SOT-176: Add FROST
VanhGer committed Aug 23, 2024
1 parent fdab86b commit 4ed44f7
Showing 3 changed files with 186 additions and 6 deletions.
149 changes: 149 additions & 0 deletions terms/frost.md
@@ -0,0 +1,149 @@
---
comments: true
---

# FROST

FROST is a 2-round protocol in which the signer sends and receives a total of two messages. Alternatively, it can be optimized into a
non-broadcast, single-round signing protocol with a pre-processing phase.

## Schnorr Signature

Read this section [here](./schnorr_signature.md).

Signatures generated by the FROST signature operation are indistinguishable from Schnorr signatures and can therefore be verified
using the standard Schnorr verification procedure.

## Additive Secret Sharing

The additive secret sharing scheme allows $\alpha$ participants to jointly compute a shared secret $s$, with each participant $P_i$
contributing a value $s_i$. The resulting secret key is the sum of all contributed values: $s = \sum s_i$. Consequently, additive
secret sharing can be performed non-interactively.

$\dfrac{s_i}{\lambda_i}$ represents the Shamir's secret sharing of the same $s$, where $\lambda_i$ are the
[Lagrange](./lagrange_interpolation.md) coefficients (Basis Polynomials). In FROST, Your explanation is generally clear, but here are
some adjustments for improved clarity and accuracy:

The additive secret sharing scheme allows $\alpha$ participants to jointly compute a shared secret $s$, with each participant $P_i$
contributing a value $s_i$. The resulting secret key is the sum of all contributed values: $s = \sum s_i$. Consequently, additive
secret sharing can be performed non-interactively.

$\frac{s_i}{\lambda_i}$ represents Shamir's secret sharing of the same secret $s$, where $\lambda_i$ are the
[Lagrange](./lagrange_interpolation.md) coefficients (Basis Polynomials). In FROST, participants use this technique during signing
operations to non-interactively generate a nonce that is Shamir secret shared among all signing participants.

## FROST

FROST: A flexible round-optimized Schnorr threshold signature scheme.

### Preliminaries

Let $\alpha$ be the number of participants performing a signing operation with their identifiers
$S = \lbrace p_1, \dots, p_\alpha \rbrace$. Let $\lambda_i$ denote the Lagrange coefficient corresponding to $p_i$.

### Features

Signature Aggregator Role: FROST using a semi-trusted signature aggregator role, denoted as $SA$. This role can be performed by anyone
inside or outside the protocol, provided they know the participants' public-key shares $Y_i$. The $SA$ is trusted to report
misbehaving participants and publish the group signature.

### Key Generation

**Round 1:**

- $P_i$ draws $t$ random values $(a _ {i0},\dots, a _ {i(t-1)}) \in \mathbb{Z}_q$ and then generates $f_i(x) = \sum(a _ {ij}x ^ j)$
- $P_i$ computes a proof of knowledge of $a_{i0}$ via [Schnorr signature](./schnorr_signature.md):
- Random $k \in \mathbb{Z}_q$
- $R_i = g^k$
- $c_i = H(i, CTX, g^{a_{i0}}, R_i)$ where CTX is the context string to prevent replay attacks.
- $\mu_i = k + a_{i0} * c_i$
- $\sigma_i = (c_i, \mu_i)$
- $P_i$ broadcasts the public commitment $C_i = {A_{i0},...,A_{i(t-1)}}$ where $A_{ij} = g^{a_{ij}}$ and $\sigma_i$ to all other
participants
- $P_i$ verifies $\sigma_p = (c_p, \mu_p)$ by checking: $c_p \stackrel{?}{=} H(p, CTX, A_{p0}, g^{\mu_p} * A_{p0}^{-c_p})$

**Round2 :**

- Each $P_i$ sends a secret share $(p, f_i(p))$ to $P_p$ , and deletes $f_i$.
- Each $P_i$ verifies their received shares : $g^{f_p(i)} \stackrel{?}{=} \prod_{k=0}^{t-1} A_{p_k}^{i^k \mod q}$
- Each $P_i$ computes their long-lived private signing share $s_i = \sum_{p=1}^n(f_p(i))$ for $p = 1,\dots, n$, stores $s_i$ securely
and deletes each $f_p(i)$.
- Each $P_i$ computes their public verification share $Y_i = g^{s_i}$ and the group's public key $Y = \prod(A_{j0})$ for
$j = 1,\dots,n$. Any $P_i$ can compute the public verification share $Y_i = \prod_{j=1}^{n} \prod_{k=0}^{t-1}A_{jk}^{i^k \mod q}$

### Signing Protocol

To avoid the [Drijvers attack](https://eprint.iacr.org/2018/417), FROST binds each participant's response to a specific message, as
well as the set of participants and their commitments used for that particular signing operation.

The signing protocol consists of two phases:

#### Pre-processing

Participants generate and publish $\pi$ commitments at a time ($\pi$ is the number of random nonces that are generated and their
corresponding commitments).
Each $P_i$ generates a list of *single-use* private nonce pairs and their corresponding commitment shares:
$<(d_{ij}, D_{ij}=g^{d_{ij}}), (e_{i,j}, E_{i, j} = g^{e_{ij}})>_{j=1}^\pi$
where $j$ is the counter that identifies the next nonce/commitment share pair

At the end of this phases, each $P_i$ publishes $(i, L_i)$ where $L_i = <(D_{ij}, E_{ij})>_{j=1}^{\pi}$

#### Single-round Signing

$Sign(m) \to (m, \sigma)$

Let:

- $SA$ : Signature aggregator (one of the signing participants)
- $S$: A set of $\alpha$ selected participants
- $Y$: The group public key
- $B = <(i, D_i, E_i)>_{i \in S}$: Ordered list corresponding to each participant $P_i$
- $H_1, H_2$: Hash functions

Workflows:

- $SA$ fetches the next available commitment for each $P_i$ and constructs $B$
- $SA$ sends $P_i$ the tuple $(m, B)$
- Each $P_i$ computes:
- $\rho_l = H_1(l, m, B)_{l \in S}$
- Group commitment: $R = \prod_{l \in S}D_l \cdot (E_l)^{\rho_l}$
- Challenge: $c = H_2(R, Y, m)$
- Each $P_i$ computes:
- $z_i = d_i + (e_i \cdot \rho_i) + \lambda_i \cdot s_i \cdot c$
- Each $P_i$ returns $z_i$ to $SA$
- $SA$ performs:
- $\rho_i = H_1(i, m, S)$ and $R_i = D_{ij} \cdot (E_{ij})^{\rho_i}$ for $i \in S$
- $R = \prod_{i∈S}R_i$ and $c = H_2(R, Y, m)$
- Check $P_i$'s response: $g^{z_i} \stackrel{?}{=} R_i \cdot Y_i^{c \cdot \lambda_i}$
- Group response: $z = \sum z_i$
- Publish: $\sigma = (R, z)$ along with $m$.

### Security

#### Correctness

Signatures in FROST are constructed from two polynomials:

- $F_1(x)$: Defines the secret sharing of the private signing key $s$
- $F_2(x)$: Defines the secret sharing of nonce $k$.
We see that $F_2(x)$ has interpolating values $(i, \dfrac{d_i + e_i \cdot \rho_i}{\lambda_i})$.
Let $F_3(x) = F_2(x) + c \cdot F_1(x)$ where $c = H_2(R, Y, m)$
=> $z_i = d_i + (e_i\cdot \rho_i) + \lambda_i \cdot s_i \cdot c = \lambda_i(F_2(i) + c \cdot F_1(i)) = \lambda_i F_3(i)$.

So, $z = \sum_{i \in S}z_i$ is simply the Lagrange interpolation of $F_3(0) = (\sum_{i\in S} di_ + e_{ij} · \rho_i) + c · s$. Because
$R= g^{\sum_{i\in S} di_ + e_{ij} · \rho_i}$, $(R, z)$ is a correct Schnorr signature on $m$.

#### Security Against Chosen Message Attacks

Unlike many previous Schnorr threshold schemes, FROST remains secure against known forgery attacks without limiting the concurrency of
signature operations.

#### Aborting on Misbehavior

FROST requires participants to abort once they have detected misbehavior, with the benefit of fewer communication rounds in an honest
setting.

## References

[FROST paper - Chelsea Komlo, Ian Goldberg](https://eprint.iacr.org/2020/852.pdf)
[Schnorr threshold signatures: FROST - chainx-org](https://github.com/chainx-org/chainx-technical-archive/tree/main/LiuBinXiao/Taproot)
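Review bot: the "Additive Secret Sharing" section contains pasted editing-tool output and a verbatim duplicate; the first copy of the paragraph "$\dfrac{s_i}{\lambda_i}$ represents the Shamir's secret sharing..." breaks off into "In FROST, Your explanation is generally clear, but here are some adjustments for improved clarity and accuracy:" and the whole block is then repeated, so drop everything from that first "$\dfrac{s_i}{\lambda_i}$" paragraph up to the second "can be performed non-interactively." and keep the second copy. In the aggregator step of "Single-round Signing", `$\rho_i = H_1(i, m, S)$ and $R_i = D_{ij} \cdot (E_{ij})^{\rho_i}$` disagrees with the participant-side `$\rho_l = H_1(l, m, B)_{l \in S}$`; the binding value has to hash the commitment list $B$, which is exactly the Drijvers defence the section opens with, so the aggregator line should read $\rho_i = H_1(i, m, B)$, otherwise the verification check $g^{z_i} \stackrel{?}{=} R_i \cdot Y_i^{c \cdot \lambda_i}$ will fail for honest signers. In "Correctness", `$F_3(0) = (\sum_{i\in S} di_ + e_{ij} · \rho_i) + c · s$` and the exponent of $R$ are garbled: both should use $\sum_{i \in S}(d_i + e_i \cdot \rho_i)$ to match the $z_i$ formula two lines above. Smaller points: "FROST using a semi-trusted signature aggregator" should be "FROST uses ..."; "Round2 :" should be "Round 2:"; the Round 2 check should index $A_{pk}$, not $A_{p_k}$; "Features" says the aggregator can be anyone inside or outside the protocol while "Single-round Signing" defines it as "one of the signing participants", pick one; and the key-generation rounds should say that $(p, f_i(p))$ is sent over a confidential, authenticated channel and that a failed check of $\sigma_p$ or of a share aborts the protocol, which is what the later "Aborting on Misbehavior" paragraph relies on.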
27 changes: 27 additions & 0 deletions terms/schnorr_signature.md
@@ -0,0 +1,27 @@
---
comments: true
---
# Schnorr Signature

The Schnorr Signature is a typical type of [threshold signature](https://scryptplatform.medium.com/threshold-signatures-a0eff03dc29c).
The Schnorr signature involves two phases: generation and verification.

Let $G$ be a group of prime order $q$ with $g$ as a generator of $G$. Let $H$ be a hash function, and let the number $s$ in the group
$G$ be $g^s$.

**Generation**:

- Sample a random nonce $k \in \mathbb{Z}_q$ and compute the commitment: $R = g^k \in G$
- Compute the challenge $c = H(R, Y, m)$ (where $Y$ is the group public key, $m$ is the message and $H$ is the hash function)
- Using the secret key $s$, compute the response $z = k + s \cdot c \in \mathbb{Z}_q$
- Define the signature over $m$ as $\sigma = (R, z)$

**Verification**:

- Parse $\sigma = (R, z)$ and derive $c = H(R, Y, m)$
- Compute $R' = g^z \cdot Y^{-c}$
- Verify that: $R' \stackrel{?}{=} R$

## References

[FROST paper](https://eprint.iacr.org/2020/852.pdf).
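Review bot: the opening sentence "The Schnorr Signature is a typical type of threshold signature" is wrong; Schnorr is a single-signer scheme, and it is the linearity of the response $z = k + s \cdot c$ that makes threshold constructions such as FROST possible, so say that instead. The setup line "let the number $s$ in the group $G$ be $g^s$" defines nothing; it should read: the secret key is $s \in \mathbb{Z}_q$, the public key is $Y = g^s \in G$, and $H$ maps into $\mathbb{Z}_q$. With that fixed, the generation and verification steps are consistent ($g^z \cdot Y^{-c} = g^{k + sc} \cdot g^{-sc} = R$).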
16 changes: 10 additions & 6 deletions terms/verifiable_secret_sharing.md
Expand Up @@ -11,18 +11,18 @@ Read the definition of DKG [here](./distributed_key_generation.md).

### Definition

A $(t, n)$ VSS includes two phases: *Share* and *Reconstruct* as follow:
A $(k, n)$ VSS includes two phases: *Sharing* and *Reconstruction* as follows:

**Share:**

- Dealer $D$ has a secret $s$. There are $n$ parties $P_1,\dots,P_n$.
- After many interacting rounds between parties, each party holds a share $s_i$.
- After several rounds of interaction among the parties, each party holds a share $s_i$.

**Reconstruct**:

- Each party $P_i$ publishes its share $s_i$ from the sharing phase for reconstruction $s$.

If $D$ is dishonest, then at the end of **sharing** phase, there exist a value $s^*$ such that all parties agree on it at the end of
If $D$ is dishonest, then at the end of **sharing** phase, there exists a value $s^*$ such that all parties agree on it at the end of
**reconstruct** phase.

## Pedersen Construction
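Review bot: the rewritten definition line renames the phases to *Sharing* and *Reconstruction*, but the bold labels that follow still read "**Share:**" and "**Reconstruct**:"; rename those too so the terminology matches. While touching this region, "publishes its share $s_i$ from the sharing phase for reconstruction $s$" should be "to reconstruct $s$", and the dishonest-dealer property is cleaner stated as: there exists a value $s^*$, fixed at the end of the sharing phase, that the honest parties reconstruct.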
Expand All @@ -35,10 +35,10 @@ Let $p, q$ be large primes such that $q$ divides $p-1$ and let $G_q$ be the uniq
and $h$ be elements of $G_q$ where $g$ is the generator of $G_q$ and no one knows the value $d$ such that $h = g^d$. These elements
can be chosen using a coin-flipping protocol.

The committer commits to its secret $s \in \mathbb{Z}_q$ by choosing a random $t \in \mathbb{Z_q}$, then computing and broadcasting
The committer commits to its secret $s \in \mathbb{Z}_q$ by choosing a random $t \in \mathbb{Z}_q$, then computing and broadcasting
$E(s, t) = g^sh^t$. Such a commitment can later be opened by revealing $s$ and $t$.

If committer knows the $d = log_g(h)$, he can commit to a value $s$ and then can falsely claim that he committed $s'$ because:
If the committer knows $d = log_g(h)$, he can commit to a value $s$ and then can falsely claim that he committed to $s'$ because:
$$g^sh^t = g^{s'}h^{t'} \iff g^{s - s'} = h^{t'-t} \iff log_gh = \dfrac{s- s'}{t'-t}$$

### Verification of Shares
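Review bot: `$d = log_g(h)$` and `$log_gh$` on the same lines render as a product of letters; use `\log_g h` in both places for consistency with the $\mathbb{Z}_q$ fix made here. The equivocation argument is correct as written; the division by $t' - t$ in the last step is safe because $t' = t$ would force $s = s'$.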
Expand All @@ -48,7 +48,7 @@ Assume that a dealer $D$ has a secret $s$ and wants to create a $(k,n)$ VSS prot
Here is the scheme:

- $D$ publishes a commitment to $s$: $E_0 = E(s, t)$ where $E(s, t) = g^sh^t$. for a random $t$
- $D$ chooses $F \in \mathbb{Z}_q[x]$ of degree at most $k-1$: $F(x) = s + F_1x + \dots + F_{k-1}x^{k-1}$
- $D$ chooses $F \in \mathbb{Z} _ q[x]$ of degree at most $k-1$: $F(x) = s + F _ 1x + \dots + F _ {k-1}x ^ {k-1}$
- $D$ computes $s_i = F(i)$ for $i = 1,\dots,n$
- $D$ chooses $G_1,\dots, G_{k-1}$ at random and broadcasts the commitments $E_i = E(F_i, G_i)$
- Let $G(x) = t + G_1x + \dots G_{k-1}x^{k-1}$
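Review bot: the spaced underscores in `$F \in \mathbb{Z} _ q[x]$` and `$F _ {k-1}x ^ {k-1}$` are a workaround for Markdown treating `_` as emphasis, and frost.md uses the same trick only in `f_i(x) = \sum(a _ {ij}x ^ j)`; apply it uniformly (or escape underscores / configure the math renderer) rather than line by line, otherwise neighbouring formulas in the same file will keep rendering differently.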
Expand All @@ -70,6 +70,10 @@ Here is the scheme:
- $S$ can compute $s' = \sum_{i \in S}s_i a_i$ and can also find $t' = \sum_{i \in S}t_i a_i$ where
$a_i = \prod_{j \in S, j \ne i}\dfrac{i}{i-j}$

## FROST

Read the section of FROST [here](./frost.md).

## References

[Orochi Network's cookbook](https://docs.orochi.network/dkg/verifiable-secret-sharing/pedersen-construction.html)
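Review bot: the Lagrange coefficient in the unchanged context line `$a_i = \prod_{j \in S, j \ne i}\dfrac{i}{i-j}$` is wrong; the basis polynomial evaluated at $0$ is $\prod_{j \in S, j \ne i} \dfrac{j}{j-i}$ (equivalently $\dfrac{-j}{i-j}$), and with $S = \{1, 2\}$ the page's formula yields $-F(1) + 2F(2) \ne s$ whereas the correct one gives $2F(1) - F(2) = s$. Since the new "## FROST" section is a bare link, one sentence on the relation would help: FROST's key generation builds on Pedersen's DKG, whose commitments $A_{ij} = g^{a_{ij}}$ are Feldman-style rather than the $g^s h^t$ Pedersen commitments described on this page.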
