FROST
FROST
FROST: Flexible Round-Optimized Schnorr Threshold Signatures
threshold signature
基于schnorr signature, 注意c=H(R, Y, m)
Feldman’s Verifiable Secret Sharing (VSS) Scheme
t-1阶多项式f, f(0)=s,coffients为(a1, . . . , at−1)
distributing the private share (i, f (i)) to each participant Pi
C = 〈φ0, . . . , φt−1〉
φ0 = g^s
φj = g^aj
显然,可以用Lagrange校验
KeyGen
基于VSS。
Round 1:
每个Pi都随机生成自己的fi, 以ai0为私钥计算φi0=g^ai0的schnorr signature σi, 广播σi、Ci = 〈φi0, . . . , φi(t−1)〉。
Round 2:
Each Pi securely sends to each other participant Pl a secret share (l, fi(l))
Pi 校验g^fl(i)等于φlk^(i^k mod q), 0 ≤ k ≤ t-1的积,相当于Pi确认fi(l)与Pl发布的Cl匹配
Pi 计算
si = ∑ fl(i), 1 ≤ l ≤ n
Yi = g^si
Y = ∏ φj0, 1 ≤ j ≤ n
其他Pj可以校验Yi = ∏ ∏ φlk^(i^k mod q), 0 ≤ k ≤ t-1; 1 ≤ l ≤ n
si相当于每个Participants的f在i上取值的和,作为Pi的私钥
而Y相当于以每个Participants的f的0上取值的和求幂, 即为公共Public Key
Preprocess for signing
每个Pi随机生成nonce list ` ((dij , Dij), (eij , Eij)), 1 ≤ j ≤ π, Li是(Dij, Eij), 1 ≤ j ≤ π`的集合
一次Preprocess生成的π份nonce,可以算π次signature
用过即删
Signing
SA为此次Signing选择α : t ≤ α ≤ n participants, the next available commitment (Di, Ei) : i ∈ S集合记为B。
ρi = H1(i, m, B)
ki = di + ei · ρi
Ri = Di · Ei^(ρi)
zi = di + (ei · ρi) + λi · si · c
verify g^(zi) = Ri · Yi^(c·λi)
R = ∏ Ri, i∈S
z = ∑ zi, i∈S
σ = (R, z)
verify R = g^z · Y^(-c)
显然,secret nonce相当于k = ∑ki i∈S
FROST-Interactive
主要是ρi的区别
Preprocess
(i, 〈(Dij , Eij , Aij , Bij )〉, 1 ≤ j ≤ π)
注意Aij, Bij用于辅助校验ρi
Signing
SA公开所有ρi
ρi = aij + bij · Hρ(m, B)
每个Participant校验
g^ρi = = Aij · Bij^(Hρ(m,B))
ietf draft
Two-Round Threshold Schnorr Signatures with FROST
参数名贼长。。。
hiding_nonce: di
hiding_nonce_commitment: Di
binding_nonce: ei
binding_nonce_commitment_i: Ei
binding_factor: ρi
