A Deep-dive into FROST
Flexible Round-Optimized Schnorr Threshold (FROST) underpins the security and decentralization of the Bitcoin side of BitSafe's CBTC. As a threshold signature scheme, FROST lets a group of participants collectively produce a single Schnorr signature without any participant, or any machine, ever holding the full private key. This document gives a technical overview of FROST, its integration with CBTC, and the advantages it offers for institutional Bitcoin custody.
1. Understanding FROST
1.1. What is FROST?
FROST is a threshold signature scheme that produces Schnorr signatures from a distributed set of key shares. In a FROST deployment, a single private key is split into n shares, and a predefined threshold t of the share-holders must cooperate to generate a valid signature. The full private key is never reconstructed, not even during signing, which removes the single point of compromise that a whole key represents. The resulting signature is indistinguishable from an ordinary single-party Schnorr signature, which gives both privacy and efficiency.
1.2. Why FROST for CBTC?
The selection of FROST for decentralized control of the BTC in our on-chain Bitcoin vault was deliberate, driven by its advantages over script-based multisignature and over other Schnorr aggregation protocols.
Comparison by feature (Traditional multisig vs. FROST, and the resulting advantage for CBTC):
On-Chain Footprint
  Traditional multisig: every participant's public key and signature is recorded on-chain, increasing transaction size and cost.
  FROST: a single aggregated public key and a single signature are recorded on-chain.
  Advantage for CBTC: lower transaction fees, since a FROST spend is the size of a single-key Taproot spend, regardless of how many participants signed.
Privacy
  Traditional multisig: the on-chain footprint reveals that the spend is a multisig, and how many participants and keys are involved.
  FROST: the signature is indistinguishable from a single-party signature, so the underlying security arrangement stays private.
  Advantage for CBTC: enhanced privacy; on-chain data does not reveal that a CBTC transaction is secured by a threshold of participants, nor how many.
Security
  Traditional multisig: security reduces to n independently managed keys and the script that counts their signatures; each key must be generated, stored, backed up and rotated on its own, which makes the security model harder to manage.
  FROST: provable t-of-n security against an adversary who corrupts up to t-1 participants; its binding-factor design defeats the concurrent-session forgeries that broke earlier two-round Schnorr schemes.
  Advantage for CBTC: a single aggregated key whose t-of-n policy is enforced cryptographically rather than by script, and whose shares can be rotated (see 3.1) without changing the on-chain key.
Other Schnorr aggregation schemes exist, notably MuSig2, but MuSig2 is an n-of-n multisignature: every key holder must sign every transaction, so it cannot express a t-of-n policy or tolerate an offline participant. FROST was chosen for its t-of-n flexibility, its two-round signing, and its security analysis. In particular, FROST's binding factor ties each signer's nonce to the message and to the full set of commitments in the session, which defeats the concurrent-session (ROS-style) forgery that broke earlier two-round Schnorr threshold and multi-signature schemes.
2. How FROST Works
The FROST protocol is designed to be both secure and efficient, with a clear and well-defined process for key generation, signing, and verification. This section provides a high-level overview of the mechanics of FROST.
2.1. Key Generation
Before a FROST signing group can be established, a set of key shares must be generated and distributed to the participants. FROST supports two primary methods for key generation:
Trusted Dealer Generation: A single trusted entity generates the full private key, Shamir-splits it into n shares (evaluations of a random degree t-1 polynomial whose constant term is the key), and distributes the shares to the participants over secure channels. This is simpler to implement, but it introduces a single point of trust and requires the full private key to exist in the dealer's memory at one point, which may not be acceptable in every security model.
Distributed Key Generation (DKG): A more secure and decentralized method in which participants jointly generate the group's public key and their individual secret shares without any party ever holding the full private key. FROST's DKG is Pedersen-style: every participant deals its own Shamir sharing of a random value, publishes commitments to its polynomial so the others can verify the shares they receive, and proves knowledge of its contribution; each participant's final share is the sum of the shares dealt to it, and the group key is the sum of all contributions. This multi-round process has no single point of failure and is the preferred method for high-security applications like CBTC.
Upon completion of key generation, each participant holds a unique secret share, the corresponding verifying share (its secret share times the group generator), and the group's overall verifying key.
2.2. The Signing Process
FROST signing is a two-round protocol coordinated by a designated Coordinator, which may be one of the signers or a separate, non-signing entity. In CBTC this role is performed by the Coordinator on the Bitcoin network. The Coordinator never learns a share and cannot forge, even if malicious; what it can do is choose which message and which participants enter a session, and withhold or abort. It is therefore a liveness dependency, not a trust anchor for funds, and each Attestor must validate the transaction it is asked to sign on its own before contributing a share.
Round One: Commitment: The Coordinator starts a session by selecting the message to be signed and the set of participants (Attestors) who will sign. Each selected participant generates a fresh pair of nonces (a hiding nonce and a binding nonce) and their public commitments (the nonces times the group generator), keeps the nonces private, and sends the commitments to the Coordinator. Commitments may be generated ahead of time, but a nonce must be used in exactly one session: reuse leaks the signer's secret share.
Round Two: Signature Share Generation: The Coordinator collects the commitments and sends the full commitment list, together with the message, to every participant in the set. Each participant derives a binding factor for every signer from the group verifying key, the message and the entire commitment list, computes the group commitment R and the challenge c, and produces its signature share z_i = d_i + rho_i * e_i + lambda_i * s_i * c, where (d_i, e_i) are its nonces, rho_i its binding factor, s_i its secret share and lambda_i the Lagrange coefficient for this signing set. It then deletes its nonces and sends z_i to the Coordinator.
2.3. Signature Aggregation and Verification
Once the Coordinator has received a signature share from every participant in the signing set, it checks each share against that participant's verifying share (which identifies any misbehaving signer) and sums the shares into a single Schnorr signature (R, z). The Lagrange coefficients depend on exactly the chosen set, so a missing signer means a new session, not fewer shares. The Coordinator verifies (R, z) against the group verifying key; only if it is valid is the transaction authorized.
The final signature is a standard Schnorr signature and can be checked by any standard Schnorr verifier, which neither knows nor needs to know how many parties contributed. This is a key property of FROST: it keeps compatibility with existing Bitcoin infrastructure and keeps the underlying threshold arrangement private.
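The key generation, two signing rounds, aggregation and verification described in 2.1 to 2.3, as an added worked example in Python. This is illustrative code written for this page, not BitSafe's or any library's implementation. It assumes a trusted dealer for key generation, uses plain tagged SHA-256 in place of the RFC 9591 hash functions, and does not produce BIP340 signatures, so nothing here is Bitcoin-valid; the participant identifiers, threshold and message are constructed sample values. What it does show is the structure the text describes: the binding factor computed over the full commitment list, the per-share check the Coordinator performs before aggregation, and that the result passes an ordinary Schnorr verifier.

```python
"""Toy FROST over secp256k1: trusted-dealer keygen, two signing rounds, aggregation,
and verification with an ordinary Schnorr verifier.  Added example, not BitSafe code.
Hashing is simplified tagged SHA-256, so this is neither RFC 9591 nor BIP340."""
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):  # double-and-add; not constant-time, demo only
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def H(tag, *parts):  # domain-separated hash to a scalar (stand-in for the RFC's H1/H2)
    return int.from_bytes(hashlib.sha256((tag + repr(parts)).encode()).digest(), "big") % N

def dealer_keygen(t, n):
    """Trusted dealer: Shamir-split a fresh key.  Returns (VK, secret shares, verifying shares)."""
    coeffs = [secrets.randbelow(N - 1) + 1 for _ in range(t)]  # coeffs[0] is the group secret
    shares = {i: sum(c * pow(i, k, N) for k, c in enumerate(coeffs)) % N for i in range(1, n + 1)}
    return ec_mul(coeffs[0], G), shares, {i: ec_mul(s, G) for i, s in shares.items()}

def lagrange(i, ids):
    """Lagrange coefficient of participant i at x=0 over the signing set ids."""
    num = den = 1
    for j in ids:
        if j != i:
            num, den = num * j % N, den * (j - i) % N
    return num * pow(den, -1, N) % N

def round1():  # signer: fresh hiding/binding nonces (d, e) and commitments (D, E); never reuse
    d, e = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    return (d, e), (ec_mul(d, G), ec_mul(e, G))

def group_commitment(commits, msg, vk):
    """Binding factor rho_i per signer (bound to VK, msg and the whole commitment list) and R."""
    ids = sorted(commits)
    rhos = {i: H("rho", vk, msg, [(j, commits[j]) for j in ids], i) for i in ids}
    R = None
    for i in ids:
        R = ec_add(R, ec_add(commits[i][0], ec_mul(rhos[i], commits[i][1])))
    return rhos, R

def round2(i, share, nonces, commits, msg, vk):
    """Signer i: z_i = d_i + rho_i*e_i + lambda_i*s_i*c; the nonces are then discarded."""
    rhos, R = group_commitment(commits, msg, vk)
    c = H("chal", R, vk, msg)
    return (nonces[0] + rhos[i] * nonces[1] + lagrange(i, commits) * share * c) % N

def aggregate(commits, zs, vshares, msg, vk):
    """Coordinator: check each z_i against the signer's verifying share, then sum them."""
    rhos, R = group_commitment(commits, msg, vk)
    c = H("chal", R, vk, msg)
    for i, z in zs.items():
        R_i = ec_add(commits[i][0], ec_mul(rhos[i], commits[i][1]))
        if ec_mul(z, G) != ec_add(R_i, ec_mul(lagrange(i, commits) * c, vshares[i])):
            raise ValueError(f"invalid signature share from participant {i}")
    return R, sum(zs.values()) % N

def schnorr_verify(vk, msg, sig):
    """Plain Schnorr check z*G == R + c*VK; knows nothing about thresholds."""
    R, z = sig
    return ec_mul(z, G) == ec_add(R, ec_mul(H("chal", R, vk, msg), vk))

def frost_sign(signer_ids, shares, vshares, msg, vk, corrupt=None):
    """Both rounds for the chosen signers; `corrupt` tampers one share to show detection."""
    state = {i: round1() for i in signer_ids}
    commits = {i: st[1] for i, st in state.items()}  # relayed to everyone by the coordinator
    zs = {i: round2(i, shares[i], state[i][0], commits, msg, vk) for i in signer_ids}
    if corrupt is not None:
        zs[corrupt] = (zs[corrupt] + 1) % N
    return aggregate(commits, zs, vshares, msg, vk)

def demo():
    """2-of-3 vault, signed by participants 1 and 3 on a constructed sample message."""
    vk, shares, vshares = dealer_keygen(t=2, n=3)
    msg = b"constructed sample: spend vault utxo"
    return schnorr_verify(vk, msg, frost_sign([1, 3], shares, vshares, msg, vk))
```

Calling demo() runs a 2-of-3 signing by participants 1 and 3. Signing with fewer than t participants, or tampering with one share via the corrupt argument, fails: the former because the Lagrange coefficients no longer interpolate to the group key, so the final Schnorr check rejects, the latter at the Coordinator's per-share check, which names the offending participant. The curve arithmetic is not constant-time and is only there to make the algebra visible.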
3. Advanced Features and Security
FROST includes several advanced features that enhance its security and flexibility, making it a robust solution for long-term, high-value asset management.
3.1. Share Resharing and Revocation
One of the most powerful features of FROST is the ability to perform Verifiable Secret Resharing (VSR). A quorum of current share-holders generates a new set of shares for the same group verifying key, so the on-chain key and address do not change, and the old shares are then deleted. This is a critical feature for maintaining the long-term security of the signing group.
This process has several important use cases:
Revoking Exposed Shares: If a participant's secret share is compromised, the group performs a resharing to generate new shares. Once the honest participants have deleted their old shares, the compromised share is useless: an old share combined with new shares does not interpolate to the secret, and only t old shares together would.
Protecting Against Mobile Adversaries: In a scenario where an attacker slowly compromises participants over time, regular resharing operations can proactively revoke any compromised shares, forcing the attacker to start over.
Changing the Group Composition: Resharing can be used to add or remove participants from the signing group, or to change the signing threshold, providing flexibility in the governance of the system.
3.2. Security Model
The security of FROST rests on standard cryptographic assumptions (the discrete logarithm problem in the group, with hash functions modelled as random oracles) and a well-defined security model. The protocol is unforgeable against a malicious adversary who corrupts up to t-1 participants, where t is the signing threshold, and the Coordinator is not trusted for unforgeability, only for liveness.
FROST provides protection against a number of known attacks, including:
Forgery Attacks: The binding factor, which ties each signer's nonce to the message and to the full commitment list of the session, blocks the concurrent-session forgeries that affect other two-round Schnorr-based threshold and multi-signature schemes.
The "Forget-and-Forgive" Attack: A potential attack on resharing protocols in which a malicious participant causes a split in the group, with some participants holding old shares and others holding new ones; no quorum can then sign, because old and new shares lie on different polynomials. FROST's resharing protocol includes an acknowledgment step that prevents this: every participant must confirm that it has received and verified its new share before anyone deletes an old one.
The security of FROST is analyzed and proven in the original research paper [4], and the protocol is specified in RFC 9591 [1].
4. FROST in CBTC: Implementation Details
BitSafe's implementation of FROST on CBTC's Bitcoin side applies the protocol's security and efficiency advantages within an architecture that bridges the Bitcoin and Canton networks.
4.1. Attestor Network Architecture
The CBTC system operates through a decentralized network of institutional-grade Attestors. The network currently consists of 9 pre-screened external node operators (including established providers like P2P and Everstake) alongside 1 BitSafe-operated node. Each operator maintains over $1 billion in Assets Under Management (AUM), ensuring both technical expertise and financial incentives to maintain system integrity.
Each Attestor operates nodes on both the Bitcoin and Canton networks, enabling them to participate in the threshold signing process for Bitcoin transactions while also coordinating through Canton's governance mechanisms.
4.2. Coordinator and Governance Integration
The system employs a Coordinator that runs periodic checks every 60-120 seconds: it monitors deposit accounts, constructs Bitcoin transactions, and submits governance actions. The Coordinator works in conjunction with the Attestor network through the BitSafe governance module on the Bitcoin network, where each Attestor must independently submit its own confirmation signature for critical actions such as deposit confirmations and withdrawal authorizations.
4.3. Threshold Signing Process
FROST enables the Attestor network to authorize Bitcoin transactions collectively through a threshold signing process. When a Bitcoin transaction needs to be authorized (for example a withdrawal), a threshold of Attestors must cooperate to produce the signature. No single party can move Bitcoin funds unilaterally, including the Coordinator, which never holds a share and whose proposed transaction every Attestor validates on its own before contributing a signature share.
The vault uses Taproot addresses, so a FROST-signed spend is a BIP340 Schnorr key-path spend that is indistinguishable on-chain from a single-key Taproot spend, preserving the privacy benefit of FROST. One practical caveat: the secp256k1 ciphersuite in RFC 9591 does not by itself produce BIP340 signatures (BIP340 uses x-only keys and nonces and its own tagged challenge hash, and the Taproot output key is tweaked), so Taproot signing requires a BIP340-compatible FROST variant, such as the Taproot ciphersuite shipped with the Zcash Foundation's FROST library.
4.4. Dual-Network Security Model
The CBTC system's security relies on coordination between two networks: Bitcoin Layer-1 for final settlement and the Canton network for governance and coordination. With this dual-network design, Bitcoin custody and CBTC token operations are secured by the same decentralized Attestor set on both networks.
5. More Reading
[1] Komlo, C., and I. Goldberg, "The Flexible Round-Optimized Schnorr Threshold (FROST) Protocol for Two-Round Schnorr Signatures", RFC 9591, DOI 10.17487/RFC9591, June 2024, https://www.rfc-editor.org/info/rfc9591.
[2] Zcash Foundation, "Understanding FROST", https://frost.zfnd.org/frost.html.
[3] "FROST Resharing Readme", Notion, https://www.notion.so/FROST-Resharing-Readme-1cf636dd0ba58034ac25f1002fdea8cf?pvs=4.
[4] Komlo, C., and I. Goldberg, "FROST: Flexible Round-Optimized Schnorr Threshold Signatures", Cryptology ePrint Archive, Report 2020/852, 2020, https://eprint.iacr.org/2020/852.