serai/docs/cryptography/FROST.md

# FROST

Serai implements [FROST](https://eprint.iacr.org/2020/852), as specified in
[draft-irtf-cfrg-frost-11](https://datatracker.ietf.org/doc/draft-irtf-cfrg-frost/).

### Modularity

In order to support other algorithms which decompose to Schnorr, our FROST
implementation is generic, able to run any algorithm satisfying its `Algorithm`
trait. With these algorithms, there's frequently a requirement for further
transcripting than what FROST expects. Accordingly, the transcript format is
also modular so formats which aren't naive like the IETF's can be used.

### Extensions

In order to support algorithms which require their nonces be represented across
multiple generators, FROST supports providing a nonce's commitments across
multiple generators. In order to ensure their correctness, an extended
[CP93's Discrete Log Equality Proof](https://chaum.com/wp-content/uploads/2021/12/Wallet_Databases.pdf)
is used. The extension is simply to transcript `n` generators, instead of just
two, enabling proving for all of them at once.

Since FROST nonces are binomial, every nonce would require two DLEq proofs. To
make this more efficient, we hash their commitments to obtain a binding factor,
before doing a single DLEq proof for `d + be`, similar to how FROST calculates
its nonces (as well as MuSig's key aggregation).

As some algorithms require multiple nonces, effectively including multiple
Schnorr signatures within one signature, the library also supports providing
multiple nonces. The second component of a FROST nonce is intended to be
multiplied by a per-participant binding factor to ensure the security of FROST.
When additional nonces are used, this is actually a per-nonce per-participant
binding factor.

When multiple nonces are used, with multiple generators, we use a single DLEq
proof for all nonces, merging their challenges. This provides a proof of `1 + n`
elements instead of `2n`.

Finally, to support additive offset signing schemes (accounts, stealth
addresses, randomization), it's possible to specify a scalar offset for keys.
The public key signed for is also offset by this value. During the signing
process, the offset is explicitly transcripted. Then, the offset is added to the
participant with the lowest ID.

# Caching

modular-frost supports caching a preprocess. This is done by having all
preprocesses use a seeded RNG. Accordingly, the entire preprocess can be derived
from the RNG seed, making the cache just the seed.

Reusing preprocesses would enable a third-party to recover your private key
share. Accordingly, you MUST not reuse preprocesses. Third-party knowledge of
your preprocess would also enable their recovery of your private key share.
Accordingly, you MUST treat cached preprocesses with the same security as your
private key share.

Since a reused seed will lead to a reused preprocess, seeded RNGs are generally
frowned upon when doing multisignature operations. This isn't an issue as each
new preprocess obtains a fresh seed from the specified RNG. Assuming the
provided RNG isn't generating the same seed multiple times, the only way for
this seeded RNG to fail is if a preprocess is loaded multiple times, which was
already a failure point.
Document extensions to FROST Also makes misc other doc corrections. 2022-12-08 01:23:25 +00:00			`# FROST`

			`Serai implements [FROST](https://eprint.iacr.org/2020/852), as specified in`
			`[draft-irtf-cfrg-frost-11](https://datatracker.ietf.org/doc/draft-irtf-cfrg-frost/).`

			`### Modularity`

			`In order to support other algorithms which decompose to Schnorr, our FROST`
			implementation is generic, able to run any algorithm satisfying its `Algorithm`
			`trait. With these algorithms, there's frequently a requirement for further`
			`transcripting than what FROST expects. Accordingly, the transcript format is`
			`also modular so formats which aren't naive like the IETF's can be used.`

			`### Extensions`

			`In order to support algorithms which require their nonces be represented across`
			`multiple generators, FROST supports providing a nonce's commitments across`
Correct FROST DLEq documentation 2022-12-08 01:32:08 +00:00			`multiple generators. In order to ensure their correctness, an extended`
Document extensions to FROST Also makes misc other doc corrections. 2022-12-08 01:23:25 +00:00			`[CP93's Discrete Log Equality Proof](https://chaum.com/wp-content/uploads/2021/12/Wallet_Databases.pdf)`
Correct FROST DLEq documentation 2022-12-08 01:32:08 +00:00			is used. The extension is simply to transcript `n` generators, instead of just
Offer a multi-DLEq proof which simply merges challenges for n underlying proofs This converts proofs from 2n elements to 1+n. Moves FROST over to it. Additionally, for FROST's binomial nonces, provides a single DLEq proof (2, not 1+2 elements) by proving the discrete log equality of their aggregate (with an appropriate binding factor). This may be split back up depending on later commentary... 2023-01-01 14:16:09 +00:00			`two, enabling proving for all of them at once.`

