FROST Backup Format

Frostsnap uses the FROST Backup Format, a seed-phrase-style backup designed specifically for FROST threshold signatures.

What a Backup Looks Like

After creating a wallet, you can display a backup on each device, for example:

#2 GLUE HARVEST MONKEY CONVINCE NATION TOWER CACTUS BELIEVE BOMB LAVA OFTEN FAMILY SENSE MOTION MOVIE APRIL NECK BLESS DAWN LIVE DELAY MAKE NERVE TOSS MELT

Each backup consists of:

  • A Key Index (e.g., #1, #2, #3) that identifies which share index this backup is for
  • 25 BIP39 words that encode your device's secret share and some checksums

This is intentionally similar to traditional Bitcoin seed phrases, making them familiar and easy to work with using standard backup methods like metal plates.

Not BIP39 Compatible

Important: While Frostsnap backups use BIP39 words, they are NOT compatible with standard BIP39 wallets.

Each backup is a Shamir secret share of your FROST key, not a complete seed phrase. You need a threshold number of these shares (e.g., 2-of-3) to reconstruct your key—no single backup can access your funds alone.
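Added example (not Frostsnap's code and not the specification's encoding): a 2-of-3 Shamir split, assuming the secp256k1 scalar field that Bitcoin keys use, showing why the Key Index has to be recorded with the words and why one share alone fixes nothing about the secret. It uses a single dealer polynomial for brevity, whereas FROST builds the polynomial through distributed key generation; all function names and sample values are constructed.

```python
# Added illustration, not Frostsnap code. All names and values are constructed.
import secrets

# Order of the secp256k1 group: shares are scalars modulo this prime.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def make_shares(secret, threshold, count):
    """Evaluate a random polynomial of degree threshold-1 at x = 1..count."""
    coeffs = [secret % N] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    shares = {}
    for x in range(1, count + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule
            y = (y * x + c) % N
        shares[x] = y  # x plays the role of the Key Index (#1, #2, #3)
    return shares


def reconstruct(shares):
    """Lagrange-interpolate at x = 0 from a {key_index: share_value} dict."""
    secret = 0
    for xi, yi in shares.items():
        num, den = 1, 1
        for xj in shares:
            if xj != xi:
                num = num * xj % N
                den = den * (xj - xi) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret


def slope_for_guess(index, value, guess):
    """Coefficient that makes any guessed secret fit a single 2-of-n share."""
    return (value - guess) * pow(index, -1, N) % N


if __name__ == "__main__":
    key = secrets.randbelow(N)
    s = make_shares(key, threshold=2, count=3)
    print("any two shares:", reconstruct({1: s[1], 3: s[3]}) == key)
    # Share #2's value filed under index #3 interpolates to a different secret.
    print("wrong index:   ", reconstruct({1: s[1], 3: s[2]}) == key)
    # One share alone is consistent with every candidate secret.
    a = slope_for_guess(2, s[2], guess=42)
    print("single share fits guess 42:", (42 + 2 * a) % N == s[2])
```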

Built-in Security Features

Polynomial Checksum

Each backup includes an 8-bit checksum that helps detect a specific type of attack where a malicious coordinator might try to trick your device into using the wrong public key after restoration.

How it protects you:

When you restore a device from backup, it verifies that the share belongs to the correct key before proceeding. If a malicious coordinator provides an incorrect public key:

  • Device detects the mismatch with 99.6% probability (255/256 chance)
  • Immediately alerts you to the malicious coordinator
  • Terminates the connection permanently
  • Requires manual intervention to continue

This automated verification is much stronger than traditional multisig, where users must manually verify that all restored devices display identical xpubs—a process often skipped in practice.

Fingerprint Grinding

The FROST Backup Format uses "fingerprint grinding" during key generation to embed a verifiable checksum in the polynomial itself. This enables some powerful features:

  • Automatic share discovery: If you have a mixed collection of backups, Frostsnap can automatically determine which shares belong to the same key
  • No external validation needed: You don't need to look on-chain or rely on external data to verify that backups are correct
  • Cross-system recovery: Backups can be recovered across different implementations that support the FROST Backup Format with compatible fingerprint grinding

Error Detection

The FROST Backup Format includes multiple layers of checksums:

  • Words checksum: The 25th word validates the other 24 words, detecting transcription errors
  • Polynomial checksum: Embedded in the backup to verify the share matches the correct key
  • Fingerprint validation: Ensures all shares discovered together actually belong to the same FROST key

Why the FROST Backup Format?

Traditional Shamir secret sharing for Bitcoin requires either trusting the dealer (who generates all shares) or complex multi-party computation. FROST's distributed key generation solves this—no single party ever knows the complete secret.

The FROST Backup Format is specifically designed to protect these distributed shares, with built-in safeguards against the unique attack vectors that threshold signatures face.

Technical Specification

For developers and those interested in the complete technical details, the full specification includes:

  • Complete bit layout of the 275-bit encoding
  • SHA256 checksum calculation details
  • Polynomial commitment encoding format
  • Implementation notes for all threshold values including 1-of-1
  • CLI tools for generating and reconstructing shares

View Full Technical Specification →