Internet-Draft	FROST	May 2023
Connolly, et al.	Expires 9 November 2023	[Page]

Workgroup:: CFRG
Internet-Draft:: draft-irtf-cfrg-frost-13
Published:: 8 May 2023
Intended Status:: Informational
Expires:: 9 November 2023
Authors:: D. Connolly

Zcash Foundation

C. Komlo

University of Waterloo, Zcash Foundation

I. Goldberg

University of Waterloo

C. A. Wood

Cloudflare

Two-Round Threshold Schnorr Signatures with FROST

Abstract

This document specifies the Flexible Round-Optimized Schnorr Threshold (FROST) signing protocol. FROST signatures can be issued after a threshold number of entities cooperate to compute a signature, allowing for improved distribution of trust and redundancy with respect to a secret key. FROST depends only on a prime-order group and cryptographic hash function. This document specifies a number of ciphersuites to instantiate FROST using different prime-order groups and hash functions. One such ciphersuite can be used to produce signatures that can be verified with an Edwards-Curve Digital Signature Algorithm (EdDSA, as defined in RFC8032) compliant verifier. However, unlike EdDSA, the signatures produced by FROST are not deterministic. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.¶

Discussion Venues

This note is to be removed before publishing as an RFC.¶

Discussion of this document takes place on the Crypto Forum Research Group mailing list (cfrg@ietf.org), which is archived at https://mailarchive.ietf.org/arch/search/?email_list=cfrg.¶

Source for this draft and an issue tracker can be found at https://github.com/cfrg/draft-irtf-cfrg-frost.¶

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶

This Internet-Draft will expire on 9 November 2023.¶

Copyright Notice

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶

▲

1. Introduction

RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH The source for this draft is maintained in GitHub. Suggested changes should be submitted as pull requests at https://github.com/cfrg/draft-irtf-cfrg-frost. Instructions are on that page as well.¶

Unlike signatures in a single-party setting, threshold signatures require cooperation among a threshold number of signing participants each holding a share of a common private key. The security of threshold schemes in general assumes that an adversary can corrupt strictly fewer than a threshold number of signer participants.¶

This document specifies the Flexible Round-Optimized Schnorr Threshold (FROST) signing protocol based on the original work in [FROST20]. FROST reduces network overhead during threshold signing operations while employing a novel technique to protect against forgery attacks applicable to prior Schnorr-based threshold signature constructions. FROST requires two rounds to compute a signature. Single-round signing variants based on [FROST20] are out of scope.¶

FROST depends only on a prime-order group and cryptographic hash function. This document specifies a number of ciphersuites to instantiate FROST using different prime-order groups and hash functions. Two ciphersuites can be used to produce signatures that are compatible with Edwards-Curve Digital Signature Algorithm (EdDSA) variants Ed25519 and Ed448 as specified in [RFC8032], i.e., the signatures can be verified with an [RFC8032] compliant verifier. However, unlike EdDSA, the signatures produced by FROST are not deterministic, since deriving nonces deterministically allows for a complete key-recovery attack in multi-party discrete logarithm-based signatures.¶

Key generation for FROST signing is out of scope for this document. However, for completeness, key generation with a trusted dealer is specified in Appendix D.¶

This document represents the consensus of the Crypto Forum Research Group (CFRG). It is not an IETF product and is not a standard.¶

1.1. Change Log

draft-12¶

Address RGLC feedback (#399, #396, #395, #394, #393, #384, #382, #397, #378, #376, #375, #374, #373, #371, #370, #369, #368, #367, #366, #364, #363, #362, #361, #359, #358, #357, #356, #354, #353, #352, #350, #349, #348, #347, #314)¶
Fix bug in signature share serialization (#397)¶
Fix various editorial issues (#385)¶

draft-11¶

Update version string constant (#307)¶
Make SerializeElement reject the identity element (#306)¶
Make ciphersuite requirements explicit (#302)¶
Fix various editorial issues (#303, #301, #299, #297)¶

draft-10¶

Update version string constant (#296)¶
Fix some editorial issues from Ian Goldberg (#295)¶

draft-09¶

Add single-signer signature generation to complement RFC8032 functions (#293)¶
Address Thomas Pornin review comments from https://mailarchive.ietf.org/arch/msg/crypto-panel/bPyYzwtHlCj00g8YF1tjj-iYP2c/ (#292, #291, #290, #289, #287, #286, #285, #282, #281, #280, #279, #278, #277, #276, #275, #273, #272, #267)¶
Correct Ed448 ciphersuite (#246)¶
Various editorial changes (#241, #240)¶

draft-08¶

Add notation for Scalar multiplication (#237)¶
Add secp2561k1 ciphersuite (#223)¶
Remove RandomScalar implementation details (#231)¶
Add domain separation for message and commitment digests (#228)¶

