FROST: Improving upon the state of the art in threshold signature protocols.

FROST stands for Flexible Round-Optimized Schnorr Threshold, and it is a threshold signature scheme that essentially reduces network overhead during signing operations – while employing novel techniques to protect against forgery attacks applicable to similar schemes. 

Zcash Foundation FROST, Zebrad, Governance

About FROST:

FROST improves upon the state of the art in Schnorr threshold signature protocols, as it can be safely used without limiting concurrency of signing operations – yet allows for true threshold signing, as only a threshold number of participants are required for signing operations.

It can be used as either a two-round protocol where signers send and receive two messages in total, or optimized to a single-round signing protocol with a pre-processing stage. It achieves its efficiency improvements in part by allowing the protocol to abort in the presence of a misbehaving participant (who is then identified and excluded from future operations)—a reasonable model for practical deployment scenarios.

FROST benefits:

Transparent with the Zcash community

1.

Low round complexity in both the distributed key-generation and signing phases.

2.

Secure against dishonest majority. FROST is secure against adversaries which control up to t-1 signers in the signing phase.

3.

Concurrent security. This is in contrast to other threshold Schnorr signature protocols that have the same round complexity, but suffer from limited concurrency to protect against the attack of Drijvers etc.

4.

Simple cryptographic building blocks and assumptions. FROST is built upon the threshold Shamir secret sharing and Feldman verifiable secret sharing schemes and it relies only on the discrete logarithm assumption.

FROST benefits:

Transparent with the Zcash community

1.

Low round complexity in both the distributed key-generation and signing phases.

2.

Secure against dishonest majority. FROST is secure against adversaries which control up to t-1 signers in the signing phase.

3.

Concurrent security. This is in contrast to other threshold Schnorr signature protocols that have the same round complexity, but suffer from limited concurrency to protect against the attack of Drijvers.

4.

Simple cryptographic building blocks and assumptions since it is built upon the threshold Shamir secret sharing and Feldman verifiable secret sharing schemes and it relies only on the discrete logarithm assumption.

Transparent with the Zcash community

Researchers at the Zcash Foundation are collaborating on an IRTF informational draft for FROST with researchers at the University of Waterloo and several other organizations, and it’s on the path towards greater adoption within the Zcash ecosystem and beyond.