Go to file
Conrado Gouvea 60cc5b9124
docs: update demo section per new ciphersuite selection (#699)
2024-07-10 11:33:54 +00:00
.github
book
frost-core
frost-ed448
frost-ed25519
frost-p256
frost-rerandomized
frost-ristretto255
frost-secp256k1
gencode
.gitignore
.mergify.yml
Cargo.toml
LICENCE
LICENCE.MIT
LICENSE.Apache-2.0
README.md
codecov.yml
performance.md
plot.py
times-by-ciphersuite-and-function-10.png
times-by-ciphersuite-and-function-100.png
times-by-ciphersuite-and-function-1000.png
times-by-size-and-function-ristretto255-aggregated.png
times-by-size-and-function-ristretto255-all-shares.png
verify-aggregated-vs-all-shares-10.png
verify-aggregated-vs-all-shares-100.png
verify-aggregated-vs-all-shares-1000.png
zcash-frost-audit-report-20210323.pdf

README.md

ZF FROST (Flexible Round-Optimised Schnorr Threshold signatures)

CI

Crate Crates.io Documentation
Generic FROST implementation [frost-core] crates.io Documentation
Ristretto255 ciphersuite [frost-ristretto255] crates.io Documentation
Ed25519 ciphersuite [frost-ed25519] crates.io Documentation
Ed448 ciphersuite [frost-ed448] crates.io Documentation
P-256 ciphersuite [frost-p256] crates.io Documentation
secp256k1 ciphersuite [frost-secp256k1] crates.io Documentation
Generic Re-randomized FROST [frost-rerandomized] crates.io Documentation

Rust implementations of 'Two-Round Threshold Schnorr Signatures with FROST'.

Unlike signatures in a single-party setting, threshold signatures require cooperation among a threshold number of signers, each holding a share of a common private key. The security of threshold schemes in general assume that an adversary can corrupt strictly fewer than a threshold number of participants.

'Two-Round Threshold Schnorr Signatures with FROST' presents a variant of a Flexible Round-Optimized Schnorr Threshold (FROST) signature scheme originally defined in FROST20. FROST reduces network overhead during threshold signing operations while employing a novel technique to protect against forgery attacks applicable to prior Schnorr-based threshold signature constructions.

Besides FROST itself, this repository also provides:

Getting Started

Refer to the ZF FROST book.

Status ⚠

The FROST specification is not yet finalized, though no significant changes are expected at this point. This code base has been partially audited by NCC, see below for details. The APIs and types in the crates contained in this repository follow SemVer guarantees.

NCC Audit

NCC performed an audit of the v0.6.0 release (corresponding to commit 5fa17ed) of the following crates:

  • frost-core
  • frost-ed25519
  • frost-ed448
  • frost-p256
  • frost-secp256k1
  • frost-ristretto255

This includes key generation (both trusted dealer and DKG) and FROST signing. This does not include rerandomized FROST.

The parts of the Ed448-Goldilocks dependency that are used by frost-ed448 were also in scope, namely the elliptic curve operations.

All issues identified in the audit were addressed by us and reviewed by NCC.

Usage

frost-core implements the base traits and types in a generic manner, to enable top-level implementations for different ciphersuites / curves without having to implement all of FROST from scratch. End-users should not use frost-core if they want to sign and verify signatures, they should use the crate specific to their ciphersuite/curve parameters that uses frost-core as a dependency.