FROST implementation #2225
FROST implementation #2225
Conversation
|
CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅ |
github-actions
bot
added
the
admin-review
|
I have read and hereby sign the Contributor License Agreement. |
Fiono11
force-pushed
the
master
branch
2 times, most recently
from
a931676
to
6a16b83
Compare
Fiono11
force-pushed
the
master
branch
21 times, most recently
from
fdcbdb8
to
574a8f8
Compare
Fiono11
force-pushed
the
master
branch
2 times, most recently
from
9d2cbc3
to
af41a3a
Compare
Fiono11
force-pushed
the
master
branch
2 times, most recently
from
d2e5edd
to
fd19b07
Compare
|
|
||
| The high level flow of the DKG protocol is the following: | ||
| 1. One participant sends the message to start the DKG to the server, which includes the addresses of the participants, the threshold $t$ and a commitment random polynomial of degree $t - 1$. | ||
| 2. The server verifies the message, asks if the other wallets want to participate in the protocol and, if yes, sends the first message to them. |
There was a problem hiding this comment.
@Fiono11 since this happens off-chain (if I understand correctly), which address/network protocol (see step 1) does the server use to contact the participants?
There was a problem hiding this comment.
This would happen off-chain, yes. The network protocol used would be Secure WebSockets (WSS). The idea is that each client (wallet), if interested, would connect to the server (whose address would be hardcoded in the wallet) through an authenticated channel and the server would do the mapping between the public key addresses (accounts) and the network addresses of the clients, so that it can forward the messages between them.
| <table align="center"> | ||
| <tr> | ||
| <td><img src="https://github.com/Fiono11/grant-/blob/main/create.jpg?raw=true" alt="Create Image" style="max-width: 100%;"></td> | ||
| <td><img src="https://github.com/Fiono11/grant-/blob/main/transfer.jpg?raw=true" alt="Transfer Image" style="max-width: 100%;"></td> | ||
| </tr> | ||
| </table> |
There was a problem hiding this comment.
Has Talisman consent to you using their logos and branding here? If not, I suggest to change it.
applications/FROST.md
Outdated
| ### Milestone 1 - FROST Protocol Libraries Implementation | ||
|
|
||
| - **Estimated duration:** 1 month | ||
| - **FTE:** 1 | ||
| - **Costs:** 5,000 USD | ||
|
|
||
| | Number | Deliverable | Specification | | ||
| | -----: | ----------- | ------------- | | ||
| | **0a.** | License | GPLv3 | | ||
| | **0b.** | Documentation | We will provide both **inline documentation** of the code and a basic **tutorial** that explains how a user can use both libraries to implement the FROST protocol, which will show how the new functionality works. | | ||
| | **0c.** | Testing and Testing Guide | Core functions will be fully covered by comprehensive unit tests to ensure functionality and robustness. In the guide, we will describe how to run these tests. | | ||
| | **0d.** | Article | We will publish an **article**/workshop that explains how the FROST protocol and the libraries work. | | ||
| | **1.a** | Client-side library | We will implement a client-side library for the FROST protocol compatible with Substrate in Typescript. | | ||
| | **1.b** | Server-side library | We will implement a server-side library for the FROST protocol compatible with Substrate in Rust. | | ||
|
|
||
| ### Milestone 2 - Proof of Concept Threshold Signature Implementation | ||
|
|
||
| - **Estimated duration:** 1 month | ||
| - **FTE:** 1 | ||
| - **Costs:** 5,000 USD | ||
|
|
||
| | Number | Deliverable | Specification | | ||
| | -----: | ----------- | ------------- | | ||
| | **0a.** | License | GPLv3 | | ||
| | **0b.** | Documentation | We will provide both **inline documentation** of the code and a basic **tutorial** that explains how a group of users can generate a shared public key and use the corresponding secret key to sign threshold signatures multiple times without revealing it, which will show how the new functionality works. | | ||
| | **0c.** | Testing and Testing Guide | Core functions will be fully covered by comprehensive unit tests to ensure functionality and robustness. In the guide, we will describe how to run these tests. | | ||
| | **0d.** | Article | We will publish an **article**/workshop that explains how the Proof of Concept works under the hood and how it can be used from a user perspective. | | ||
| | **1.a** | Client Implementation | We will implement a client in Typescript compatible with Substrate as a fork of Talisman (https://github.com/TalismanSociety/talisman) using the client-side library. | | ||
| | **1.b** | Server Implementation | We will implement a server in Rust compatible with Substrate using the server-side library. | | ||
| | **1.c** | Proof of Concept Threshold Signature Implementation | We will integrate both the client and the server as a Proof of Concept Threshold Signature implementation compatible with Substrate and ready to be utilized by the end user. | |
There was a problem hiding this comment.
Could you add the Docker deliverable here as well, as it's usually mandatory?
There was a problem hiding this comment.
