chains_sdk/threshold/frost/mod.rs
1//! **FROST** — Flexible Round-Optimized Schnorr Threshold Signatures (RFC 9591).
2//!
3//! T-of-N threshold Schnorr signature protocol. Any `t` of `n` participants
4//! can collaboratively produce a valid Schnorr signature without any single
5//! party holding the full secret key.
6//!
7//! Implements the `FROST(secp256k1, SHA-256)` ciphersuite.
8//!
9//! # Protocol Overview
10//!
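11//! 1. **Key Generation**: A trusted dealer splits a group secret into `n` shares
12//! using Shamir secret sharing. Each participant receives a `KeyPackage`. The dealer sees the full group secret during this step and must erase it once the shares are distributed.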
13//!
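14//! 2. **Round 1 — Commitment**: Each participant generates fresh random nonces and
15//! broadcasts commitments: `(D_i, E_i) = (G*d_i, G*e_i)`. A nonce pair is single-use: signing twice with the same pair exposes the participant's secret share.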
16//!
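17//! 3. **Round 2 — Signing**: Each participant computes a partial signature share
18//! `z_i = d_i + ρ_i*e_i + λ_i*s_i*c`, where `ρ_i` is the binding factor, `λ_i` the Lagrange coefficient, `s_i` the participant's secret share and `c` the challenge.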
19//!
20//! 4. **Aggregation**: The coordinator sums all signature shares to produce
21//! a standard Schnorr signature `(R, s)`.
22//!
23//! # Example
24//! ```no_run
25//! use chains_sdk::threshold::frost::{keygen, signing};
26//!
27//! fn main() -> Result<(), Box<dyn std::error::Error>> {
28//! // Dealer generates 2-of-3 key shares (fixed secret for illustration only; use CSPRNG output in real use)
29//! let secret = [0x42u8; 32];
30//! let kgen = keygen::trusted_dealer_keygen(&secret, 2, 3)?;
31//!
32//! // Participants 1 and 3 sign a message
33//! let msg = b"Hello FROST";
34//! let nonce1 = signing::commit(&kgen.key_packages[0])?;
35//! let nonce3 = signing::commit(&kgen.key_packages[2])?;
36//!
37//! let commitments = vec![nonce1.commitments.clone(), nonce3.commitments.clone()];
38//! let share1 = signing::sign(&kgen.key_packages[0], nonce1, &commitments, msg)?;
39//! let share3 = signing::sign(&kgen.key_packages[2], nonce3, &commitments, msg)?;
40//!
41//! let sig = signing::aggregate(&commitments, &[share1, share3], &kgen.group_public_key, msg)?;
42//! assert!(signing::verify(&sig, &kgen.group_public_key, msg)?);
43//! Ok(())
44//! }
45//! ```
46
// Submodules of the FROST implementation.
// NOTE(review): presumably distributed key generation (no trusted dealer) — confirm against the module.
47pub mod dkg;
/// Key generation; exposes `trusted_dealer_keygen`, used in the module example above.
48pub mod keygen;
// NOTE(review): presumably share refresh for existing key packages — confirm against the module.
49pub mod refresh;
/// Signing rounds and aggregation: `commit`, `sign`, `aggregate` and `verify`.
50pub mod signing;