draft-07¶

Fix bug in per-rho signer computation (#222)¶

draft-06¶

Make verification a per-ciphersuite functionality (#219)¶
Use per-signer values of rho to mitigate protocol malleability (#217)¶
Correct prime-order subgroup checks (#215, #211)¶
Fix bug in ed25519 ciphersuite description (#205)¶
Various editorial improvements (#208, #209, #210, #218)¶

draft-05¶

Update test vectors to include version string (#202, #203)¶
Rename THRESHOLD_LIMIT to MIN_PARTICIPANTS (#192)¶
Use non-contiguous signers for the test vectors (#187)¶
Add more reasoning why the coordinator MUST abort (#183)¶
Add a function to generate nonces (#182)¶
Add MUST that all participants have the same view of VSS commitment (#174)¶
Use THRESHOLD_LIMIT instead of t and MAX_PARTICIPANTS instead of n (#171)¶
Specify what the dealer is trusted to do (#166)¶
Clarify types of NUM_PARTICIPANTS and THRESHOLD_LIMIT (#165)¶
Assert that the network channel used for signing should be authenticated (#163)¶
Remove wire format section (#156)¶
Update group commitment derivation to have a single scalarmul (#150)¶
Use RandomNonzeroScalar for single-party Schnorr example (#148)¶
Fix group notation and clarify member functions (#145)¶
Update existing implementations table (#136)¶
Various editorial improvements (#135, #143, #147, #149, #153, #158, #162, #167, #168, #169, #170, #175, #176, #177, #178, #184, #186, #193, #198, #199)¶

draft-04¶

Added methods to verify VSS commitments and derive group info (#126, #132).¶
Changed check for participants to consider only nonnegative numbers (#133).¶
Changed sampling for secrets and coefficients to allow the zero element (#130).¶
Split test vectors into separate files (#129)¶
Update wire structs to remove commitment shares where not necessary (#128)¶
Add failure checks (#127)¶
Update group info to include each participant's key and clarify how public key material is obtained (#120, #121).¶
Define cofactor checks for verification (#118)¶
Various editorial improvements and add contributors (#124, #123, #119, #116, #113, #109)¶

draft-03¶

Refactor the second round to use state from the first round (#94).¶
Ensure that verification of signature shares from the second round uses commitments from the first round (#94).¶
Clarify RFC8032 interoperability based on PureEdDSA (#86).¶
Specify signature serialization based on element and scalar serialization (#85).¶
Fix hash function domain separation formatting (#83).¶
Make trusted dealer key generation deterministic (#104).¶
Add additional constraints on participant indexes and nonce usage (#105, #103, #98, #97).¶
Apply various editorial improvements.¶

draft-02¶

Fully specify both rounds of FROST, as well as trusted dealer key generation.¶
Add ciphersuites and corresponding test vectors, including suites for RFC8032 compatibility.¶
Refactor document for editorial clarity.¶

draft-01¶

Specify operations, notation and cryptographic dependencies.¶

draft-00¶

Outline CFRG draft based on draft-komlo-frost.¶

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶

The following notation is used throughout the document.¶

byte: A sequence of eight bits.¶
random_bytes(n): Outputs n bytes, sampled uniformly at random using a cryptographically secure pseudorandom number generator (CSPRNG).¶
count(i, L): Outputs the number of times the element i is represented in the list L.¶
len(l): Outputs the length of list l, e.g., len([1,2,3]) = 3.¶
reverse(l): Outputs the list l in reverse order, e.g., reverse([1,2,3]) = [3,2,1].¶
range(a, b): Outputs a list of integers from a to b-1 in ascending order, e.g., range(1, 4) = [1,2,3].¶
pow(a, b): Outputs the result, a Scalar, of a to the power of b, e.g., pow(2, 3) = 8 modulo the relevant group order p.¶
|| denotes concatenation of byte strings, i.e., x || y denotes the byte string x, immediately followed by the byte string y, with no extra separator, yielding xy.¶
nil denotes an empty byte string.¶

Unless otherwise stated, we assume that secrets are sampled uniformly at random using a cryptographically secure pseudorandom number generator (CSPRNG); see [RFC4086] for additional guidance on the generation of random numbers.¶

3. Cryptographic Dependencies

FROST signing depends on the following cryptographic constructs:¶

Prime-order Group, Section 3.1;¶
Cryptographic hash function, Section 3.2;¶

These are described in the following sections.¶

3.1. Prime-Order Group

FROST depends on an abelian group of prime order p. We represent this group as the object G that additionally defines helper functions described below. The group operation for G is addition + with identity element I. For any elements A and B of the group G, A + B = B + A is also a member of G. Also, for any A in G, there exists an element -A such that A + (-A) = (-A) + A = I. For convenience, we use - to denote subtraction, e.g., A - B = A + (-B). Integers, taken modulo the group order p, are called scalars; arithmetic operations on scalars are implicitly performed modulo p. Since p is prime, scalars form a finite field. Scalar multiplication is equivalent to the repeated application of the group operation on an element A with itself r-1 times, denoted as ScalarMult(A, r). We denote the sum, difference, and product of two scalars using the +, -, and * operators, respectively. (Note that this means + may refer to group element addition or scalar addition, depending on the type of the operands.) For any element A, ScalarMult(A, p) = I. We denote B as a fixed generator of the group. Scalar base multiplication is equivalent to the repeated application of the group operation on B with itself r-1 times, this is denoted as ScalarBaseMult(r). The set of scalars corresponds to GF(p), which we refer to as the scalar field. It is assumed that group element addition, negation, and equality comparison can be efficiently computed for arbitrary group elements.¶