I force pushed by mistake doing this, sorry.
takahser
added
the
changes requested
|
I'll remark that FROST like protocols fit concensus poorly, due to their aborts problem. In FROST, the FRO represents an attempt to address this, but not really successful, and afaik its abandonded in standards work. As an exception a third round concensus protocol like BEEFY could deploy something more complex. Anyways.. FROST-like protocols are quite useful for accounts of course, which you're seemingly focused on here. In principle, any DKG works among a small signer set, but there is seemingly new DKG work that should be considered asking for code. We'll look into it some. It's worth discussing soft derivations perhaps too. As an aside, there were two original proofs of security for FROST-like protocols, the one by me, and the one by blockstream. FROST never had a security proof, though later Mary Maller & Elizabeth crites did one that's more modular than the original proofs. Anyways.. I doubt substrate has much bearing upon the threshold signing by accounts. We'd instead want:
Afaik, there is no substrate integration at all, but maybe something like the bip39 thing being sucked in makes a mess of derivations. I'm happy to dizcuss this further, maybe on some call, but I really should get cautht up on the Dan Boneh's new DKG idea first. It's maybe just overkill for accounts, but.. |
|
Anyways, these are the two schnorrkel issues on doing this: w3f/schnorrkel#12 As you're only asking for $10k, I think the schnorrkel side plus some sort of proof-of-concent usage, even just command line, suffices. In other words, the crypto devliverables should be schnorrkel PRs. The one part that I'm kind picky about is that the abstraction in schnorrkel be clean-ish. I do not seem to have explained what that means well in those issues, but one reasons is it maybe worth doing the VRF version too sometime in the future. Anyways let's chat briefly sometime. We can ignore Dan Boneh's DKG I think, since at minimum it'd require defining some new curve, and using bulletproofs. |
Thanks for the feedback, Jeff! What about ROAST? It may provide the robustness that FROST like protocols lack. Interestingly, while doing research, I found this thread where Victor Shoup hints that IC is adapting their robust threshold ECDSA to Schnorr here. However, I did not find any public development about this. |
I will have a look at these issues and then send you an email so that we can chat more. Overall, I think that this work may provide a good basis for future developments and new important use cases . |
|
After some more research, my comments regarding Jeff's feedback are the following:
Taking this into account, I think it makes sense to close this application and create a new one that follows the direction of Jeff's ideas in this initial stage. So, the milestones of the project would be something like this:
What do you think, @burdges ? Either way, I sent you an email if you want to talk more. |
@Fiono11 in that case, I'm going to close this PR. Feel free to open up a new one, once you think it's ready. You can still comment on this PR to keep the conversation going, or you can do it via email, it's up to you. @burdges thanks for your participation! |
|
In milestone 1, I do deliverables 1 & 2 in the opposite order myself, but they're kinda orthogonal really, so this maybe a matter of taste. We'll chat with Elizabeth Crites sometime, since she works for us now. We've many issues beoing discussed by the standards folk, only some of which I've followed closely. We'll want linear combination shared across participants I think, not sure what they call this. I still dislike this being called FROST beccause the FRO part failed completely. How do we index participants? I'd lean towards randomly becuase then one can hide the number of participants this way. I'm afraid this kills FFT options, but that's not really available in curve25519-dalek anyways, and the merkle tree usage could mess things up. Ain't so clear this matter though. |
I do not think the FRO refers to the robustness of the protocol but to the fact that you can commit many pair of nonces in the preprocessing signing stage. If you do that, you can sign with only one round instead of two, hence the flexible part. I believe the linear combination shared across participants you are referring to is the FROST2 optimization (being Elizabeth Crites one of the authors of the paper), where the hash value used in the linear combination of each pair of nonces is shared between signers. Anyway, I will write the new application and then we can iron out the details. |
|
FRO = Flexible round optimized It refers to batching the first round. If you batch the first round, then you must prevent nonce reuse somehow, which becomes a hardware problem, meaning you cannot simply persist them to disk on a typical computer. Instead, you need either the ephemeral natue of RAM, which you enforce in rust using session types, or else if you must persist them then you need special hardware that prevents missuse, like a hardware signer or TEE. In brief, we should not implement FROST per se, in the sense that we should use session types to prevent the FRO. I think the standards process envisions removing the FRO but keeping the name FROST, FROST2, etc. Anyways.. Appologies for being MIA over the last week, at a conference. I'm basically not worried about the struggle over exact security assumptions, so I'm happy to use the most flexible FROST flavor, afaik none of them become too complex. We can chat voice sometime maybe? |
Makes sense. But, in practice, is encrypting and deleting the nonces from the disk after using it good enough, security wise? Anyway, they indeed removed the FRO in the standard draft but kept the name FROST, which is a little bit confusing. Sure! Feel free to respond to the email I sent you to arranje a meeting. Either way, I submitted the new application in PR #2250, if you want to review it. |
Project Abstract
This document outlines the proposal for implementing FROST, a threshold signature protocol based on the Schnorr signature scheme, within the Substrate ecosystem. It provides a more scalable, cheaper, more user-friendly and privacy-preserving alternative to current multisig solutions. This protocol is particularly designed for scenarios with a large number of signers, ensuring both efficiency and signer anonymity.
Grant level
Application Checklist
project_name.md).@_______:matrix.org(change the homeserver if you use a different one)