FROST Protocol

FROST (Flexible Round-Optimized Schnorr Threshold Signatures) (Komlo & Goldberg) is a threshold signature scheme that enables a threshold of signers to create a single, valid Schnorr signature without any individual participant ever possessing the complete private key.

FROST operates at a mathematical level. This is unlike traditional script-based multisignature, which is secured through conditions in Bitcoin Script involving multiple public keys. An important feature of FROST is that the group produces signatures under a single public key, providing many downstream benefits including privacy and transaction efficiency.

FROST vs Legacy Multisig

| Feature | Legacy Multisig | Frostsnap |
| --- | --- | --- |
| Transaction fees | ❌ Higher (script overhead) | ✅ Same as single-sig |
| Privacy | ❌ Visible on-chain | ✅ Completely hidden |
| Setup complexity | ❌ Technical, often complicated | ✅ Simple, guided |
| Device flexibility | ❌ Fixed after setup | ✅ Add/remove signers (coming soon) |
| Backup/Recovery | ❌ Descriptor metadata required | ✅ Simple T-of-N |
| Device trust model | ❌ Must trust each device | ✅ No single device trusted |

Evolution from Shamir's Secret Sharing

To understand FROST, it is helpful to first understand Shamir's Secret Sharing (SSS). SSS allows a secret to be split into multiple shares, where a threshold of those shares can reconstruct the original secret. However, SSS has two major security bottlenecks for high-assurance wallets:

FROST solves these issues by ensuring the secret is never instantiated in its entirety. It remains a distributed secret from the moment of generation through the moment of signing.

Threshold Privacy

Unlike legacy Bitcoin multisig (multisig scripts), a FROST signature is a single Schnorr signature, and your security configuration is never revealed onchain.

Distributed Entropy

There is no single physical or digital location where the wallet can be compromised. Each device contributes its own randomness to the group key.

Scalable Efficiency

Transaction fees remain constant regardless of the number of participants. The number of devices in your security arrangement is up to you.

Components of FROST

1. Distributed Key Generation (DKG)

During DKG, participants collaborate to generate a Group Public Key without any single participant ever knowing the corresponding Group Private Key. Each device generates and commits to a secret polynomial, then shares evaluations of that polynomial with other participants.

The result is that each device holds a Key Share. The Group Private Key exists only as the intercept of the collective group polynomial, but it is never actually computed or stored by any device.

2. Round-Optimization: Pre-caching Nonces

Eliminating Rounds of Communication

FROST is a threshold signature scheme particularly well suited to geographically distributed hardware, since it allows you to sign in a single round of communication, i.e. you only need to visit T devices once.

FROST is Round-Optimized because the first round of nonce generation can be performed ahead of time, caching a stockpile of nonces to be used in future signing sessions on-demand.

When it comes time to sign a transaction, the coordinator simply chooses a set of unused nonces, allowing devices to sign in a single round. Nonces are replenished alongside signatures so that they are seamlessly hidden from users.

3. Signing via Lagrange Interpolation

The core "magic" of FROST signing lies in Lagrange Interpolation. This mathematical technique allows a threshold of participants to compute a valid signature over a message using only their individual shares without ever reconstructing the group secret.

Each participant generates a Partial Signature. The Coordinator then aggregates these partials into a single, standard Schnorr signature. Because of Lagrange interpolation, the individual secret shares are never combined.
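A small simulation of the DKG and signing steps described above, added here as an illustration; it is not Frostsnap's code or the FROST authors' reference code. It assumes a constructed toy group (`P`, `Q`, `G`), uses one nonce per signer without FROST's binding factors, and skips verification of polynomial commitments; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def poly_eval(coeffs, x):
    """Evaluate a polynomial over Z_Q at x (Horner's rule)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % Q
    return y

def dkg(t, n):
    """Simulated DKG: each device picks its own degree t-1 polynomial (no commitment checks)."""
    polys = [[secrets.randbelow(Q) for _ in range(t)] for _ in range(n)]
    group_pub = 1
    for f in polys:
        group_pub = group_pub * pow(G, f[0], P) % P  # only public values are combined
    # Device i's key share is the sum of every polynomial evaluated at i.
    shares = {i: sum(poly_eval(f, i) for f in polys) % Q for i in range(1, n + 1)}
    return group_pub, shares  # the sum of the intercepts is never computed

def lagrange_at_zero(i, signers):
    """Coefficient lambda_i that weights share i when interpolating at x = 0."""
    num = den = 1
    for j in signers:
        if j != i:
            num, den = num * j % Q, den * (j - i) % Q
    return num * pow(den, -1, Q) % Q

def challenge(R, group_pub, msg):
    digest = hashlib.sha256(f"{R}|{group_pub}|".encode() + msg).digest()
    return int.from_bytes(digest, "big") % Q

def threshold_sign(shares, group_pub, msg, signers):
    """All signers simulated in one process; single nonce each (simplification)."""
    nonces = {i: secrets.randbelow(Q) for i in signers}  # pre-cached in practice
    R = 1
    for k in nonces.values():
        R = R * pow(G, k, P) % P
    c = challenge(R, group_pub, msg)
    partials = [(nonces[i] + c * lagrange_at_zero(i, signers) * shares[i]) % Q
                for i in signers]  # each partial uses one device's share only
    return R, sum(partials) % Q    # coordinator adds partials, never shares

def verify(group_pub, msg, sig):
    """Ordinary single-key Schnorr check: G^z == R * Y^c."""
    R, z = sig
    return pow(G, z, P) == R * pow(group_pub, challenge(R, group_pub, msg), P) % P
```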

The Role of the Coordinator

The Coordinator (the Frostsnap app on your phone or desktop) facilitates the movement of data between hardware devices. Its role is strictly limited to communication and verification:

  • Never has access to any Key Shares or the conceptual Group Private Key.
  • By verifiably contributing entropy during key generation and signing, the system is protected against compromised random number generators (RNGs) or malicious device behaviour.
  • This includes protection against nonce-based exfiltration attacks like Dark Skippy.

Further Reading