Threshold Multisignature
Threshold signatures are a subset of multisignatures. Each participant is represented by a unique public key, while each participant's private key is kept secret. The full secret is never disclosed: each participant signs using only their share of it. Therefore, the original secret can never be reconstructed by an external party.
FROST
A message or transaction will get through on condition that at least out of signers approve it. For example, if is ten signers and threshold is set to 0.7, at least seven participants must approve a transaction to go through, while three signers can stay inactive, down, or malicious.
An example of a Threshold Multisignature is FROST (Flexible Round-Optimized Schnorr Threshold Signature), used since version 2.0 of the XP.NETWORK NFT Bridge.
FROST can be used in two forms:
- A two-round Schnorr threshold signing protocol
- A single-round protocol with preprocessing, an optimized version of the above. This is the form implemented by the XP.NETWORK NFT Bridge.
Signing operations can be done concurrently (in parallel) without impacting security. The FROST protocol is considered secure if an adversary controls up to signers.
Compared with other Schnorr-based threshold protocols, FROST is fast (1 round of signing), is parallel secure, and requires at least signers. FROST is less robust with respect to finality than "Stinson and Strobl", should signers misbehave: if malicious adversaries control enough signers that the benevolent ones can never reach the threshold, consensus will never be reached, and the transactions will not get through. For example, in a pool of ten signers with a threshold of 7 out of 10, if the adversaries control at least four signers, the threshold of 7 cannot be reached.
Protocol | Rounds | Robust | Req.Signers | Parallel Secure |
---|---|---|---|---|
Stinson and Strobl | 4 | Yes | | Yes |
Gennaro et al. | 1+preprocessing | No | | No |
FROST | 1+preprocessing | No | | Yes |
Pic.1 Schnorr Comparative Table
Schnorr quick recap
Step | Signer | Exchange | Verifier | Explanation |
---|---|---|---|---|
1 | | | | SK [1] = Private () & PK = public ([2]) keys generation using a DKG Protocol [3] |
2 | | | | The verifier wants a message to be signed |
3 | | | | A secret unique nonce is generated |
4 | | | | A commitment to the nonce is generated |
5 | | | | A challenge is computed by hashing the commitment, PK, and the message |
6 | | | | Response is the nonce plus the product of the challenge and the SK |
7 | | | | The signed message as the commitment & the response are returned to the Verifier |
8 | | | | The verifier calculates the challenge |
9 | | | | The verifier derives the expected commitment |
10 | | | | If the derived commitment matches the one from the signature, the signature is valid |
Pic.2 Schnorr Multisignature
FROST Preprocessing
Step | Signer(i) | Exchange | Round Leader [4] | Explanation |
---|---|---|---|---|
1 | | | | Every signer generates a tuple of 2 nonces. |
2 | | | | Then they generate 2 commitments to the above nonces. |
3 | Store | | | They store those values locally. |
4 | | | | If it is the 1st round, they publish the 1st commitments' round. |
5 | | | Store | The round leader stores the commitments locally. |
FROST signature built over Schnorr
Step | Signer(i) | Exchange | Round Leader | Explanation |
---|---|---|---|---|
1 | | | | The round leader has collected enough signer commitments. |
2 | | | | The leader requests a message signature from the signers. |
3 | | | | The signers compute the challenge [5] |
4 | | | | Signers generate the commitment as a product of the binding factors |
5 | | | | Every signer generates a challenge |
6 | | | | Then they generate the response as a combination of the 2 nonces & the binding factor, secret share & the challenge [6] |
7 | | | | Each signer sends the response to the round leader |
8 | | | | The round leader submits a signed transaction to the blockchain [7] |
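The preprocessing and signing tables above, as an added Python example (not XP.NETWORK's code): signers combine two nonces, a binding factor, their secret share and the challenge, and the result verifies as a plain single-party Schnorr signature. Assumptions: a constructed toy group that is far too small for real use, a trusted-dealer Shamir split standing in for the DKG, and variable names (`d`, `e`, `D`, `E`, `rho`, `R`, `c`, `z`) chosen here for illustration.

```python
import hashlib, secrets

# Toy Schnorr group (constructed, far too small for real use): G has prime order Q mod P.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """Hash the given values to a scalar mod Q."""
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen(t, n):
    """Trusted-dealer Shamir sharing (stand-in for the DKG): joint PK and {i: secret share}."""
    coeffs = [1 + secrets.randbelow(Q - 1) for _ in range(t)]  # nonzero, so the toy threshold is exact
    shares = {i: sum(a * pow(i, k, Q) for k, a in enumerate(coeffs)) % Q for i in range(1, n + 1)}
    return pow(G, coeffs[0], P), shares

def lagrange(i, signers):
    """Lagrange coefficient of signer i, evaluated at 0, for this signer set."""
    num = den = 1
    for j in signers:
        if j != i:
            num, den = num * j % Q, den * (j - i) % Q
    return num * pow(den, -1, Q) % Q

def preprocess(i):
    """Signer i draws two secret nonces and publishes the two commitments to them."""
    d, e = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)
    return (d, e), (i, pow(G, d, P), pow(G, e, P))

def sign(msg, pk, shares, signers):
    """One signing round among `signers`; returns an ordinary Schnorr signature (R, z)."""
    pre = {i: preprocess(i) for i in signers}
    B = [pre[i][1] for i in signers]                    # commitment list held by the round leader
    rho = {i: H("rho", i, msg, B) for i in signers}     # binding factor per signer
    R = 1
    for i, D, E in B:
        R = R * D * pow(E, rho[i], P) % P               # group commitment
    c = H("chal", R, pk, msg)                           # challenge = H(commitment, PK, message)
    z = 0
    for i in signers:                                   # each signer's response, summed by the leader
        d, e = pre[i][0]
        z = (z + d + e * rho[i] + lagrange(i, signers) * shares[i] * c) % Q
    return R, z

def verify(msg, pk, sig):
    """Single-party Schnorr check: derive the expected commitment and compare."""
    R, z = sig
    c = H("chal", R, pk, msg)
    return pow(G, z, P) * pow(pk, -c, P) % P == R
```

With `keygen(7, 10)`, any seven distinct signers yield a signature that `verify` accepts, while six signers interpolate the wrong secret and the check fails.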
1. The abbreviation is often used to denote the private or Secret Key. While is used to denote the Public Key.
2. is a joint public key, while each signer holds a secret share and a public share . For example, private and public keys of the signers, generated with elliptic curve cryptography, can be used as and .
3. A DKG Protocol is an SSS (Shamir Secret Sharing) protocol, where each participant is a dealer.
4. Round Leaders are algorithmically elected in every round. This ensures leader rotation, so the XP.NETWORK bridge has no permanent signature aggregator, in contrast with some other FROST implementations.
5. The signature format & verification is identical to a single party Schnorr
6. This step cannot be inverted by an adversary who sees the response but does not know
7. The binding factor binds the shares to index , the message and the commitments tuples . This is the reason why FROST is secure against attacks.