corresponding to commit 5fa17ed) of the following crates:
- frost-core
- frost-ed25519
- frost-ed448
- frost-p256
- frost-secp256k1
- frost-ristretto255
This includes key generation (both trusted dealer and DKG) and FROST signing. This does not include frost-secp256k1-tr and rerandomized FROST.
The parts of the
Ed448-Goldilocks
dependency that are used by frost-ed448
were also in scope, namely the
elliptic curve operations.
All issues identified in the audit were addressed by us and reviewed by NCC.
frost-core
implements the base traits and types in a generic manner, to enable top-level
implementations for different ciphersuites / curves without having to implement all of FROST from
scratch. End-users should not use frost-core
if they want to sign and verify signatures, they
should use the crate specific to their ciphersuite/curve parameters that uses frost-core
as a
dependency.