The ZF FROST Book
This is a guide-level reference for the ZF FROST library.
ZF FROST (Flexible Round-Optimised Schnorr Threshold signatures)
Rust implementations of 'RFC 9591: Two-Round Threshold Schnorr Signatures with FROST'.
Unlike signatures in a single-party setting, threshold signatures require cooperation among a threshold number of signers, each holding a share of a common private key. The security of threshold schemes in general assumes that an adversary can corrupt strictly fewer than a threshold number of participants.
'Two-Round Threshold Schnorr Signatures with FROST' presents a variant of a Flexible Round-Optimized Schnorr Threshold (FROST) signature scheme originally defined in FROST20. FROST reduces network overhead during threshold signing operations while employing a novel technique to protect against forgery attacks applicable to prior Schnorr-based threshold signature constructions.
Besides FROST itself, this repository also provides:
- Trusted dealer key generation as specified in the appendix of 'Two-Round Threshold Schnorr Signatures with FROST';
- Distributed key generation as specified in the original paper FROST20;
- Repairable Threshold Scheme (RTS) from 'A Survey and Refinement of Repairable Threshold Schemes' which allows a participant to recover a lost share with the help of a threshold of other participants;
- Re-Randomized FROST;
- Refresh Share functionality using a Trusted Dealer or Distributed Key Generation. This can be used to refresh the shares of the participants or to remove a participant.
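The threshold property described above, and the trusted dealer key generation listed here, rest on Shamir secret sharing. The following is an added illustration, not code from the ZF FROST crates: it assumes a toy prime field, fixed polynomial coefficients and hypothetical function names (`deal`, `interpolate`, `share_consistent_with`) to show that any 3 of 5 shares recover the secret, while 2 shares are consistent with every possible secret.

```rust
// Toy field (assumption of this example): integers mod the prime 2^61 - 1, not a FROST ciphersuite.
const P: u128 = (1u128 << 61) - 1;

/// Modular inverse via Fermat's little theorem: a^(P-2) mod P.
fn inv(a: u128) -> u128 {
    let (mut base, mut exp, mut acc) = (a % P, P - 2, 1u128);
    while exp > 0 {
        if exp & 1 == 1 { acc = acc * base % P; }
        base = base * base % P;
        exp >>= 1;
    }
    acc
}

/// Dealer: f(x) = secret + c1*x + ... + c_{t-1}*x^(t-1); share i is (i, f(i)).
/// `coeffs` are fixed for reproducibility here; a real dealer samples them from a CSPRNG.
fn deal(secret: u128, coeffs: &[u128], n: u128) -> Vec<(u128, u128)> {
    (1..=n).map(|x| {
        let hi = coeffs.iter().rev().fold(0u128, |acc, &c| (acc * x + c) % P);
        (x, (hi * x + secret) % P)
    }).collect()
}

/// Lagrange interpolation through `points`, evaluated at `at` (t shares, at = 0 => secret).
fn interpolate(points: &[(u128, u128)], at: u128) -> u128 {
    points.iter().fold(0u128, |sum, &(xi, yi)| {
        let (mut num, mut den) = (1u128, 1u128);
        for &(xj, _) in points.iter().filter(|p| p.0 != xi) {
            num = num * ((at + P - xj) % P) % P;
            den = den * ((xi + P - xj) % P) % P;
        }
        (sum + yi * num % P * inv(den)) % P
    })
}

/// Why t-1 shares reveal nothing: for ANY guessed secret there is a share at `x`
/// that makes the guess consistent with the shares already held.
fn share_consistent_with(known: &[(u128, u128)], guess: u128, x: u128) -> (u128, u128) {
    let mut pts = known.to_vec();
    pts.push((0, guess));
    (x, interpolate(&pts, x))
}

fn main() {
    let secret = 123_456_789; // constructed sample value
    let shares = deal(secret, &[1111, 2222], 5); // t = 3, n = 5
    println!("3 shares -> {}", interpolate(&shares[..3], 0));
    println!("2 shares -> {} (not the secret)", interpolate(&shares[..2], 0));
    println!("fits guess 42: {:?}", share_consistent_with(&shares[..2], 42, 3));
}
```

In the FROST crates the same arithmetic runs over the ciphersuite's scalar field, and the shares are used to sign jointly rather than to reconstruct the key in one place.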
Getting Started
If you're not familiar with FROST, first read Understanding FROST.
Then read the Tutorial, and use the Rust docs as reference.
Status
The crates are considered stable and feature complete, though eventual API cleanups and additional functionality might be included in future releases.
This code base has been partially audited by NCC; see below for details. The APIs and types in the crates contained in this repository follow SemVer guarantees.
NCC Audit
NCC performed an audit of the v0.6.0 release (corresponding to commit 5fa17ed) of the following crates:
- frost-core
- frost-ed25519
- frost-ed448
- frost-p256
- frost-secp256k1
- frost-ristretto255
This includes key generation (both trusted dealer and DKG) and FROST signing. This does not include frost-secp256k1-tr and rerandomized FROST.
The parts of the Ed448-Goldilocks dependency that are used by frost-ed448 were also in scope, namely the elliptic curve operations.
All issues identified in the audit were addressed by us and reviewed by NCC.
Usage
frost-core implements the base traits and types in a generic manner, to enable top-level implementations for different ciphersuites / curves without having to implement all of FROST from scratch. End-users should not use frost-core if they want to just sign and verify signatures for a specific ciphersuite; they should use the crate specific to their ciphersuite/curve parameters that uses frost-core as a dependency.