FROST implementation.
This follows the v14 draft specification: draft-irtf-cfrg-frost-14
FROST is a threshold Schnorr signature scheme: the group private key is split into individual signer shares. If enough signers (with a configurable threshold) collaborate, then they can jointly generate a signature on a given message. The individual signers do not have to trust each other (the protocol is resilient to actively malicious signers, who may at worst prevent the generation of a valid signature). Output signatures are “plain” Schnorr signatures, verifiable against the group public key. When the ciphersuite is FROST(Ed25519, SHA-512), the generated signatures can also be successfully verified with a plain Ed25519 verifier (as per RFC 8032); the same applies to FROST(Ed448, SHAKE256) with respect to Ed448 verifiers (also as defined in RFC 8032).
Single-signer usage is also supported: message signatures can be generated from the group private key itself. In distributed signature usage, nobody knows the group private key itself once it has been split into individual signer key shares.
Sub-modules are defined for several ciphersuites:
- ed25519: FROST(Ed25519, SHA-512)
- ristretto255: FROST(ristretto255, SHA-512)
- ed448: FROST(Ed448, SHAKE256)
- p256: FROST(P-256, SHA-256)
- secp256k1: FROST(secp256k1, SHA-256)
All sub-modules implement the same API, with the following types:
- GroupPrivateKey: a group private key
- GroupPublicKey: a group public key
- SignerPrivateKeyShare: an individual signer’s private key share
- SignerPublicKey: an individual signer’s public key
- KeySplitter: tagging structure for the trusted dealer, who splits the group private key into individual key shares
- VSSElement: an element of the VSS commitment produced by the trusted dealer (the VSS commitment allows individual signers to validate that their private key share was properly generated)
- Coordinator: the permanent state of a coordinator, who organizes the signature generation and assembles the signature shares (that state consists of the signature threshold and the group public key)
- Nonce: a per-signature nonce produced by an individual signer
- Commitment: a per-signature commitment produced by an individual signer
- SignatureShare: a signature share, produced by an individual signer
- Signature: a generated FROST signature
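How a VSS commitment lets a signer validate its private key share, shown as an added example that is not this crate's API or code: the dealer commits to each coefficient of the sharing polynomial, and signer i checks G^share against the product of the commitment elements raised to powers of i. The group (P, Q, G), the coefficient values and every function name below are assumptions made up for the illustration; a real ciphersuite uses an elliptic-curve group and constant-time arithmetic.

```rust
// Toy parameters (constructed, NOT secure, not constant-time): subgroup of
// prime order Q in Z_P^*, with P = 2Q + 1 and generator G = 4.
const P: u64 = 2039;
const Q: u64 = 1019;
const G: u64 = 4;

fn pow_mod(mut b: u64, mut e: u64, m: u64) -> u64 {
    let mut r: u64 = 1;
    b %= m;
    while e > 0 {
        if e & 1 == 1 { r = r * b % m; }
        b = b * b % m;
        e >>= 1;
    }
    r
}

/// Dealer: evaluate f(x) = coeffs[0] + coeffs[1]*x + ... mod Q (Horner).
/// coeffs[0] is the group private key; signer i (i >= 1) receives f(i).
fn share_for(coeffs: &[u64], i: u64) -> u64 {
    coeffs.iter().rev().fold(0u64, |acc, &c| (acc * i + c) % Q)
}

/// Dealer: VSS commitment, one element G^a_j per polynomial coefficient.
/// Element 0 is G^(group private key), i.e. the group public key.
fn vss_commit(coeffs: &[u64]) -> Vec<u64> {
    coeffs.iter().map(|&c| pow_mod(G, c, P)).collect()
}

/// Signer i: accept the share only if G^share == prod_j C_j^(i^j).
/// The check uses public values only; no coefficient is revealed.
fn verify_share(i: u64, share: u64, commitment: &[u64]) -> bool {
    let mut rhs: u64 = 1;
    let mut i_pow: u64 = 1; // i^j mod Q
    for &c in commitment {
        rhs = rhs * pow_mod(c, i_pow, P) % P;
        i_pow = i_pow * i % Q;
    }
    pow_mod(G, share, P) == rhs
}

fn main() {
    let coeffs: [u64; 2] = [777, 123]; // constructed; threshold 2 => degree 1
    let commitment = vss_commit(&coeffs);
    for i in 1..=3u64 {
        let s = share_for(&coeffs, i);
        println!("signer {}: share valid = {}", i, verify_share(i, s, &commitment));
    }
}
```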
All the types that are meant to be either transmitted or stored on a non-volatile medium have encoding and decoding functions; the encoding functions return a fixed-size array of bytes (the size is published as the ENC_LEN constant in the structure) while the decoding function takes as input a slice of bytes and returns an Option type.
Sample code using the FROST API is available in frost-sample.rs.
The implementation of all operations involving secret values is constant-time.
Modules
- ed448: FROST(Ed448, SHAKE256)
- ed25519: FROST(Ed25519, SHA-512)
- p256: FROST(P-256, SHA-256)
- ristretto255: FROST(ristretto255, SHA-512)
- secp256k1: FROST(secp256k1, SHA-256)