This document uses types Element and Scalar to denote elements of the group G and its set of scalars, respectively. We denote Scalar(x) as the conversion of integer input x to the corresponding Scalar value with the same numeric value. For example, Scalar(1) yields a Scalar representing the value 1. Moreover, we use the type NonZeroScalar to denote a Scalar value that is not equal to zero, i.e., Scalar(0). We denote equality comparison of these types as == and assignment of values by =. When comparing Scalar values, e.g., for the purposes of sorting lists of Scalar values, the least nonnegative representation mod p is used.¶

We now detail a number of member functions that can be invoked on G.¶

Order(): Outputs the order of G (i.e., p).¶
Identity(): Outputs the identity Element of the group (i.e., I).¶
RandomScalar(): Outputs a random Scalar element in GF(p), i.e., a random scalar in [0, p - 1].¶
ScalarMult(A, k): Outputs the scalar multiplication between Element A and Scalar k.¶
ScalarBaseMult(k): Outputs the scalar multiplication between Scalar k and the group generator B.¶
SerializeElement(A): Maps an Element A to a canonical byte array buf of fixed length Ne. This function raises an error if A is the identity element of the group.¶
DeserializeElement(buf): Attempts to map a byte array buf to an Element A, and fails if the input is not the valid canonical byte representation of an element of the group. This function raises an error if deserialization fails or if A is the identity element of the group; see Section 6 for group-specific input validation steps.¶
SerializeScalar(s): Maps a Scalar s to a canonical byte array buf of fixed length Ns.¶
DeserializeScalar(buf): Attempts to map a byte array buf to a Scalar s. This function raises an error if deserialization fails; see Section 6 for group-specific input validation steps.¶

3.2. Cryptographic Hash Function

FROST requires the use of a cryptographically secure hash function, generically written as H, which is modeled as a random oracle in security proofs for the protocol (see [FROST20] and [StrongerSec22]). For concrete recommendations on hash functions which SHOULD be used in practice, see Section 6. Using H, we introduce distinct domain-separated hashes, H1, H2, H3, H4, and H5:¶

H1, H2, and H3 map arbitrary byte strings to Scalar elements associated with the prime-order group.¶
H4 and H5 are aliases for H with distinct domain separators.¶

The details of H1, H2, H3, H4, and H5 vary based on ciphersuite. See Section 6 for more details about each.¶

4. Helper Functions

Beyond the core dependencies, the protocol in this document depends on the following helper operations:¶

Nonce generation, Section 4.1;¶
Polynomials, Section 4.2;¶
Encoding operations, Section 4.3;¶
Signature binding computation Section 4.4;¶
Group commitment computation Section 4.5; and¶
Signature challenge computation Section 4.6.¶

The following sections describe these operations in more detail.¶

4.1. Nonce generation

To hedge against a bad RNG that outputs predictable values, nonces are generated with the nonce_generate function by combining fresh randomness with the secret key as input to a domain-separated hash function built from the ciphersuite hash function H. This domain-separated hash function is denoted H3. This function always samples 32 bytes of fresh randomness to ensure that the probability of nonce reuse is at most 2^-128 as long as no more than 2⁶⁴ signatures are computed by a given signing participant.¶

Inputs:
- secret, a Scalar.

Outputs:
- nonce, a Scalar.

def nonce_generate(secret):
  random_bytes = random_bytes(32)
  secret_enc = G.SerializeScalar(secret)
  return H3(random_bytes || secret_enc)

4.2. Polynomials

This section defines polynomials over Scalars that are used in the main protocol. A polynomial of maximum degree t is represented as a list of t+1 coefficients, where the constant term of the polynomial is in the first position and the highest-degree coefficient is in the last position. For example, the polynomial x^2 + 2x + 3 has degree 2 and is represented as a list of 3 coefficients [3, 2, 1]. A point on the polynomial f is a tuple (x, y), where y = f(x).¶

The function derive_interpolating_value derives a value used for polynomial interpolation. It is provided a list of x-coordinates as input, each of which cannot equal 0.¶

Inputs:
- L, the list of x-coordinates, each a NonZeroScalar.
- x_i, an x-coordinate contained in L, a NonZeroScalar.

Outputs:
- value, a Scalar.

