Re: [Cfrg] Call for adoption: Threshold Signatures

Chelsea Komlo <> Tue, 20 October 2020 14:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EAA3C3A0B39 for <>; Tue, 20 Oct 2020 07:25:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vC1SsLDqkY9m for <>; Tue, 20 Oct 2020 07:25:12 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 812923A0C67 for <>; Tue, 20 Oct 2020 07:25:12 -0700 (PDT)
Received: from pps.filterd ( []) by ( with SMTP id 09KEN6Mx006517; Tue, 20 Oct 2020 10:25:06 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=default; bh=ECS+/GFuM1K+D5tXBbAZqiCaWZVU8M5Xz8Ec533ki/Q=; b=RiexRoNwnkIIBg5p5p/RnPIib0YaGWRELiofeNOqVgGVltHmqJLCwIGluIF9u5r2JwJq j2IjNImmcSSldQcv1E9+/bvmoskxeA9wOycwwQL2IJaFYLbtEKQzCyyM/ZMAJjq2tSg4 eYd1d8S0Shrot7QNaRy+4XIygiUxaqxKzII=
Received: from ( []) by with ESMTP id 347tphcb0u-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Tue, 20 Oct 2020 10:25:06 -0400
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2044.4; Tue, 20 Oct 2020 10:25:05 -0400
Received: from ([fe80::28cc:77d3:dedf:a4e9]) by ([fe80::28cc:77d3:dedf:a4e9%18]) with mapi id 15.01.2044.004; Tue, 20 Oct 2020 10:25:05 -0400
From: Chelsea Komlo <>
To: Jeff Burdges <>, Nick Sullivan <>, IRTF CFRG <>
Thread-Topic: [Cfrg] Call for adoption: Threshold Signatures
Thread-Index: AQHWnZDi+VMQ29Y2Mkaes3ik/2ZS3qmULfgAgAxtE3Q=
Date: Tue, 20 Oct 2020 14:25:05 +0000
Message-ID: <>
References: <>, <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_7bf9af1aaa00475e95a98b6aa360d5fcuwaterlooca_"
MIME-Version: 1.0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=999 clxscore=1011 suspectscore=0 adultscore=0 lowpriorityscore=0 spamscore=0 priorityscore=1501 phishscore=0 mlxscore=0 bulkscore=0 impostorscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2010200098
Archived-At: <>
Subject: Re: [Cfrg] Call for adoption: Threshold Signatures
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 20 Oct 2020 14:25:15 -0000

Hi Jeff,

Optimization to a single-round signing scheme. The ability to perform single-round (or async) signing is desirable for many implementers (and publishing public ephemeral values is a common technique in other cryptographic protocols). While misuse is possible, rollback issues are also possible in a two-round scheme as checkpoints can occur between rounds.

However, we believe discussion and the decision on this point should be made in the working group, so we won't elaborate further.

Proof of Security for FROST. We have carefully reviewed your points in this email and eprint. As you said, your proof technique cannot be extended to prove the security of FROST. However, this result does not entail that FROST is insecure. We also want to highlight the MuSig2 paper [1] that also independently discovered the "binding" (or "delinearization") technique that FROST uses. Their proof is in the AGM+ROM, and proves security for two nonces when the binding factor for the first nonce is 1 (exactly the pattern that we use in FROST). We can certainly provide more explanation of our proof and how it compares to proving security in the AGM.

Happy to answer other questions, but we would prefer more in-depth discussion in the working group.

Chelsea and Ian


From: Cfrg <> on behalf of Jeff Burdges <>
Sent: Monday, October 12, 2020 12:27 AM
To: Nick Sullivan; IRTF CFRG
Subject: Re: [Cfrg] Call for adoption: Threshold Signatures

> On 8 Oct 2020, at 18:33, Nick Sullivan <> wrote:
> Please give your views on the following questions:
> a) should this topic be adopted by the CFRG as a work item, and if so

There are numerous crap multi-signature implementations so yes maybe a good time.

> b) should one or both of these documents should be considered as a starting point for this work

I’ve not looked closely at either draft, so I’ll need to do so, but..

I do think a deliniarized witness approach works best, like what we deployed in January or what FROST switched to in July.  I’ll therefore only comment on two issues I see with the FROST paper.

1. Flexible rounds are a foot gun

These “flexible rounds” seem dangerous because they make witness freshness an implementation detail external to the cryptographic code.   I’m sure ZCash could deploy flexible rounds security for their use case because they work quite closely with their wallet developers.  It’s unlikely however that most organizations could deploy flexible rounds securely.  I’d therefore suggest that anything about flexible rounds be excluded from standards.

