Trade-offs

Frostsnap is an ever-improving security system that adapts to constant technical challenges at the frontier of cryptography:

Signer Selection Constraint

Issue: You need to choose which devices will be signing at the beginning of a signing session.
This is because FROST requires devices to collaborate under an agreed-upon set of nonces that cannot change mid-signing session.

Future Mitigation: This can be alleviated for small-threshold multisigs by running parallel signing sessions with differing combinations of signers.

Single Hardware+Software Vendor

Frostsnap is currently the only FROST-based Bitcoin wallet on the market. While we hope to see more vendors adopt FROST in the future, the design already limits the trust placed in any single vendor:

  • ❄ Your phone or laptop acts as the coordinating device, verifiably contributing entropy and verifying all sensitive operations performed by the signing devices. This introduces a second, independent hardware vendor into key generation and every signing session.
  • ❄ Device firmware upgrades can be built deterministically, allowing anyone to independently verify and validate the code running on the devices.
  • ❄ Completely free and open source (MIT license)

Non-Auditability of Aggregated Signatures

Issue: Once signatures are aggregated, you can't determine which devices produced them.

Impact: Not a concern for individual self-custody. May matter for adversarial multisigs.

Mitigation: Could be implemented at the genuine software app layer for organisations.

Nonce State Management

Critical consideration: Nonce reuse would compromise security.

Solution: AB flash storage techniques guarantee nonces are irreversibly erased before signatures are sent. Resistant to flash degradation and reset.

Physical security: For a nonce reuse attack, an attacker needs a threshold number of geographically separated devices.
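
The erase-before-send ordering described under Solution above, as an added Python sketch that is not Frostsnap's firmware. It assumes a generic two-slot (A/B) checksummed layout; the flash dict, the nonce labels and the names NonceStore, take and crash_at are all hypothetical.

```python
import hashlib
import json

class PowerLoss(Exception):
    """Simulated reset in the middle of a flash operation."""

def _seal(seq, pool):
    body = json.dumps([seq, pool])
    return body + "|" + hashlib.sha256(body.encode()).hexdigest()

def _open(raw):
    """Return [seq, pool] for an intact slot, None for an erased or torn one."""
    body, _, tag = (raw or "").rpartition("|")
    if not body or hashlib.sha256(body.encode()).hexdigest() != tag:
        return None
    return json.loads(body)

class NonceStore:
    def __init__(self, nonces):
        # Simulated flash: two slots, only slot A populated at provisioning.
        self.flash = {"A": _seal(1, list(nonces)), "B": None}

    def _active(self):
        live = {k: _open(v) for k, v in self.flash.items()}
        live = {k: v for k, v in live.items() if v}
        name = max(live, key=lambda k: live[k][0])  # newest intact slot wins
        return name, live[name]

    def remaining(self):
        return self._active()[1][1]

    def take(self, crash_at=None):
        """Release one nonce for signing only after it is gone from both slots."""
        name, (seq, pool) = self._active()
        if not pool:
            raise RuntimeError("nonce pool exhausted")
        other = "B" if name == "A" else "A"
        nonce, sealed = pool[0], _seal(seq + 1, pool[1:])
        if crash_at == "mid-write":
            self.flash[other] = sealed[: len(sealed) // 2]  # torn write fails checksum
            raise PowerLoss
        self.flash[other] = sealed   # 1. commit the pool without this nonce
        if crash_at == "before-erase":
            raise PowerLoss
        self.flash[name] = None      # 2. erase the last stored copy of the nonce
        if crash_at == "before-send":
            raise PowerLoss
        return nonce                 # 3. only now may a signature share use it
```

A reset at any of the three points either leaves the nonce unreleased and still usable once, or burns it without it ever leaving the device; no crash point lets the same nonce be released twice.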