Module crrl::frost

FROST implementation.

This follows the v14 draft specification: draft-irtf-cfrg-frost-14

FROST is a threshold Schnorr signature scheme: the group private key is split into individual signer shares. If enough signers collaborate (the threshold is configurable), they can jointly generate a signature on a given message. The individual signers do not have to trust each other: the protocol is resilient to actively malicious signers, who may at worst prevent the generation of a valid signature. Output signatures are “plain” Schnorr signatures, verifiable against the group public key. When the ciphersuite is FROST(Ed25519, SHA-512), the generated signatures can also be successfully verified with a plain Ed25519 verifier (as per RFC 8032); the same applies to FROST(Ed448, SHAKE256) relative to Ed448 verifiers (also as defined in RFC 8032).

Single-signer usage is also supported: message signatures can be generated from the group private key itself. In distributed signature usage, nobody knows the group private key itself once it has been split into individual signer key shares.

Sub-modules are defined for several ciphersuites:

  • ed25519: FROST(Ed25519, SHA-512)
  • ristretto255: FROST(ristretto255, SHA-512)
  • ed448: FROST(Ed448, SHAKE256)
  • p256: FROST(P-256, SHA-256)
  • secp256k1: FROST(secp256k1, SHA-256)

All sub-modules implement the same API, with the following types:

  • GroupPrivateKey: a group private key
  • GroupPublicKey: a group public key
  • SignerPrivateKeyShare: an individual signer’s private key share
  • SignerPublicKey: an individual signer’s public key
  • KeySplitter: tagging structure for the trusted dealer, who splits the group private key into individual key shares
  • VSSElement: an element of the VSS commitment produced by the trusted dealer (the VSS commitment allows individual signers to validate that their private key share was properly generated)
  • Coordinator: the permanent state of a coordinator, who organizes the signature generation and assembles the signature shares (that state consists of the signature threshold and the group public key)
  • Nonce: a per-signature nonce produced by an individual signer
  • Commitment: a per-signature commitment produced by an individual signer
  • SignatureShare: a signature share, produced by an individual signer
  • Signature: a generated FROST signature
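
The share validation that the VSS commitment makes possible, as an added example (not crrl code and not its API): a Feldman-style check in a toy multiplicative group that stands in for the ciphersuite's elliptic-curve group. The parameters `P`, `Q`, `G`, the polynomial coefficients and all function names are constructed for illustration and offer no security.

```rust
// Toy parameters (constructed, NOT secure): order-Q subgroup of Z_P*.
const P: u64 = 2039; // safe prime, P = 2*Q + 1
const Q: u64 = 1019; // prime order of the subgroup generated by G
const G: u64 = 4; // generator of that subgroup

/// Square-and-multiply modular exponentiation (not constant-time).
fn pow_mod(mut b: u64, mut e: u64, m: u64) -> u64 {
    let mut r = 1u64;
    b %= m;
    while e > 0 {
        if e & 1 == 1 { r = r * b % m; }
        b = b * b % m;
        e >>= 1;
    }
    r
}

/// Dealer: share for signer `id` is f(id) mod Q, where coeffs[0] is the
/// group private key and coeffs.len() is the signing threshold.
fn share(coeffs: &[u64], id: u64) -> u64 {
    coeffs.iter().rev().fold(0u64, |acc, &c| (acc * id + c) % Q)
}

/// Dealer: VSS commitment, one group element G^c per coefficient c.
fn vss_commit(coeffs: &[u64]) -> Vec<u64> {
    coeffs.iter().map(|&c| pow_mod(G, c, P)).collect()
}

/// Signer: accept the share only if G^share == prod_k C_k^(id^k).
fn vss_verify(id: u64, share: u64, commitment: &[u64]) -> bool {
    let mut rhs = 1u64;
    let mut id_pow = 1u64; // id^k mod Q
    for &c in commitment {
        rhs = rhs * pow_mod(c, id_pow, P) % P;
        id_pow = id_pow * id % Q;
    }
    pow_mod(G, share, P) == rhs
}

fn main() {
    let coeffs: [u64; 2] = [123, 456]; // constructed: key 123, threshold 2
    let commitment = vss_commit(&coeffs);
    for id in 1u64..=3 {
        let s = share(&coeffs, id);
        println!("signer {}: share {} valid={}", id, s, vss_verify(id, s, &commitment));
    }
    // A share altered in transit fails the check.
    println!("tampered: valid={}", vss_verify(1, 580, &commitment));
}
```

The commitment's first element is `G` raised to the group private key, so in this toy group it plays the role of the group public key.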

All the types that are meant to be either transmitted or stored on a non-volatile medium have encoding and decoding functions. The encoding functions return a fixed-size array of bytes (the size is published as the ENC_LEN constant in the structure), while the decoding functions take a slice of bytes as input and return an Option type.

Sample code using the FROST API is available in frost-sample.rs.

The implementation of all operations involving secret values is constant-time.

Modules