FROST Reference Implementation v1.0.0 Stable Release

The Zcash Foundation is excited to announce the first stable release of frost-core, a reference implementation of Two-Round Threshold Schnorr Signatures with FROST, written in Rust. This implementation has been fully audited and conforms to the latest and final version of the IRTF draft specification, which we are confident will soon make it as a final Informational RFC.

What FROST does and why it matters

FROST is a threshold multi-party signature scheme. It allows a key to be split into multiple shares (or even to be created in a distributed fashion without having to create an original unsplit key), and then enables creating a signature by aggregating multiple signature shares created by participants who hold key shares. The threshold means that a minimum number of participants are required to be able to create a signature.

In the context of Zcash, this means that FROST allows creating wallets where transactions have to be authorized by multiple participants. This has multiple benefits: it’s more robust, since if a participant loses a share, it is still possible for the other participants to sign transactions (and they can help to reissue the lost share); and in the same vein, if a participant gets hacked, the attacker won’t be able to solely sign transactions.

With the frost Rust library, the Zcash Foundation provides a reference implementation for the informational “Two-Round Schnorr Threshold Signatures with FROST” CFRG (Crypto Forum Research Group) Internet Draft. The CFRG is a general forum for discussing and reviewing uses of cryptographic mechanisms and is part of the Internet Research Task Force (IRTF), which in turn promotes research of importance to the evolution of the Internet protocols, applications, architecture and technology.

This release includes the frost-rerandomized variant, an adaptation to the FROST threshold signature scheme to make it unlinkable, which is a requirement for its use in the Zcash protocol. The adapted scheme generates signatures that are compatible with spend authorization signatures in the Zcash protocol, for the Sapling and Orchard network upgrades. This makes it possible for Zcash transactions to be authorized by more than one party, while preserving the privacy of individual signers.

Privacy-preserving threshold multi-party signatures for Zcash

Now that the frost reference implementation is production-ready we look forward to the acceptance of ZIP-312: “Shielded Multisignatures using FROST” and its implementation in the Zcash ecosystem. We will continue to work on a set of demos to show how some of the challenges for integration into wallets may be solved, as well as to provide a reference for implementers.

We would like to thank the following current and past ZF team members for their contributions to the FROST reference implementation; without their work and support, we would not have reached this milestone today:

Chelsea Komlo, Conrado P. L. Gouvêa, Natalie E., Deirdre Connolly, Pili Guerra, Alfredo Garcia, Teor, Marek Bielik, Henry de Valence, Jane Lusby, Josh Cincinnati, Antonie Hodge, Fungai Matambanadzo.

We would also like to thank all of the numerous external contributors to the spec and code base.

Thanks everyone involved. This is a huge moment for our community, for the world.

Great work to all those involved in strengthening the internet!
Its hard to stay focused on multi year project decisions.
Look forward to any demos.
Good leadership.

I want to add my personal thanks to everyone whose contributions - both past and ongoing - have helped FROST reach this stage.

This is a significant step, both in terms of progress towards making FROST signatures available for use with Zcash, and for the broader cause of financial privacy.

FROST is a significant cryptographic innovation in its own right (which is why it has attracted the CFRG’s interest), and has applications beyond cryptocurrency. For Zcash specifically, it brings a number of benefits.

While transparent ZEC can be protected using Bitcoin-style multisig, that doesn’t work for shielded ZEC, which means that shielded ZEC can’t address use cases that require that spend transactions are authorised by k of n keys (e.g. custody).

FROST for Zcash will fix that, thus fulfilling a key prerequisite for deprecating t-addresses.

It also has future uses in bridging ZEC to other chains, and, once ZSAs are implemented, bridging other assets to Zcash, as well as enabling k-of-n authorisation for asset issuance.

Beyond enabling specific use cases, FROST is more flexible than multisig. For example, a lost share can be recovered whereas, if a multisig keyholder loses their key, there’s no way to recover it (e.g. a 2-of-3 multisig would become a 2-of-2 multisig).

In short, FROST is cool.

Great work, Team Z!! Here’s a badass zebra unicorn called Frost, in your honor.

badass cypherpunk zebra wizard with a tattoo that says "FROST"1920×1920 370 KB

You’ll notice the difference between this one and the previous demo is the socket communication function which automates participant and coordinator communications, its nifty. Instead of copying and pasting all of the information, you pass it files. Also notice that the files tha the coordinator demo consumes are in binary format. You can use ‘xxd’ to convert between hex (the other required format) and binary

I’m happy to see how Zcash evolves