Overview

Latest News: Published report of late 2024 Developers Meeting (12/11/24). Published report of 2024 FROST Implementers Meeting, including slide decks, key quotes, key URLs, rough transcript, and rough summary (9/24/24). Sign up to our Gordian Developers mailing list or Signal channel to receive invitations for future meetings.

FROST (Flexible Round-Optimized Schnorr Threshold Signatures) is a threshold signature scheme built on Schnorr signatures that allows for “T of N” signers, each of whom hold a share of a private key, to produce a valid signature for that private key. Because of its foundation in Schnorr, it has several interesting characteristics, such as signature aggregation, where a set of signatures look exactly the same as a single signature. Beyond that, FROST improves on the fundamentals of Schnorr through improved network efficiency and protection against forgery attacks.

Upcoming Events

We are already considering agendas for 2025 FROST meetings. Sign up to our Gordian Developers mailing list or Signal channel to receive notification.

Why is FROST Important?

Using a Schnorr-enabled signature scheme allows for many advantages including compactness and faster verification as well as the use of signature aggregation, adapter signatures, blind signatures, and threshold signatures. Each of these elements adds vital tools to the toolkit of a signature designer.

Some of the biggest benefits come from the threshold signatures at the heart of FROST, which improve the resilience of digital assets. Traditionally, multisigs or Shamir’s Secret Sharing were used to create this type of resilience, but they each had limitations. Multisigs could become quite large as more signatures were added, while Shamir’s Secret Sharing created vulnerabilities on reconstruction (and also had a history of problematic implementations). FROST resolves size issues with its aggregate signatures (which are always the same size), while the Distributed Key Generation (DKG) methodology creates keys that are never in one place!

How is FROST Better than Extant Technologies?

  • Advantages over Bitcoin Multisigs.
    • Better privacy: on-chain footprint is always a single key and a single signature, regardless of configuration
    • Lower fees: redeem scripts are much smaller than script-based multisig
    • Off-chain resharing: repair, refresh, enroll, disenroll, and modify the threshold without moving funds, incurring fees, or exposing private information
  • Advantages over Shamir Secret Sharing.
    • No trusted dealer
    • No secret reconstruction

How Does FROST Work?

FROST is fully described in a paper by Chelsea Komlo and Ian Goldberg. Some of the fundamental elements of FROST are:

Schnorr Signatures. A signature scheme based on finite fields rather than prime numbers. Besides being very elegant, Schnorr signatures have numerous other advantages, as discussed in “Musings of a Trust Architect: A Layperson’s Intro to Schnorr”.

Signature Aggregation. One of the advantages of Schnorr signatures it that they can easily be added to or subtracted from each other as part of their finite field operations, creating signature aggregation where all signatures are the same size, no matter how many signatures they contain.

Distributed Key Generation (DKG). One of the core features of FROST is Distributed Key Generation: rather than a key being created, then broken apart to allow for threshold signing with the shares, the shares are instead each created individually. This means that the full key never exists in a single place.

Trusted Dealer Generation. This is the traditional methodology for generating shares, where a key is created then broken apart by a “trusted dealer”. Some FROST implementations such as ZF FROST also support this methodology, creating a bridge between traditional use of Shamir’s Secret Sharing and the use of DKG in FROST.

Verifiable Secret Sharing (VSS). A methodology for verifying the existence of shares without reconstruting a secret. FROST uses a VSS protocol invented by Paul Feldmann.

Emerging Features. At our first FROST Meeting for Developers & Implementers, Jesse Posner talked about some of the emerging features of FROST. This included being able to proactively refresh or repair secret shares or even change the threshold up or down, all without changing the underlying secret. This is the sort of content that we hope to share at future Implementer Round Tables, to ensure that all FROST implementers have the opportunity to use FROST to its fullest capability.

Events

The Blockchain Commons FROST events bring together principals in the space to advance the technology. Each event is fully documented with videos, slidedecks, summaries, and key quotes.

Implementers RT 1 (2023): Our first Round Table allowed implementers to discuss a variety of issues related to FROST. Implementers RT 2 (2024): Our second Round Table includes presentations from six FROST implementers on their projects.
Developers Meeting 1 (2024): Jesse Posner & Christopher Allen overviewed FROST in our first meeting for wallet developers. Developers Meeting 2 (2024): An introduction, UX challenges, the UNiFFI SDK, and a FROST Federation were at our second meeting for wallet developers.

Videos

FROST/Gordian Overview:
FROST Round Table 1:
FROST Developers 1:
FROST Round Table 2:
FROST Developers 2:

Sponsors

Blockchain Commons’ 2024 work on FROST has been sponsored by the Human Rights Foundation.

Intro:

Developer Resources:

Developer Reference Libraries:


Snowflake icons courtesy of free design file.