FROST: Flexible Round-Optimized Schnorr Threshold Signatures

Unlike signatures in a single-party setting, threshold signatures require cooperation among a threshold number of signers each holding a share of a common private key. Consequently, generating signatures in a threshold setting imposes overhead due to network rounds among signers, proving costly when secret shares are stored on network-limited devices or when coordination occurs over unreliable networks. In this work, we present FROST, a Flexible Round-Optimized Schnorr Threshold signature scheme that reduces network overhead during signing operations while employing a novel technique to protect against forgery attacks applicable to similar schemes in the literature. FROST improves upon the state of the art in Schnorr threshold signature protocols, as it can safely perform signing operations in a single round without limiting concurrency of signing operations, yet allows for true threshold signing, as only a threshold t out of n possible participants are required for signing operations, such that t ≤ n. FROST can be used as either a two-round protocol, or optimized to a single-round signing protocol with a pre-processing stage. FROST achieves its efficiency improvements in part by allowing the protocol to abort in the presence of a misbehaving participant (who is then identified and excluded from future operations)—a reasonable model for practical deployment scenarios. We present proofs of security demonstrating that FROST is secure against chosen-message attacks assuming the discrete logarithm problem is hard and the adversary controls fewer participants than the threshold.

[1]  Rosario Gennaro,et al.  Fast Multiparty Threshold ECDSA with Fast Trustless Setup , 2018, CCS.

[2]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[3]  Paul Feldman,et al.  A practical scheme for non-interactive verifiable secret sharing , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[4]  Abdelrahaman Aly,et al.  Collaborative Authentication Using Threshold Cryptography , 2019, ETAA@ESORICS.

[5]  A. Narayanan,et al.  Securing Bitcoin wallets via a new DSA / ECDSA threshold signature scheme , 2015 .

[6]  W. Lueks,et al.  Security and Privacy via Cryptography Having your cake and eating it too , 2017 .

[7]  Mihir Bellare,et al.  Randomness Re-use in Multi-recipient Encryption Schemeas , 2003, Public Key Cryptography.

[8]  Douglas R. Stinson,et al.  Provably Secure Distributed Schnorr Signatures and a (t, n) Threshold Scheme for Implicit Certificates , 2001, ACISP.

[9]  Yuval Ishai,et al.  Share Conversion, Pseudorandom Secret-Sharing and Applications to Secure Computation , 2005, TCC.

[10]  Dan Boneh,et al.  Compact Multi-Signatures for Smaller Blockchains , 2018, IACR Cryptol. ePrint Arch..

[11]  Carmela Troncoso,et al.  PIR-Tor: Scalable Anonymous Communication Using Private Information Retrieval , 2011, USENIX Security Symposium.

[12]  Eike Kiltz,et al.  On the Security of Two-Round Multi-Signatures , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[13]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[14]  Hugo Krawczyk,et al.  Secure Distributed Key Generation for Discrete-Log Based Cryptosystems , 1999, Journal of Cryptology.

[15]  Ivan Damgård,et al.  Fast Threshold ECDSA with Honest Majority , 2020, IACR Cryptol. ePrint Arch..

[16]  Hugo Krawczyk,et al.  Secure Applications of Pedersen's Distributed Key Generation Protocol , 2003, CT-RSA.

[17]  Claus-Peter Schnorr,et al.  Security of Blind Discrete Log Signatures against Interactive Attacks , 2001, ICICS.

[18]  Jacques Stern,et al.  Security Arguments for Digital Signatures and Blind Signatures , 2015, Journal of Cryptology.

[19]  Yannick Seurin,et al.  Simple Schnorr multi-signatures with applications to Bitcoin , 2019, Designs, Codes and Cryptography.

[20]  Rosario Gennaro,et al.  One Round Threshold ECDSA with Identifiable Abort , 2020, IACR Cryptol. ePrint Arch..

[21]  David A. Wagner,et al.  A Generalized Birthday Problem , 2002, CRYPTO.

[22]  Mihir Bellare,et al.  Multi-signatures in the plain public-Key model and a general forking lemma , 2006, CCS '06.

[23]  C. P. Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1989, EUROCRYPT.

[24]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[25]  Tancrède Lepoint,et al.  On the (in)Security of ROS , 2022, Journal of Cryptology.

[26]  Torben P. Pedersen A Threshold Cryptosystem without a Trusted Party (Extended Abstract) , 1991, EUROCRYPT.

[27]  Josh Benaloh,et al.  Generalized Secret Sharing and Monotone Functions , 1990, CRYPTO.

[28]  Simon Josefsson,et al.  Edwards-Curve Digital Signature Algorithm (EdDSA) , 2017, RFC.