FROST Trusted Dealer

[jesseposner]

This PR implements a BIP-340 compatible threshold signature system based on FROST (Flexible Round-Optimized Schnorr Threshold Signatures) with a trusted dealer. This PR does not implement distributed key generation (DKG).

FROST Paper

This PR is based upon the FROST paper by Chelsea Komlo and Ian Goldberg and the draft RFC.

FROST Signing BIP

This PR implements the FROST signing BIP.

Prior Work

This PR is patterned on the APIs, and in many instances duplicates code, from the MuSig2 implementation due to their similarities in nonce generation and signing.

[real-or-random]

some initial comments, more tomorrow

[real-or-random]

nit: see bitcoin-core/secp256k1@aa3dd52 for consistent wording here

[real-or-random]

nit: s/new/fresh

By the way, we need to say similar things for musig sessions. Feel free to steal some sentences/phrasing ideas from bitcoin-core/secp256k1#1479.

[real-or-random]

s/again// ("reuse again" is saying the same thing twice)

[real-or-random]

"key shares" or "key generation" shares?

[real-or-random]

Hm, this may be slightly confusing because one could read it as "must have established a secure channel already", but that's of course not necessary. Maybe: "The trusted dealer must transmit shares over secure channels to participants."

[real-or-random]

s/share/shares

[real-or-random]

This function is just for nuking memory. Use _scalar_set_int(0) to set to zero. (We should probably have a dedicated function, but we don't have one currently.)

[real-or-random]

Should this be an x-only key? I'm not entirely sure, I would need to think about it.

[jesseposner]

The function conditionally inverts the shares to guarantee that the private key will match the x-only key.

Since the primary use-case will be on-chain signing, I think it's a useful simplification to take care of the negation during share generation and makes it easier to reason about in secp256k1_frost_pubkey_get and secp256k1_frost_pubkey_tweak.

[jesseposner]

Upon further reflection, I'm realizing it's not a useful simplification because in practice the output of the DKG will typically be further tweaked by a BIP32 tweak and then a taproot tweak, rather than used directly.

So I now think it would be better to have the DKG output a 33-byte key rather than an x-only key.

[jesseposner]

I've taken a stab at implementing this change, however, it requires tracking more state during signing.

Currently, nonce_process takes an xonly agg_pk and optionally a tweak_cache and returns a session. partial_sign takes a session and optionally a tweak_cache.

partial_sign only needs to handle negation logic if a tweak_cache is present because the DKG outputs an x-only key. If we change the DKG to output a 33-byte key, then nonce_process will need to take a 33-byte agg_pk and it will need to save a parity bit, serialized as a byte, in the session, so that partial_sign can handle the negation logic for when a tweak_cache is not present.

So while I don't think there's any reason for the protocol to output a 33-byte key, it seems useful to have the implementation do so, because it avoids a serialized byte in the session and I don't see a downside.

[jesseposner]

I need to compare this approach to the one taken in the signing BIP. The BIP proposes that the pubshares be saved to the session and the 33 byte public key is derived from the pubshares.

[jesseposner]

siv2r/bip-frost-signing#12

[jesseposner]

Perhaps the best reason to not output an xonly key from the DKG is that we don't want to encourage FROST DKG outputs being used directly on-chain without an unspendable script path because unlike MuSig, FROST does not randomize the group public key: https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-23

[siv2r]

The signing BIP now uses signer public shares to initialize the tweak context (name to be updated) rather than the group public key. Hence, it no longer depends on whether the group pubkey (produced by keygen) is plain or x-only.

[siv2r]

An alternative design choice here is for trusted_gen to always output tweak_cache and optionally group_pk. This would be similar to how musig_pubkey_agg outputs keyagg_cache and optionally agg_pk.

[real-or-random]

In general, I think it would be nice to get this rebase this. (Should be mostly trivial.) Also, CMake support is missing because we have this now for all other -zkp modules (#288 ), but that's currently not essential right now.

[siv2r]

should we also ARG_CHECK for 1 <= ids[i] <= max_participant?

[jesseposner]

The function doesn't currently take max_participant as an input, and I'm not sure if it's worth requiring the extra state to perform this check.

[siv2r]

We can also add pubshare as an input argument. MuSig2 hashes the individual pubkey when generating the nonces, but we don't need to make pubshare a mandatory argument like MuSig2 does (more info).

How do we decide the args supplied to the hash function for generating a nonce? Should we throw in all available signer information into the hash function? For instance, can we include the participant identifier too?

[siv2r]

Related issue: siv2r/bip-frost-signing#15, which suggests using tweak_cache instead of agg_pk as the input arg.

[jesseposner]

%s/musig/frost

[siv2r]

nit: when we execute ./configure --enable-module-frost, the following error appears:

configure: error: MuSig module is experimental. Use --enable-experimental to allow.

instead of:

configure: error: FROST module is experimental. Use --enable-experimental to allow.

---

To resolve this issue, we should reposition the FROST module check before the MuSig experimental module check (lines 486-488).

[jesseposner]

Can you try again? I wasn't able to reproduce the issue.

When I run ./configure --enable-module-frost I get configure: error: FROST module is experimental. Use --enable-experimental to allow..

[siv2r]

nit: we can update this to refer to the completed RFC: https://datatracker.ietf.org/doc/rfc9591/

[jesseposner]

64e8beb

[siv2r]

I agree. We must XOR key32 and session_id (in const-time) before feeding them to SHA256

[jesseposner]

I need to bring these changes over from MuSig: 206017d

[jesseposner]

35f453d

[siv2r]

The libsecp repo defines these functions using different names:

• point_save_ext -> ge_to_bytes_ext
• point_load_ext -> ge_from_bytes_ext

[jesseposner]

9fcaf25

[siv2r]

Would it be more precise to say "will leak the agg_share" instead?

