Schnorr signature verification
threshold signatures
multi-sigs
blind signatures
...
on-chain
off-chain
\(t-1\) malicious signers cannot produce a valid signature.
\(t\) honest signers can reliably produce a valid signature (even if other \(n-t\) signers are malicious).
\(t\)-of-\(n\)
\(\textsf{SchnorrVerify}(\widetilde{pk},\sigma, m)\)
\(\widetilde{pk}\): ordinary Schnorr public key, obtained via interactive Distributed Key Generation (DKG)
\(\sigma\): ordinary Schnorr signature, obtained via interactive signing protocol involving at least \(t\) honest signers
"FROST: Flexible Round-Optimized Schnorr Threshold Signatures" (Komlo and Goldberg 2020)
Produces ordinary Schnorr signatures
Problem: FROST does not provide Robustness.
ROAST is a wrapper around FROST that turns it into a robust threshold signing protocol.
ROAST is a wrapper around FROST, a threshold Schnorr signature protocol.
ROAST turns FROST into a robust protocol.
[Figure: a coordinator and four signers]
Coordinator not trusted for unforgeability
Conventions
2-of-4 example
Run a session for every subset of size \(t\).
ROAST is a wrapper around the signing protocol of FROST, a threshold Schnorr signature scheme.
Observations
ROAST
Theorem (Robustness, informal)
The coordinator outputs a valid signature after initiating at most \(n-t+1\) signing sessions of FROST.
Proof idea.
Termination: Every signer can hold up at most one session, so \(n-t\) malicious signers can hold up at most \(n-t\) sessions.
Progress: \(t\) honest signers will respond eventually, so we can always eventually start a new session.
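The session bound from the theorem can be checked with a small simulation. This is an added example, not code from the paper or the prototype: it models only the coordinator's bookkeeping (no cryptography), and the names `roast_sessions` and `worst_case`, the FIFO delivery of replies, and the assumption that faulty signers never reply are all choices made for this illustration.

```python
from collections import deque
from itertools import combinations, permutations

def roast_sessions(n, t, faulty, order=None):
    """Simulate the coordinator; return (sessions started, signers of the finished session)."""
    ready = deque(range(n) if order is None else order)  # responsive signers, arrival order
    waiting = []         # waiting[sid]: members of session sid that have not replied yet
    members = []         # members[sid]: all t signers of session sid
    in_flight = deque()  # (signer, sid) replies that will eventually arrive
    while True:
        # Open a new session as soon as t signers are responsive.
        while len(ready) >= t:
            group = [ready.popleft() for _ in range(t)]
            sid = len(members)
            members.append(group)
            waiting.append(set(group))
            # Assumption: faulty signers never reply, honest ones always do.
            in_flight.extend((s, sid) for s in group if s not in faulty)
        if not in_flight:
            raise RuntimeError("stalled: fewer than t honest signers")
        signer, sid = in_flight.popleft()
        waiting[sid].discard(signer)
        if not waiting[sid]:      # all t replies received: session complete
            return len(members), members[sid]
        ready.append(signer)      # signer is responsive again

def worst_case(n, t):
    """Most sessions opened over all faulty sets (size <= n-t) and arrival orders."""
    worst = 0
    for f in range(n - t + 1):
        for faulty in combinations(range(n), f):
            for order in permutations(range(n)):
                started, _ = roast_sessions(n, t, set(faulty), order)
                worst = max(worst, started)
    return worst

if __name__ == "__main__":
    print(roast_sessions(4, 2, {0, 2}))        # 2-of-4 with two faulty signers
    print(worst_case(4, 2), worst_case(5, 3))  # exhaustive check on small parameters
```

Because a signer is removed from `ready` when its session starts and returns only after replying, every signer is pending in at most one session, which is what limits the count to \(n-t+1\).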
ROAST terminates after \(2(n-t) + 3 = O(n-t)\) asynchronous rounds.
Elliptic curve operations with fastecdsa library (GMP)
Network
| | 11-of-15 | 67-of-100 |
|---|---|---|
| Uncoordinated Attack | 0.6 s | 0.7 s |
| Coordinated Attack | 1 s | 7 s |
ROAST turns FROST into a threshold signing protocol that
Paper: https://ia.cr/2022/550
Prototype: https://github.com/robot-dreams/roast
[Figure labels: Signers, Coordinator]
[Plot axes: Fraction \(f/(n-t)\) of faulty signers; Running time [s]]
OP_CHECKSIGADD
Every signer is pending in at most one session.