Crate wtfrost

§WTFROST

FROST is a system for making Flexible Round Optimized Schnorr Threshold signatures. It allows a group of N parties, each of whom controls a single key, to make a valid Schnorr signature, as long as T (the threshold) of them complete the protocol honestly. While there are many other threshold signature schemes, FROST has several features which make it particularly useful in a cryptocurrency context.

First, it is optimized for a small number of rounds in the common case where there are no byzantine actors present. Since the protocol allows detection of any bad actors in the system, it makes sense to optimize for the case where there are none. Such byzantine actors can be sanctioned in a way that severely disincentivizes attempts to subvert the protocol.

Second, in contrast to typical multisig protocols, FROST produces a single aggregate signature which is indistinguishable from a standard Schnorr signature. Crucially, this signature can be verified the same way as any Schnorr signature. And since the signature is aggregated, it does not take any more space on chain than any other standard signature, and linearly less than traditional multisig signatures.

§Variants

This crate provides a vanilla implementation of FROST in the v1 module, where each Party controls a single key. v1 also contains code which wraps a number of parties into a single Signer object. This allows FROST to function not only as a threshold scheme, but also a weighted threshold scheme. Each Signer is given a set of key_ids, and acts as all of the wrapped parties in the protocol. So in PoS style systems, where different actors will have power proportional to the size of their stakes, each v1::Signer will be able to vote proportionally to the number of keys it controls.

This crate also contains a version of FROST optimized for the weighted threshold scenario in the v2 module. We call this WTF, or Weighted Threshold FROST. Like vanilla FROST, WTF keeps a single polynomial and nonce for each Party, but allows each Party to control multiple keys. This allows for order-of-magnitude reductions in data size and number of messages for the distributed key generation (DKG) and signing parts of the protocol.
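
The weighted-threshold counting described in this section, as an added sketch that is not code from the wtfrost crate and does not use its API: each key_id gets a Shamir share, and a set of signers succeeds only when the key_ids they hold together number at least T. Assumptions: a toy prime field instead of the secp256k1 scalar field, constructed coefficients and key_ids, and direct reconstruction of the secret purely to make the counting visible (FROST combines signature shares and never reassembles the key).

```rust
// Toy prime field for illustration only; NOT the secp256k1 group order.
const P: u64 = 2_147_483_647; // 2^31 - 1, so products fit in u64

fn mul(a: u64, b: u64) -> u64 { a * b % P }
fn sub(a: u64, b: u64) -> u64 { (a + P - b) % P }

// Modular inverse via Fermat's little theorem: a^(P-2) mod P.
fn inv(a: u64) -> u64 {
    let (mut base, mut exp, mut acc) = (a, P - 2, 1u64);
    while exp > 0 {
        if exp & 1 == 1 { acc = mul(acc, base); }
        base = mul(base, base);
        exp >>= 1;
    }
    acc
}

// Share for one key_id: polynomial at x = key_id (Horner); coeffs[0] is the secret.
fn share(coeffs: &[u64], key_id: u64) -> u64 {
    coeffs.iter().rev().fold(0u64, |acc, &c| (mul(acc, key_id) + c) % P)
}

// Every share held by a set of signers; each signer is a slice of key_ids.
fn shares_of(coeffs: &[u64], signers: &[&[u64]]) -> Vec<(u64, u64)> {
    signers.iter().flat_map(|ids| ids.iter()).map(|&id| (id, share(coeffs, id))).collect()
}

// Lagrange interpolation at x = 0 over the (key_id, share) pairs supplied.
fn interpolate_at_zero(shares: &[(u64, u64)]) -> u64 {
    let mut secret = 0u64;
    for &(xi, yi) in shares {
        let (mut num, mut den) = (1u64, 1u64);
        for &(xj, _) in shares.iter().filter(|s| s.0 != xi) {
            num = mul(num, xj); // (0 - xj) / (xi - xj) == xj / (xj - xi)
            den = mul(den, sub(xj, xi));
        }
        secret = (secret + mul(yi, mul(num, inv(den)))) % P;
    }
    secret
}

fn main() {
    let coeffs: [u64; 4] = [424_242, 17, 99, 5]; // constructed: degree 3, T = 4
    let a: &[u64] = &[1, 2, 3]; // signer A, weight 3
    let b: &[u64] = &[4]; // signer B, weight 1
    let c: &[u64] = &[5]; // signer C, weight 1
    println!("A+B, 4 keys: {}", interpolate_at_zero(&shares_of(&coeffs, &[a, b])));
    println!("B+C, 2 keys: {}", interpolate_at_zero(&shares_of(&coeffs, &[b, c])));
}
```

Signer A alone holds three of the five keys yet still falls one short of T = 4, so the weight that matters is the key count, not the number of signers.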

§p256k1

This crate uses the Bitcoin secp256k1 curve. But since the C libsecp256k1 library only provides high level interfaces for operations used by Bitcoin, it was necessary to directly expose the scalars and curve points to allow arbitrary mathematical operations outside of sign/verify. So we provide a wrapper crate around libsecp256k1 which wraps the internal interfaces to scalars and points. We call this crate p256k1, to denote that it is not only the same curve as secp256k1, but also exposes the curve directly.

§Documentation

§How to download the WTF paper using CLI

  • List recent CI runs and grab the latest run ID
    gh run list -R Trust-Machines/frost
  • Download the wtf.pdf artifact
    gh run download 4246650808 -R Trust-Machines/frost -n wtf.pdf

Modules§

bip340
Functions for doing BIP-340 Schnorr proofs
common
Types which are common to both v1 and v2
compute
Functions to perform various computations needed for v1 and v2
ecdsa
ECDSA operations
errors
Errors which are returned from objects and functions
field
Field elements arithmetic
schnorr
Schnorr utility types
traits
Traits which are used for v1 and v2
util
Utilities for hashing scalars
v1
Version 1 of WTFROST, which encapsulates a number of parties using vanilla FROST
v2
Version 2 of WTFROST, which optimizes the protocol for speed and bandwidth
vss
Shamir secret sharing, used in distributed key generation

Structs§

Point
Point is a wrapper around libsecp256k1’s internal secp256k1_gej struct. It provides a point on the secp256k1 curve in Jacobian coordinates. This allows for extremely fast curve point operations, and avoids expensive conversions from byte buffers.
Scalar
Scalar is a wrapper around libsecp256k1’s internal secp256k1_scalar struct. It provides a scalar modulo the group order. Storing scalars in this format avoids unnecessary conversions from byte buffers, which provides a significant performance enhancement.

Enums§

PointError
Errors in point operations
ScalarError
Errors in scalar operations

Constants§

G
The secp256k1 base point
N
Group order