The second FROST Round Table occurred on September 18, 2024. Almost twenty experts in the field, including members of the ZF Frost team and the secp-zkp FROST team as well as a variety of designers working on libraries, federations, and deployments came together to talk about their experience with FROST.
For an intro to FROST, see the FROST page and “A Layperson’s Intro to Schnorr”.
Media
|
Video:
|
Presentation Slides
ChillDKG:
|
FROST Federation:
|
secp256k1-zkp:
|
Serai DEX:
|
FROST UniFFI SDK:
|
ZF FROST Updates:
|
For more, also see the rough summary or the raw transcript of the event.
Key Quotes
Quotes are drawn from raw transcripts and may not be entirely precise as a result, but convey many of the major themes of the meeting. See the video for more.
Accessibility
Using FROST: “FROST itself is straightforward, right? The algorithm. So the hard part is to use it.”
Dangers
Script Paths: “Unlike MuSig, the FROST group public key is not randomized and that means a malicious party could add an undetectable script path during the DKG.”
DKG Outputs: “It’s better not to output an x-only public key from the DKG because we really don’t want the API callers to think it’s safe to just use that directly on-chain without adding an unspendable script path.”
Signing: “We definitely want to do some negation logic during signing.”
Checking Integrity & Agreement: “An integrity property is not enough. We need an additional property and we call that agreement or to be more precise conditional agreement. … This agreement property is often an overlooked requirement in the in the FROST world.”
Networks: “You always have to trust your network.”
Efficiency
n^2: “I also wanted to share my personal opinions that protocols with N-squared complexity are too expensive to be regularly run.”
Use Cases
Mining Pools: “We want to replace the centralized Bitcoin mining pool operator with the [FROST] Federation of pool operators.”
Channels
Requirements: “It requires you to have, first of all, secure channels between the participants and, secondly and a more difficult problem, a broadcast channel between the participants.”
Distributed Key Generation
Specifications: “The RFC for Frost … does not specify a DKG.”
Public Keys
Distribution: “We’re assuming the public keys are already distributed.”
Secret Shares
Share Updates: “Can we use proactive and dynamic Secret sharing protocols? These are protocols where you can refresh shares, repair shares, add and remove participants, and increase and lower the threshold without changing the underlying secret.”
Univariate Issues with Updates: “Unless there’s a way to convert the FROST shares in the univariate polynomial shares into bivariate shares and then back again, I think we need a different type of VSS.”
Avoiding Sweeps: “Sweep transactions … are expensive and they’re bad for privacy because they link all the UTXOs together.”
Verification: “I regret not offering public verification.”
Key URLs
GitHub & Crates
- FROST Federation
- secp256k1-zkp
- Serai DEX - FROST
- ZF FROST
Specifications
Papers
- Exponent-VRFs and Their Applications (Boneh, Haitner & Lindell)
- Robust eVRF Gist (Parker)
- FROST: Flexible Round-Optimized Schnorr Threshold Signatures (Komlo & Goldberg)
- Practical Schnorr Threshold Signatures without the Algebraic Group Model (Chu, Gerhart, Ruffing & Schröder)
- Requirements for a nested MuSig/FROST scheme Gist (Nick)
- SPRINT: High-Throughput Robust Distributed Schnorr Signatures (Benhamouda, Halevi, Krawczyk, Ma & Rabin)
Blockchain Commons Resources
Sponsors
This meeting was sponsored by the Human Rights Foundation.
