Schnorr signature verification
threshold signatures
multi-sigs
blind signatures
...
on-chain
off-chain
\(t-1\) malicious signers cannot produce a valid signature.
\(t\) honest signers can reliably produce a valid signature. (Anti-DoS)
\(t\)-of-\(n\)
OP_CHECKSIGADD
Threshold signatures should look like ordinary Schnorr signatures!
"FROST: Flexible Round-Optimized Schnorr Threshold Signatures" (Komlo and Goldberg 2020)
Problem:
FROST does not provide Robustness.
Coordinator
Not trusted for unforgeability
Relied upon for robustness
Signer
ROAST is a wrapper around FROST that turns it into a robust threshold signing protocol.
Conventions
Run a session for every subset of size \(t\).
Observations
ROAST
Every signer is pending in at most one session.
Theorem (Robustness, informal)
The coordinator outputs a valid signature after initiating at most \(n-t+1\) signing sessions of FROST.
Proof idea.
Every signer can hold up at most one session, so \(n-t\) disruptive signers can hold up at most \(n-t\) sessions.
\(t\) honest signers will respond eventually, so we can always start a new session and make progress.
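The session bound can be checked with a simulation that contains no cryptography. The Python code below is an added example, not code from the talk or the prototype: it models only the coordinator's session scheduling as described in the ROAST paper, with signers that crash after the nonce round. The name `run_roast`, its parameters, and the FIFO message delivery are assumptions made for illustration.

```python
from collections import deque

def run_roast(n, t, crashing, nonce_order):
    """Simulate the coordinator's session scheduling (no cryptography).

    crashing: signers that send their initial nonce, then never reply.
    nonce_order: constructed order in which the n initial nonces arrive.
    Returns (sessions_started, id_of_finished_session or None).
    """
    responsive = []   # signers with a fresh nonce at the coordinator, in no session
    pending = {}      # signer -> id of the session it still owes a share to
    missing = {}      # session id -> number of shares still outstanding
    # Assumption: messages are delivered in FIFO order; sid None = initial nonce.
    inbox = deque((s, None) for s in nonce_order)
    started = 0
    while inbox:
        signer, sid = inbox.popleft()
        if sid is not None:            # signature share plus fresh nonce for session sid
            del pending[signer]
            missing[sid] -= 1
            if missing[sid] == 0:      # all t shares collected: signature complete
                return started, sid
        responsive.append(signer)
        if len(responsive) == t:       # t responsive signers: open a new session
            started += 1
            members, responsive = responsive, []
            missing[started] = t
            for m in members:
                assert m not in pending    # pending in at most one session
                pending[m] = started
                if m not in crashing:      # honest signers always answer eventually
                    inbox.append((m, started))
    return started, None               # fewer than t honest signers: no signature

if __name__ == "__main__":
    # Constructed 3-of-5 run: crashing signers 0 and 1 land in different sessions.
    print(run_roast(5, 3, {0, 1}, [0, 2, 3, 1, 4]))   # (3, 3), i.e. n-t+1 sessions
```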
Elliptic curve operations with fastecdsa library (GMP)
Network
Simulated Attacker:
\(n-t\) malicious signers crash after nonce round
Attack | 11-of-15 | 67-of-100 |
---|---|---|
Uncoordinated Attack | 0.6 s | 0.7 s |
Coordinated Attack | 1 s | 7 s |
ROAST turns FROST into a threshold signing protocol that
This talk: https://slides.com/real-or-random/roast-tabconf22/
Paper: https://ia.cr/2022/550
Blog post: https://medium.com/blockstream/ddda55a07d1b
Prototype: https://github.com/robot-dreams/roast