Errors:
- "invalid parameters", if 1) x_i is not in L, or if 2) any
  x-coordinate is represented more than once in L.

def derive_interpolating_value(L, x_i):
  if x_i not in L:
    raise "invalid parameters"
  for x_j in L:
    if count(x_j, L) > 1:
      raise "invalid parameters"

  numerator = Scalar(1)
  denominator = Scalar(1)
  for x_j in L:
    if x_j == x_i: continue
    numerator *= x_j
    denominator *= x_j - x_i

  value = numerator / denominator
  return value

4.3. List Operations

This section describes helper functions that work on lists of values produced during the FROST protocol. The following function encodes a list of participant commitments into a byte string for use in the FROST protocol.¶

Inputs:
- commitment_list = [(i, hiding_nonce_commitment_i,
  binding_nonce_commitment_i), ...], a list of commitments issued by
  each participant, where each element in the list indicates a
  NonZeroScalar identifier i and two commitment Element values
  (hiding_nonce_commitment_i, binding_nonce_commitment_i). This list
  MUST be sorted in ascending order by identifier.

Outputs:
- encoded_group_commitment, the serialized representation of
  commitment_list, a byte string.

def encode_group_commitment_list(commitment_list):
  encoded_group_commitment = nil
  for (identifier, hiding_nonce_commitment,
       binding_nonce_commitment) in commitment_list:
    encoded_commitment = (
        G.SerializeScalar(identifier) ||
        G.SerializeElement(hiding_nonce_commitment) ||
        G.SerializeElement(binding_nonce_commitment))
    encoded_group_commitment = (
        encoded_group_commitment ||
        encoded_commitment)
  return encoded_group_commitment

The following function is used to extract identifiers from a commitment list.¶

Inputs:
- commitment_list = [(i, hiding_nonce_commitment_i,
  binding_nonce_commitment_i), ...], a list of commitments issued by
  each participant, where each element in the list indicates a
  NonZeroScalar identifier i and two commitment Element values
  (hiding_nonce_commitment_i, binding_nonce_commitment_i). This list
  MUST be sorted in ascending order by identifier.

Outputs:
- identifiers, a list of NonZeroScalar values.

def participants_from_commitment_list(commitment_list):
  identifiers = []
  for (identifier, _, _) in commitment_list:
    identifiers.append(identifier)
  return identifiers

The following function is used to extract a binding factor from a list of binding factors.¶

Inputs:
- binding_factor_list = [(i, binding_factor), ...],
  a list of binding factors for each participant, where each element
  in the list indicates a NonZeroScalar identifier i and Scalar
  binding factor.
- identifier, participant identifier, a NonZeroScalar.

Outputs:
- binding_factor, a Scalar.

Errors:
- "invalid participant", when the designated participant is
  not known.

def binding_factor_for_participant(binding_factor_list, identifier):
  for (i, binding_factor) in binding_factor_list:
    if identifier == i:
      return binding_factor
  raise "invalid participant"

4.4. Binding Factors Computation

This section describes the subroutine for computing binding factors based on the participant commitment list and message to be signed.¶

Inputs:
- commitment_list = [(i, hiding_nonce_commitment_i,
  binding_nonce_commitment_i), ...], a list of commitments issued by
  each participant, where each element in the list indicates a
  NonZeroScalar identifier i and two commitment Element values
  (hiding_nonce_commitment_i, binding_nonce_commitment_i). This list
  MUST be sorted in ascending order by identifier.
- msg, the message to be signed.

Outputs:
- binding_factor_list, a list of (NonZeroScalar, Scalar) tuples
  representing the binding factors.

def compute_binding_factors(commitment_list, msg):
  msg_hash = H4(msg)
  encoded_commitment_hash =
      H5(encode_group_commitment_list(commitment_list))
  rho_input_prefix = msg_hash || encoded_commitment_hash

  binding_factor_list = []
  for (identifier, hiding_nonce_commitment,
       binding_nonce_commitment) in commitment_list:
    rho_input = rho_input_prefix || G.SerializeScalar(identifier)
    binding_factor = H1(rho_input)
    binding_factor_list.append((identifier, binding_factor))
  return binding_factor_list

4.5. Group Commitment Computation

This section describes the subroutine for creating the group commitment from a commitment list.¶

Inputs:
- commitment_list = [(i, hiding_nonce_commitment_i,
  binding_nonce_commitment_i), ...], a list of commitments issued by
  each participant, where each element in the list indicates a
  NonZeroScalar identifier i and two commitment Element values
  (hiding_nonce_commitment_i, binding_nonce_commitment_i). This list
  MUST be sorted in ascending order by identifier.
- binding_factor_list = [(i, binding_factor), ...],
  a list of (NonZeroScalar, Scalar) tuples representing the binding
  factor Scalar for the given identifier.

