FROST: Flexible Round-Optimized Schnorr Threshold Signatures

Komlo, Chelsea; Goldberg, Ian

doi:10.1007/978-3-030-81652-0_2

Cited by 57 publications

(30 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Using these protocols, a certain set of parties may transfer their joint right to generate a signature to any subset among themselves equal to or a Correspondence should be addressed to Nikita Snetkov: nikita.snetkov@cyber.ee larger than a specific threshold. There are threshold variants of RSA [62,31,22], Schnorr [49,56,29,27], Ed-DSA [44,15,57,50] and ECDSA [52,35,23,1,67] signatures, which could be used in the blockchain infrastructure or as an authentication solution [21]. With several parties being required to participate in the generation of a signature, it is not unreasonable to somewhat relax the security requirements on any single party, related to the storage or handling of its private key material.…”

Section: Introductionmentioning

confidence: 99%

TOPCOAT: Towards Practical Two-Party Crystals-Dilithium

Snetkov,

Vakarjuk,

Laud

2024

Preprint

View full text Add to dashboard Cite

The development of threshold protocols based on lattice-signature schemes has been of increasing interest in the past several years. The main research focus was towards protocols constructed for various variants of Crystals-Dilithium, future NIST digital signature standard known as ML-DSA. In this work, we propose TOPCOAT, a two-party lattice-based signature algorithm that embodies Dilithium's compression techniques. The aforesaid result is achieved by introducing a new hinting mechanism that allows parties to collaboratively calculate $\textsf{HighBits}$. Our hinting mechanism allows public key compression similar to Dilithium. Additionally, we suggest an optimization technique to minimize number of restarts both parties need to produce a valid signature. We prove security of our scheme under MLWE and MSIS assumptions in ROM, and provide implementation of our proposed scheme. As additional contribution, we present vulnerabilities and inconsistencies found in Liu et al. work which aimed to construct distributed lattice-based signature protocol.

show abstract

Section: Introductionmentioning

confidence: 99%

TOPCOAT: Towards Practical Two-Party Crystals-Dilithium

Snetkov,

Vakarjuk,

Laud

2024

Preprint

View full text Add to dashboard Cite

show abstract

“…However, to the best of our knowledge, these schemes are all either for the honest majority setting (e.g. [GJKR96,SS01]), are proven secure via a reduction to the discrete log problem in the random-oracle model (e.g., [MOR01,AB21,BN06]), or use non-standard assumptions like the one-more discrete log assumption and/or idealized generic group model assumptions (e.g., [KG20,AB21,NRS21,CKM21]). When reducing to the discrete log problem directly, these proofs of security rely on variants of the forking lemma.…”

Section: Introductionmentioning

confidence: 99%

Simple Three-Round Multiparty Schnorr Signing with Full Simulatability

Lindell

2024

IACR CiC

View full text Add to dashboard Cite

In a multiparty signing protocol, also known as a threshold signature scheme, the private signing key is shared amongst a set of parties and only a quorum of those parties can generate a signature. Research on multiparty signing has been growing in popularity recently due to its application to cryptocurrencies. Most work has focused on reducing the number of rounds to two, and as a result: (a) are not fully simulatable in the sense of MPC real/ideal security definitions, and/or (b) are not secure under concurrent composition, and/or (c) utilize non-standard assumptions of different types in their proofs of security. In this paper, we describe a simple three-round multiparty protocol for Schnorr signatures that is secure for any number of corrupted parties; i.e., in the setting of a dishonest majority. The protocol is fully simulatable, secure under concurrent composition, and proven secure in the standard model or random-oracle model (depending on the instantiations of the commitment and zero-knowledge primitives). The protocol realizes an ideal Schnorr signing functionality with perfect security in the ideal commitment and zero-knowledge hybrid model (and thus the only assumptions needed are for realizing these functionalities). In our presentation, we do not assume that all parties begin with the message to be signed, the identities of the participating parties and a unique common session identifier, since this is often not the case in practice. Rather, the parties achieve consensus on these parameters as the protocol progresses.

show abstract

“…Usually, most of the algorithms that verify credentials through signatures are based on a single key [9,10], and the private key that the user has can be a single point of failure. To solve this problem, Multiparty Computation (MPC) based digital signature protocols that perform threshold signing using distributed key shares through secret sharing rather than a conventional digital signature algorithm with a single signing key are continuously being studied [11][12][13][14][15].…”

Section: Introductionmentioning

confidence: 99%

“…The multiparty distributed signature algorithm used in the proposed method is implemented using Komlo's Flexible Round-Optimized Schnorr Threshold (FROST) signature [15], a threshold signature algorithm based on the Schnorr signature [16]. In the key generation process of the FROST, n participants jointly participate in the generation, and one private key is divided into n pieces and stored separately.…”

Section: Introductionmentioning

confidence: 99%

A Study on the Interoperability Technology of Digital Identification Based on WACI Protocol with Multiparty Distributed Signature

Kim

Choi

et al. 2023

Sensors

View full text Add to dashboard Cite

In digital identity authentication, credentials are typically stored in a digital wallet and authenticated through a single key-based signature and public key verification. However, ensuring compatibility between systems and credentials can be challenging and the existing architecture can create a single point of failure, which can hinder system stability and prevent data interchange. To address this problem, we propose a multiparty distributed signature structure using FROST, a Schnorr signature-based threshold signature algorithm, applied to the WACI protocol framework for credential interaction. This approach eliminates a single point of failure and secures the signer’s anonymity. Additionally, by following standard interoperability protocol procedures, we can ensure interoperability during the exchange of digital wallets and credentials. This paper presents a method that combines a multiparty distributed signature algorithm and an interoperability protocol, and discusses the implementation results.

show abstract

FROST: Flexible Round-Optimized Schnorr Threshold Signatures

Cited by 57 publications

References 21 publications

TOPCOAT: Towards Practical Two-Party Crystals-Dilithium

TOPCOAT: Towards Practical Two-Party Crystals-Dilithium

Simple Three-Round Multiparty Schnorr Signing with Full Simulatability

A Study on the Interoperability Technology of Digital Identification Based on WACI Protocol with Multiparty Distributed Signature

Contact Info

Product

Resources

About