Skip to main content

Threshold Multisignature

The threshold signature is a subset of Multisignature. A unique public key represents each participant. However, each participant's private key is kept secret. The full secret is never disclosed. Each participant signs using their part of the secret share. Therefore, the original secret can never be reconstructed by an external party.

FROST

A message or transaction will get through on condition that at least tt out of nn signers approve it. For example, if nn is ten signers and threshold tt is set to 0.7, at least seven participants must approve a transaction to go through, while three signers can stay inactive, down, or malicious.

An example of a Threshold Multisignature is FROST or Flexible Round-Optimized Schnorr Threshold Signature used since version 2.0 of the XP.NETWORK NFT Bridge.

FROST can be used in two forms:

  1. A two-round Schnorr threshold signing protocol
  2. A single-round protocol with preprocessing is an optimized version of the above, implemented by the XP.NETWORK NFT Bridge.

Signing operations can be done concurrently (in parallel) without impacting security. The FROST protocol is considered secure if an adversary controls up to tโˆ’1t-1 signers.

Compared with other Schnorr based Threshold protocols, FROST looks fast (1 round of signing), is parallel secure, and requires at least tt signers. FROST is less finality robust than "Stinsol Strobl", should nโˆ’t+1n-t+1 signers misbehave. It means that if malicious adversaries control enough signers that the benevolent ones can never reach the threshold, consensus will never be reached, and the transactions will not get through. For example, in a pool of ten signers with a threshold of 7 out of 10, if the adversaries control at least four signers, the threshold of 7 cannot be reached 10โˆ’4=610-4=6.

RoundsRobustReq.SignersParallel Secure
Stinsol Strobl4YesttYes
Gennaro et al.1+preprocessingNonnNo
FROST1+preprocessingNottYes

Pic.1 Schnorr Comparative Table

Schnorr quick recap

StepSignerExchangeVerifierExplanation
1(x,Y)โ†KeyGen()(x,Y)\leftarrow KeyGen()SK1 = Private (xx) &
PK = public (YY2) keys generation using a DKG Protocol3
2โ†(m,ย Y)\xleftarrow[]{\text(m,~ Y)}The verifier wants a message mm to be signed
3kโ†Zqk \leftarrow Z_qA secret unique nonce is generated
4R=gkโˆˆG\mathbb{R} = g^k \in \mathbb{G}A commitment to the nonce is generated
5c=H(R,Y,m)c = H(\mathbb{R}, Y, m)A challenge is computed by hashing the commitment, PK, and the message
6z=k+cร—xz = k + c \times xResponse is the nonce plus the product of the challenge and the SK
7โ†’(m,ฯƒ=(R,z))\xrightarrow[]{\text(m,\sigma = (\mathbb{R}, z))}The signed message as the commitment & the response are returned to the Verifier
8c=H(R,Y,m)c = H(\mathbb{R}, Y, m)The verifier calculates the challenge
9Rโ€ฒ=gzร—Yโˆ’c\mathbb{R}' = g^z \times Y^{-c}The verifier derives the expected commitment
10Rโ€ฒ=?R\mathbb{R}' \stackrel{?}{=} \mathbb{R}If the derived commitment matches the one from the signature, the signature is valid

Pic.2 Schnorr Multisignature

FROST Preprocessing

StepSigner(i)ExchangeRound Leader4Explanation
1((dij,eij),ย ...)โ†Zqโˆ—ร—Zqโˆ—((d_{ij}, e_{ij}), ~ ...) \leftarrow \mathbb{Z}^*_q \times \mathbb{Z}^*_qEvery signer generates a tuple of 2 nonces.
2(Dij,Eij)=(gdij,geij)(D_{ij}, E_{ij}) = (g^{d_{ij}}, g^{e_{ij}})Then they generate 2 commitments to the above nonces.
3Store

((dij,Dij),(eij,Eij)),ย ...((d_{ij}, D_{ij}),(e_{ij}, E_{ij})), ~ ...
They store those values locally.
4โ†’((Dij,Eij),ย ...)\xrightarrow{\text((D_{ij}, E_{ij}), ~ ...)}If it is the 1st round, they publish the 1st commitments' round.
5Store

((Dij,Eij),ย ...)((D_{ij}, E_{ij}), ~ ...)
The round leader stores the commitments locally.

FROST signature built over Schnorr

StepSigner(i)ExchangeRound LeaderExplanation
1B=((1,D1,E1),...,(t,Dt,Et))B = ((1,D_1,E_1),...,(t,D_t,E_t))The round leader has collected enough signer commitments.
2โ†(m,B)\xleftarrow{(m,B)}The leader requests a message signature from the signers.
3ฯโ„“=H1(โ„“,m,B),โ„“,โˆˆS\rho_{\ell} = H_1(\ell,m,B), \\ \ell, \in S5The signers compute the challenge
4R=โˆโ„“โˆˆSDโ„“ร—(Eโ„“)ฯโ„“\mathbb{R} = \prod_{\ell \in S}D_{\ell} \times (E_{\ell})^{\rho_{\ell}}Signers generate the commitment as a product of the binding factors
5c=H2(R,Y,m)c = H_2(\mathbb{R},Y,m)Every signer generates a challenge
66zi=di+(eiร—ฯi)+ฮปiร—siร—cz_i = d_i + (e_i \times \rho_i) + \lambda_i \times s_i \times cThen they generate the response as a combination of the 2 nonces & the binding factor, secret share & the challenge
7โ†’Zi\xrightarrow{Z_i}Each signer sends the response to the round leader
8ฯƒ=(R,Z=โˆ‘Zi)\sigma = (\mathbb{R},Z = \sum Z_i)7The round leader submits a signed transaction to the blockchain

  1. The abbreviation SKSK is often used to denote the private or Secret Key. While PKPK is used to denote the Public Key.โ†ฉ
  2. YY is a joint public key, while each signer holds a secret share sis_i and a public share YiY_i. For example, private and public keys of the signers, generated with the elliptical curve cryptography, can be used as sis_i and YiY_i.โ†ฉ
  3. A DGK Protocol is an nโˆ’wisen-wise SSS (Shamir Secret Sharing) protocol, where each participant is a dealer.โ†ฉ
  4. Round Leaders are algorithmically elected in every round. It ensures leader rotations, eliminating a permanent signature aggregator in XP.NETWORK bridge by contrast with some other FROST implementations.โ†ฉ
  5. The signature format & verification is identical to a single party Schnorrโ†ฉ
  6. This step di+(eiร—ฯi)d_i + (e_i \times \rho_i) cannot be inverted by an adversary who sees the response but does not know (di,ei)(d_i, e_i)โ†ฉ
  7. The binding factor ฯ\rho binds the shares to index โ„“\ell, the message mm and the commitments tuples BB. This is the reason why FROST is secure against attacks.โ†ฉ