Outputs:
- group_commitment, an Element.

def compute_group_commitment(commitment_list, binding_factor_list):
  group_commitment = G.Identity()
  for (identifier, hiding_nonce_commitment,
       binding_nonce_commitment) in commitment_list:
    binding_factor = binding_factor_for_participant(
        binding_factor_list, identifier)
    binding_nonce = G.ScalarMult(
        binding_nonce_commitment,
        binding_factor)
    group_commitment = (
        group_commitment +
        hiding_nonce_commitment +
        binding_nonce)
  return group_commitment

4.6. Signature Challenge Computation

This section describes the subroutine for creating the per-message challenge.¶

Inputs:
- group_commitment, the group commitment, an Element.
- group_public_key, the public key corresponding to the group signing
  key, an Element.
- msg, the message to be signed, a byte string.

Outputs:
- challenge, a Scalar.

def compute_challenge(group_commitment, group_public_key, msg):
  group_comm_enc = G.SerializeElement(group_commitment)
  group_public_key_enc = G.SerializeElement(group_public_key)
  challenge_input = group_comm_enc || group_public_key_enc || msg
  challenge = H2(challenge_input)
  return challenge

5. Two-Round FROST Signing Protocol

This section describes the two-round FROST signing protocol for producing Schnorr signatures. The protocol is configured to run with a selection of NUM_PARTICIPANTS signer participants and a Coordinator. NUM_PARTICIPANTS is a positive integer at least MIN_PARTICIPANTS but no larger than MAX_PARTICIPANTS, where MIN_PARTICIPANTS <= MAX_PARTICIPANTS, MIN_PARTICIPANTS is a positive non-zero integer and MAX_PARTICIPANTS is a positive integer less than the group order. A signer participant, or simply participant, is an entity that is trusted to hold and use a signing key share. The Coordinator is an entity with the following responsibilities:¶

Determining which participants will participate (at least MIN_PARTICIPANTS in number);¶
Coordinating rounds (receiving and forwarding inputs among participants); and¶
Aggregating signature shares output by each participant, and publishing the resulting signature.¶

FROST assumes that the Coordinator and the set of signer participants are chosen externally to the protocol. Note that it is possible to deploy the protocol without a distinguished Coordinator; see Section 7.5 for more information.¶

FROST produces signatures that can be verified as if they were produced from a single signer using a signing key s with corresponding public key PK, where s is a Scalar value and PK = G.ScalarBaseMult(s). As a threshold signing protocol, the group signing key s is Shamir secret-shared amongst each of the MAX_PARTICIPANTS participants and used to produce signatures; see Appendix D.1 for more information about Shamir secret sharing. In particular, FROST assumes each participant is configured with the following information:¶

An identifier, which is a NonZeroScalar value denoted i in the range [1, MAX_PARTICIPANTS] and MUST be distinct from the identifier of every other participant.¶
A signing key sk_i, which is a Scalar value representing the i-th Shamir secret share of the group signing key s. In particular, sk_i is the value f(i) on a secret polynomial f of degree (MIN_PARTICIPANTS - 1), where s is f(0). The public key corresponding to this signing key share is PK_i = G.ScalarBaseMult(sk_i).¶

The Coordinator and each participant are additionally configured with common group information, denoted "group info," which consists of the following:¶

Group public key, which is an Element in G denoted PK.¶
Public keys PK_i for each participant, which are Element values in G denoted PK_i for each i in [1, MAX_PARTICIPANTS].¶

This document does not specify how this information, including the signing key shares, are configured and distributed to participants. In general, two possible configuration mechanisms are possible: one that requires a single, trusted dealer, and the other which requires performing a distributed key generation protocol. We highlight key generation mechanism by a trusted dealer in Appendix D for reference.¶

FROST requires two rounds to complete. In the first round, participants generate and publish one-time-use commitments to be used in the second round. In the second round, each participant produces a share of the signature over the Coordinator-chosen message and the other participant commitments. After the second round completes, the Coordinator aggregates the signature shares to produce a final signature. The Coordinator SHOULD abort if the signature is invalid; see Section 5.4 for more information about dealing with invalid signatures and misbehaving participants. This complete interaction, without abort, is shown in Figure 1.¶

        (group info)            (group info,     (group info,
            |               signing key share)   signing key share)
            |                         |                |
            v                         v                v
        Coordinator               Signer-1   ...   Signer-n
    ------------------------------------------------------------
   message
------------>
            |
      == Round 1 (Commitment) ==
            | participant commitment |                 |
            |<-----------------------+                 |
            |          ...                             |
            | participant commitment            (commit state) ==\
            |<-----------------------------------------+         |
                                                                 |
      == Round 2 (Signature Share Generation) ==                 |
            |                                                    |
            |   participant input    |                 |         |
            +------------------------>                 |         |
            |     signature share    |                 |         |
            |<-----------------------+                 |         |
            |          ...                             |         |
            |    participant input                     |         |
            +------------------------------------------>         /
            |     signature share                      |<=======/
            <------------------------------------------+
            |
      == Aggregation ==
            |
  signature |
<-----------+

Figure 1: FROST protocol overview

Details for round one are described in Section 5.1, and details for round two are described in Section 5.2. Note that each participant persists some state between the two rounds, and this state is deleted as described in Section 5.2. The final Aggregation step is described in Section 5.3.¶