[jesseposner]

ae39a3a

[siv2r]

Suggested change

	enum { n_extra_in = 4 };
	enum { N_EXTRA_IN = 4 };

[siv2r]

I like this approach to hashing optional arguments—it’s cleaner than musig’s approach of using a helper function. However, there's a minor issue: the signing BIP encodes the message length as 8 bytes, but here we use 1 byte.

As stated in the BIP's noncegen:

• If the optional argument m is not present:
  • Let m_prefixed = bytes(1, 0)
• Else:
  • Let m_prefixed = bytes(1, 1) || bytes(8, len(m)) || m

[jesseposner]

I switched over to using the MuSig approach: 35f453d

[siv2r]

Just a note for the future: when writing tests, we should skip two noncegen test vectors—(1) empty message and (2) 38-byte message—since our nonce generation currently only supports 32-byte messages.

[siv2r]

The method of hashing arguments in noncegen deviates from the BIP. I believe it currently computes the nonces as

$$k_i = \mathrm{H}_{\text{no-tag}}(\mathrm{H}_{\text{FROST/nonce}}(\text{optional args}) \;||\; i - 1)$$

but the BIP computes them as

$$k_i = \mathrm{H}_{\text{FROST/nonce}}(\text{optional args} \;||\; i - 1)$$

[jesseposner]

35f453d

[siv2r]

This function follows the nonce aggregation technique from FROST1, but the BIP uses FROST3. We may need to split this function into two:

1. frost_nonce_agg - computes the aggnonce: $\widetilde{R_1} || \widetilde{R_2}$ where,
   $\widetilde{R_1} = \sum \limits_{i=1}^{t} R_{i, 1}$ and $\widetilde{R_2} = \sum \limits_{i=1}^{t} R_{i, 2}$
2. frost_nonce_process - computes the final nonce: $R_{\text{fin}} = \widetilde{R_1} + b \cdot \widetilde{R_2}$

Musig’s implementation follows the same technique

[siv2r]

I believe aggnonce_pt[i] is allowed to be infinity. The NonceAgg specification serializes them using cybtes_ext, so we can use ge_to_bytes_ext here.

Setting the nonce to the generator point only occurs with the final nonce.

[siv2r]

FROST3 computes the nonce coefficient as $b = \mathrm{H}_{\text{FROST/noncecoef}}(T || \widetilde{R_1} || \widetilde{R_2} || \widetilde{X} || msg)$, where $T$ is the set of signer ids.

[siv2r]

We can remove the ctx object from the function args.

[siv2r]

We can remove the ctx object from the function args

[siv2r]

The BIP sets the final nonce to the generator point if it’s infinity.

[siv2r]

I hadn’t considered this option when writing the BIP. So, right now, it computes $\lambda_{i, T}$ during Sign, not in GetSessionValue. Happy to update the BIP if this approach is better.

[siv2r]

In the documentation, we should probably mention that [1] the ids array must have unique elements, and [2] my_id must be included in ids. Otherwise, Lagrange interpolation will return incorrect values.

We could also implement ARG_CHECKs for these, but I'm not sure if it's worth the effort.

[siv2r]

In BIP, the DeriveInterpolatingValue function fails if both these conditions aren't met.

[siv2r]

Suggested change

	* pubkey: pointer to an x-only public key to verify with
	* agg_pk: pointer to an x-only public key to verify with

[siv2r]

Just pointing out that there's another possible approach here. In single signer Schnorr adaptor, we use extract_adaptor_point API instead of verify_adaptor—more details. Interestingly, MuSig doesn’t include either extract_adaptor_point or verify_adaptor (not sure why).

[siv2r]

We can use this comment here (taken from musig)

    /* Negate sk if secp256k1_fe_is_odd(&cache_i.pk.y)) XOR cache_i.parity_acc.
     * This corresponds to the line "Let d = g⋅gacc⋅d' mod n" in the
     * specification. */

[siv2r]

Suggested change

	ARG_CHECK(n_sigs > 0);
	ARG_CHECK(n_sigs > 1);

Should we do this instead?
The frost_nonce_process currently has ARG_CHECK(n_pubnonce > 1). We might want to use the same value in both functions, either 1 or 0.

[siv2r]

In musig's example, every function (except main) is static

[siv2r]

I think this comment was meant to be removed

[siv2r]

#278 (comment) applies here too.

[siv2r]

We can move this function call to the previous loop

[siv2r]

nit: same function is also used in MuSig's tests, so can we make it a helper function in src/testutil.h?

[siv2r]

I think we need to use pubnonce instead of aggnonce: #296

[theStack]

Only looked at share generation/verification so far, left a few comments below. Fwiw, I've added CMake support, feel free to pull it in: theStack@3b72fbd

[theStack]

As the chance of this happening is negligible, a VERIFY_CHECK might be sufficient? Then the function could be void, also simplifying the call-sites.

[theStack]

in secp256k1_frost_vss_gen: this value is never changed, so could remove ret and declare the function as void instead, also simplifying the call-site below.

[theStack]

naming nit: maybe call it secshare (both for the type and its instances and (de)ser function names in the API), in order to underline that this should be kept in secret? also since the public counterpart is called pubshare.

[theStack]

Considering that this blog post link has been removed in the MuSig2 PR in the secp256k1 main repo (see bitcoin-core/secp256k1#1479 (comment)), I guess the same should be done here.

[theStack]

maybe more a matter of taste, but the "skip for our own id" logic could be implemented before computing the _i_th indexhash by simply comparing the ids, e.g.

    if (secp256k1_memcmp_var(ids33[i], my_id33, 33) == 0) {
        return 0;
    }

(untested)