Also, there are actually three choices here, (1) MuSig-DN requires agreements by the first round, (2) deliniarized witnesses permit agreement on message and signer by the second round, and (3) flexible rounds abuses deliniarized witnesses by allowing "pre-witnesses” to be saved to disk to combine many first rounds into one setup round.

If you do want flexible rounds then you need quite patient and careful developers who do not mind inspecting the details of storage code, all application error handling, etc.  It’ll be very messy and expensive work.  I guess a TEE helps.

I’ve not even checked if the draft discusses flexible rounds.  If not, then no changes anyways.

2. FROST has no security proof

FORST has a proof for an interactive protocol, which they follow with a heuristic resembling Fiat-Shamir but "cross session".  It’s exactly this sort of argument against which Drijvers, et al. warned!  There is a time and place for heuristic arguments, but not right after Drijvers, et al. broke so many related arguments in

Also FROST also confuses this situation with their “one-shot VRF” terminology.  It’s true deliniarization produces PRF-like properties, but the resulting PRF is nothing like a VRF because the parameter acts differently.  If this miss-leading VRF terminology appears then it should be removed.

All that said, we have in what should be a correct security proof in AGM+ROM+KOSK+OMDL [0] for a related scheme, to which I gave the uninspired name 2-DWMS.  I’ll caution anyone who reads the proof that, although we never say forking or rewinding, our probabilistic method argument and H_0 tweak do use in full force that the Schnorr challenge oracle H is a random function (ROM).

Round 1.  Each candidate signer i proposes two pre-witnesses T_{i,j} = t_{i,j} G for j=1,2 (the 2-).
Round 2.  After agreement upon the message msg and signers [1] then everyone computes the aggregate public key X, a transcript of this data and the pre-witnesses
     trns = (msg, X, T_{1,1},T_{1,2},T_{2,1},…,T_{n,1},T_{n,2})
  and delinearization factors  \alpha_{i,j} = H_1(trns, i, j)  and a shared witness  S = \sum_{i,j} \alpha_{i,j} T_{i,j}.  Also compute and send a partial signature
     s_i = H(msg, X, S) sk_i + \alpha_{i,1} t_{i,1} + \alpha_{i,2} t_{i,2}
where sk_i is the ith signers secret key tweaked by Lagrange coefficients or whatever your scheme requires.

We broke 1-DWMS that delinearizes just one pre-witness.  FROST uses “1.5”-DWMS where signers supply two pre-witnesses (same first round), but alpha_{i,1} = 1 instead being a random oracle (one less scalar multiplication).  We broke the “1.5”-Entwined ROS property used internally by our security proof, so our security arguments depends upon alpha_{i,1} being a random oracle.  You therefore cannot deduce security for “1.5”-DWMS aka FROST using our current results.

At first I thought “1.5”-DWMS might be breakable with 1024 parallel sessions, but..  We'll likely prove security for “1.5”-DWMS after some recent improvements elsewhere, although this requires convincing myself of one fishy step.

Assuming we prove “1.5”-DWMS aka FROST to be secure, then there remains a sticky situation:  I suspect the “1.5”-entwined ROS break means alpha_{i,1} being a random oracle matters for some use cases like implicit certificates, and maybe even some “adaptor" signatures, meaning FROST becomes insecure under some Schnorr-like schemes with different verification rules.

As a standard, I’d tentatively suggest we "take the high road” by recommending 2-DWMS over “1.5”-DWMS, so that alpha_{i,1} becomes a random oracle in this draft, and each signer does one extra scalar multiplication per signer.  Again I’ve nothing concrete here so I might change my mind!  We should anyways caution users about using altered verification like implicit certificates, etc. without adapting security proofs to their altered verification.

> c) are you willing to help work on this item and/or review it

Yes in principle.  I suppose a draft normally cites external resources for formal arguments, yes?  If folk wish I could supply brief comments on correctly proving security for deliniarized witness schemes.  I’ll figure out if our improved proof applies to “1.5”-DWMS regardless.


[0]  AGM can mean several things, and the name sucks, but we need an AGM that lives closer to GGM than some extractor variants.

[1]  As hinted above, agreeing upon the signer set and message by the second round is much weaker than “flexible rounds” like FROST proposes.  FROST proposes that the pre-witness secrets t_{i,j} be saved to disk, so then restoring from backups compromises users' secret keys (either if done twice or if done once and under a k-sum attack).

Cfrg mailing list