FROST assumes that all inputs to each round, especially those of which are received over the network, are validated before use. In particular, this means that any value of type Element or Scalar is deserialized using DeserializeElement and DeserializeScalar, respectively, as these functions perform the necessary input validation steps, and that all messages sent over the wire are encoded appropriately, e.g., that Scalars and Elements are encoded using their respective functions.¶

FROST assumes reliable message delivery between the Coordinator and participants in order for the protocol to complete. An attacker masquerading as another participant will result only in an invalid signature; see Section 7. However, in order to identify misbehaving participants, we assume that the network channel is additionally authenticated; confidentiality is not required.¶

5.1. Round One - Commitment

Round one involves each participant generating nonces and their corresponding public commitments. A nonce is a pair of Scalar values, and a commitment is a pair of Element values. Each participant's behavior in this round is described by the commit function below. Note that this function invokes nonce_generate twice, once for each type of nonce produced. The output of this function is a pair of secret nonces (hiding_nonce, binding_nonce) and their corresponding public commitments (hiding_nonce_commitment, binding_nonce_commitment).¶

Inputs:
- sk_i, the secret key share, a Scalar.

Outputs:
- (nonce, comm), a tuple of nonce and nonce commitment pairs,
  where each value in the nonce pair is a Scalar and each value in
  the nonce commitment pair is an Element.

def commit(sk_i):
  hiding_nonce = nonce_generate(sk_i)
  binding_nonce = nonce_generate(sk_i)
  hiding_nonce_commitment = G.ScalarBaseMult(hiding_nonce)
  binding_nonce_commitment = G.ScalarBaseMult(binding_nonce)
  nonces = (hiding_nonce, binding_nonce)
  comms = (hiding_nonce_commitment, binding_nonce_commitment)
  return (nonces, comms)

The outputs nonce and comm from participant P_i should both be stored locally and kept for use in the second round. The nonce value is secret and MUST NOT be shared, whereas the public output comm is sent to the Coordinator. The nonce values produced by this function MUST NOT be used in more than one invocation of sign, and the nonces MUST be generated from a source of secure randomness.¶

In round two, the Coordinator is responsible for sending the message to be signed, and for choosing which participants will participate (of number at least MIN_PARTICIPANTS). Signers additionally require locally held data; specifically, their private key and the nonces corresponding to their commitment issued in round one.¶

The Coordinator begins by sending each participant the message to be signed along with the set of signing commitments for all participants in the participant list. Each participant MUST validate the inputs before processing the Coordinator's request. In particular, the Signer MUST validate commitment_list, deserializing each group Element in the list using DeserializeElement from Section 3.1. If deserialization fails, the Signer MUST abort the protocol. Moreover, each participant MUST ensure that its identifier and commitments (from the first round) appear in commitment_list. Applications which require that participants not process arbitrary input messages are also required to perform relevant application-layer input validation checks; see Section 7.7 for more details.¶

Upon receipt and successful input validation, each Signer then runs the following procedure to produce its own signature share.¶

Inputs:
- identifier, identifier i of the participant, a NonZeroScalar.
- sk_i, Signer secret key share, a Scalar.
- group_public_key, public key corresponding to the group signing
  key, an Element.
- nonce_i, pair of Scalar values (hiding_nonce, binding_nonce)
  generated in round one.
- msg, the message to be signed, a byte string.
- commitment_list = [(i, hiding_nonce_commitment_i,
  binding_nonce_commitment_i), ...], a list of commitments issued by
  each participant, where each element in the list indicates a
  NonZeroScalar identifier i and two commitment Element values
  (hiding_nonce_commitment_i, binding_nonce_commitment_i). This list
  MUST be sorted in ascending order by identifier.


Outputs:
- sig_share, a signature share, a Scalar.

def sign(identifier, sk_i, group_public_key,
         nonce_i, msg, commitment_list):
  # Compute the binding factor(s)
  binding_factor_list = compute_binding_factors(commitment_list, msg)
  binding_factor = binding_factor_for_participant(
      binding_factor_list, identifier)

  # Compute the group commitment
  group_commitment = compute_group_commitment(
      commitment_list, binding_factor_list)

  # Compute the interpolating value
  participant_list = participants_from_commitment_list(
      commitment_list)
  lambda_i = derive_interpolating_value(participant_list, identifier)

  # Compute the per-message challenge
  challenge = compute_challenge(
      group_commitment, group_public_key, msg)

  # Compute the signature share
  (hiding_nonce, binding_nonce) = nonce_i
  sig_share = hiding_nonce + (binding_nonce * binding_factor) +
      (lambda_i * sk_i * challenge)

  return sig_share

The output of this procedure is a signature share. Each participant then sends these shares back to the Coordinator. Each participant MUST delete the nonce and corresponding commitment after completing sign, and MUST NOT use the nonce as input more than once to sign.¶