			`Since FROST nonces are binomial, every nonce would require two DLEq proofs. To`
			`make this more efficient, we hash their commitments to obtain a binding factor,`
			before doing a single DLEq proof for `d + be`, similar to how FROST calculates
			`its nonces (as well as MuSig's key aggregation).`
Document extensions to FROST Also makes misc other doc corrections. 2022-12-08 01:23:25 +00:00
			`As some algorithms require multiple nonces, effectively including multiple`
			`Schnorr signatures within one signature, the library also supports providing`
			`multiple nonces. The second component of a FROST nonce is intended to be`
			`multiplied by a per-participant binding factor to ensure the security of FROST.`
			`When additional nonces are used, this is actually a per-nonce per-participant`
			`binding factor.`

Offer a multi-DLEq proof which simply merges challenges for n underlying proofs This converts proofs from 2n elements to 1+n. Moves FROST over to it. Additionally, for FROST's binomial nonces, provides a single DLEq proof (2, not 1+2 elements) by proving the discrete log equality of their aggregate (with an appropriate binding factor). This may be split back up depending on later commentary... 2023-01-01 14:16:09 +00:00			`When multiple nonces are used, with multiple generators, we use a single DLEq`
			proof for all nonces, merging their challenges. This provides a proof of `1 + n`
			elements instead of `2n`.

Document extensions to FROST Also makes misc other doc corrections. 2022-12-08 01:23:25 +00:00			`Finally, to support additive offset signing schemes (accounts, stealth`
			`addresses, randomization), it's possible to specify a scalar offset for keys.`
			`The public key signed for is also offset by this value. During the signing`
3.6.8 Simplify offset splitting This wasn't done prior to be 'leaderless', as now the participant with the lowest ID has an extra step, yet this is still trivial. There's also notable performance benefits to not taking the previous dividing approach, which performed an exp. 2023-03-01 06:06:13 +00:00			`process, the offset is explicitly transcripted. Then, the offset is added to the`
			`participant with the lowest ID.`
Support caching preprocesses in FROST (#190) * Remove the explicit included participants from FROST Now, whoever submits preprocesses becomes the signing set. Better separates preprocess from sign, at the cost of slightly more annoying integrations (Monero needs to now independently lagrange/offset its key images). * Support caching preprocesses Closes https://github.com/serai-dex/serai/issues/40. I could have added a serialization trait to Algorithm and written a ton of data to disk, while requiring Algorithm implementors also accept such work. Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as secure as the regular RNG. Rebuilding from cache simply loads the previously used Chacha seed, making the Algorithm oblivious to the fact it's being rebuilt from a cache. This removes any requirements for it to be modified while guaranteeing equivalency. This builds on the last commit which delayed determining the signing set till post-preprocess acquisition. Unfortunately, that commit did force preprocess from ThresholdView to ThresholdKeys which had visible effects on Monero. Serai will actually need delayed set determination for #163, and overall, it remains better, hence it's inclusion. * Document FROST preprocess caching * Update ethereum to new FROST * Fix bug in Monero offset calculation and update processor 2022-12-09 00:04:35 +00:00
			`# Caching`

			`modular-frost supports caching a preprocess. This is done by having all`
			`preprocesses use a seeded RNG. Accordingly, the entire preprocess can be derived`
			`from the RNG seed, making the cache just the seed.`

			`Reusing preprocesses would enable a third-party to recover your private key`
			`share. Accordingly, you MUST not reuse preprocesses. Third-party knowledge of`
			`your preprocess would also enable their recovery of your private key share.`
			`Accordingly, you MUST treat cached preprocesses with the same security as your`
			`private key share.`

			`Since a reused seed will lead to a reused preprocess, seeded RNGs are generally`
			`frowned upon when doing multisignature operations. This isn't an issue as each`
			`new preprocess obtains a fresh seed from the specified RNG. Assuming the`
			`provided RNG isn't generating the same seed multiple times, the only way for`
			`this seeded RNG to fail is if a preprocess is loaded multiple times, which was`
			`already a failure point.`