Note that the lambda_i value derived during this procedure does not change across FROST signing operations for the same signing group. As such, participants can compute it once and store it for reuse across signing sessions.¶

After participants perform round two and send their signature shares to the Coordinator, the Coordinator aggregates each share to produce a final signature. Before aggregating, the Coordinator MUST validate each signature share using DeserializeScalar. If validation fails, the Coordinator MUST abort the protocol as the resulting signature will be invalid. If all signature shares are valid, the Coordinator then aggregates them to produce the final signature using the following procedure.¶

Inputs:
- commitment_list = [(i, hiding_nonce_commitment_i,
  binding_nonce_commitment_i), ...], a list of commitments issued by
  each participant, where each element in the list indicates a
  NonZeroScalar identifier i and two commitment Element values
  (hiding_nonce_commitment_i, binding_nonce_commitment_i). This list
  MUST be sorted in ascending order by identifier.
- msg, the message to be signed, a byte string.
- sig_shares, a set of signature shares z_i, Scalar values, for each
  participant, of length NUM_PARTICIPANTS, where
  MIN_PARTICIPANTS <= NUM_PARTICIPANTS <= MAX_PARTICIPANTS.

Outputs:
- (R, z), a Schnorr signature consisting of an Element R and
  Scalar z.

def aggregate(commitment_list, msg, sig_shares):
  # Compute the binding factors
  binding_factor_list = compute_binding_factors(commitment_list, msg)

  # Compute the group commitment
  group_commitment = compute_group_commitment(
      commitment_list, binding_factor_list)

  # Compute aggregated signature
  z = Scalar(0)
  for z_i in sig_shares:
    z = z + z_i
  return (group_commitment, z)

The output from the aggregation step is the output signature (R, z). The canonical encoding of this signature is specified in Section 6.¶

The Coordinator SHOULD verify this signature using the group public key before publishing or releasing the signature. Signature verification is as specified for the corresponding ciphersuite; see Section 6 for details. The aggregate signature will verify successfully if all signature shares are valid. Moreover, subsets of valid signature shares will themselves not yield a valid aggregate signature.¶

If the aggregate signature verification fails, the Coordinator can verify each signature share individually to identify and act on misbehaving participants. The mechanism for acting on a misbehaving participant is out of scope for this specification; see Section 5.4 for more information about dealing with invalid signatures and misbehaving participants.¶

The function for verifying a signature share, denoted verify_signature_share, is described below. Recall that the Coordinator is configured with "group info" which contains the group public key PK and public keys PK_i for each participant, so the group_public_key and PK_i function arguments should come from that previously stored group info.¶

Inputs:
- identifier, identifier i of the participant, a NonZeroScalar.
- PK_i, the public key for the i-th participant, where
  PK_i = G.ScalarBaseMult(sk_i), an Element.
- comm_i, pair of Element values in G
  (hiding_nonce_commitment, binding_nonce_commitment) generated in
  round one from the i-th participant.
- sig_share_i, a Scalar value indicating the signature share as
  produced in round two from the i-th participant.
- commitment_list = [(i, hiding_nonce_commitment_i,
  binding_nonce_commitment_i), ...], a list of commitments issued by
  each participant, where each element in the list indicates a
  NonZeroScalar identifier i and two commitment Element values
  (hiding_nonce_commitment_i, binding_nonce_commitment_i). This list
  MUST be sorted in ascending order by identifier.
- group_public_key, public key corresponding to the group signing
  key, an Element.
- msg, the message to be signed, a byte string.

Outputs:
- True if the signature share is valid, and False otherwise.

def verify_signature_share(
        identifier, PK_i, comm_i, sig_share_i, commitment_list,
        group_public_key, msg):
  # Compute the binding factors
  binding_factor_list = compute_binding_factors(commitment_list, msg)
  binding_factor = binding_factor_for_participant(
      binding_factor_list, identifier)

  # Compute the group commitment
  group_commitment = compute_group_commitment(
      commitment_list, binding_factor_list)

  # Compute the commitment share
  (hiding_nonce_commitment, binding_nonce_commitment) = comm_i
  comm_share = hiding_nonce_commitment + G.ScalarMult(
      binding_nonce_commitment, binding_factor)

  # Compute the challenge
  challenge = compute_challenge(
      group_commitment, group_public_key, msg)

  # Compute the interpolating value
  participant_list = participants_from_commitment_list(
      commitment_list)
  lambda_i = derive_interpolating_value(x_list, identifier)

  # Compute relation values
  l = G.ScalarBaseMult(sig_share_i)
  r = comm_share + G.ScalarMult(PK_i, challenge * lambda_i)

  return l == r

The Coordinator can verify each signature share before first aggregating and verifying the signature under the group public key. However, since the aggregate signature is valid if all signature shares are valid, this order of operations is more expensive if the signature is valid.¶

5.4. Identifiable Abort

FROST does not provide robustness; i.e, all participants are required to complete the protocol honestly in order to generate a valid signature. When the signing protocol does not produce a valid signature, the Coordinator SHOULD abort; see Section 7 for more information about FROST's security properties and the threat model.¶

As a result of this property, a misbehaving participant can cause a denial-of-service on the signing protocol by contributing malformed signature shares or refusing to participate. Identifying misbehaving participants that produce invalid shares can be done by checking signature shares from each participant using verify_signature_share as described in Section 5.3. FROST assumes the network channel is authenticated to identify which signer misbehaved. FROST allows for identifying misbehaving participants that produce invalid signature shares as described in Section 5.3. FROST does not provide accommodations for identifying participants that refuse to participate, though applications are assumed to detect when participants fail to engage in the signing protocol.¶

In both cases, preventing this type of attack requires the Coordinator to identify misbehaving participants such that applications can take corrective action. The mechanism for acting on misbehaving participants is out of scope for this specification. However, one reasonable approach would be to remove the misbehaving participant from the set of allowed participants in future runs of FROST.¶

6. Ciphersuites

A FROST ciphersuite must specify the underlying prime-order group details and cryptographic hash function. Each ciphersuite is denoted as (Group, Hash), e.g., (ristretto255, SHA-512). This section contains some ciphersuites. Each ciphersuite also includes a context string, denoted contextString, which is an ASCII string literal (with no NULL terminating character).¶

The RECOMMENDED ciphersuite is (ristretto255, SHA-512) as described in Section 6.2. The (Ed25519, SHA-512) and (Ed448, SHAKE256) ciphersuites are included for compatibility with Ed25519 and Ed448 as defined in [RFC8032].¶

The DeserializeElement and DeserializeScalar functions instantiated for a particular prime-order group corresponding to a ciphersuite MUST adhere to the description in Section 3.1. Validation steps for these functions are described for each of the ciphersuites below. Future ciphersuites MUST describe how input validation is done for DeserializeElement and DeserializeScalar.¶

Each ciphersuite includes explicit instructions for verifying signatures produced by FROST. Note that these instructions are equivalent to those produced by a single participant.¶

Each ciphersuite adheres to the requirements in Section 6.6. Future ciphersuites MUST also adhere to these requirements.¶

6.1. FROST(Ed25519, SHA-512)

This ciphersuite uses edwards25519 for the Group and SHA-512 for the Hash function H meant to produce Ed25519-compliant signatures as specified in Section 5.1 of [RFC8032]. The value of the contextString parameter is "FROST-ED25519-SHA512-v11".¶

Group: edwards25519 [RFC8032], where Ne = 32 and Ns = 32.¶
- Order(): Return 2^252 + 27742317777372353535851937790883648493 (see [RFC7748]).¶
- Identity(): As defined in [RFC7748].¶
- RandomScalar(): Implemented by returning a uniformly random Scalar in the range [0, G.Order() - 1]. Refer to Appendix E for implementation guidance.¶
- SerializeElement(A): Implemented as specified in [RFC8032], Section 5.1.2. Additionally, this function validates that the input element is not the group identity element.¶
- DeserializeElement(buf): Implemented as specified in [RFC8032], Section 5.1.3. Additionally, this function validates that the resulting element is not the group identity element and is in the prime-order subgroup. If any of these checks fail, deserialization returns an error. The latter check can be implemented by multiplying the resulting point by the order of the group and checking that the result is the identity element. Note that optimizations for this check exist; see [Pornin22].¶
- SerializeScalar(s): Implemented by outputting the little-endian 32-byte encoding of the Scalar value with the top three bits set to zero.¶
- DeserializeScalar(buf): Implemented by attempting to deserialize a Scalar from a little-endian 32-byte string. This function can fail if the input does not represent a Scalar in the range [0, G.Order() - 1]. Note that this means the top three bits of the input MUST be zero.¶
Hash (H): SHA-512, which has 64 bytes of output¶
- H1(m): Implemented by computing H(contextString || "rho" || m), interpreting the 64-byte digest as a little-endian integer, and reducing the resulting integer modulo 2^252+27742317777372353535851937790883648493.¶
- H2(m): Implemented by computing H(m), interpreting the 64-byte digest as a little-endian integer, and reducing the resulting integer modulo 2^252+27742317777372353535851937790883648493.¶
- H3(m): Implemented by computing H(contextString || "nonce" || m), interpreting the 64-byte digest as a little-endian integer, and reducing the resulting integer modulo 2^252+27742317777372353535851937790883648493.¶
- H4(m): Implemented by computing H(contextString || "msg" || m).¶
- H5(m): Implemented by computing H(contextString || "com" || m).¶

Normally H2 would also include a domain separator, but for compatibility with [RFC8032], it is omitted.¶

Signature verification is as specified in Section 5.1.7 of [RFC8032] with the constraint that implementations MUST check the group equation [8][z]B = [8]R + [8][c]PK (changed to use the notation in this document).¶