FROST Implementers Round Table 2023-11-08

# FROST Implementers Round Table (Agenda, Questions & Notes) ## Agenda 2023-10-08 FROST Implementers Round Table Wednesday, November 8⋅10:00am – 12:00pm Via Zoom: https://us02web.zoom.us/j/83450418554?pwd=S3d1K3E3M2ZiMVJhZDFPb3JPeU1zZz09 A focused round table for designers, developers, and cryptographers on the topic of current FROST reference code, implementations, and standards efforts for both FROST with Ristretto and for secp256k1. Hosted by Christopher Allen of Blockchain Commons. The round table will be recorded, and a video will be edited and made available on YouTube. If you have any questions or problems connecting, contact ChristopherA@LifeWithAlacrity or via Signal at +1-510-908-1066. ### Introductions * Each participate briefly introduct themselves and their role associated with FROST * List repos * For each: * brief update on current status * Any security reviews in progress? * Short-term roadmaps * ZCash FROST * REPO: https://github.com/ZcashFoundation/frost * Demo: https://github.com/ZcashFoundation/frost-zcash-demo/ * Zcash ciphersuites: https://github.com/ZcashFoundation/reddsa/ * DOCS: https://frost.zfnd.org/ * NCC review of Zcash FROST: https://research.nccgroup.com/2023/10/23/public-report-zcash-frost-security-assessment/ * Was all code reviewed, or only ristretto? * Any key differences between the review of the implementations ristretto, sec256pk1, and other curves? * libsecp256k1-zkp * REPO: https://github.com/BlockstreamResearch/secp256k1-zkp/pull/138 (currently WIP, not merged) * Scheme: FROST3 with variant of SimplPedPop ("Olaf") * Short-term roadmap: Signing is more mature than DKG. Move DKG to seperate PR and get signing merged. * Other code bases * Standards Efforts * IETF * IRSG: I-D v15 * CBOR? * COSE: CA has brought it up, not much interest (focusing on Quantum Resistance ) * W3C * BIP * BIP for DKGs based on SimplPedPop * REPO: https://github.com/jonasnick/bip-frost-dkg * WIP, very early stage! * GOAL: Simple DKG with batteries included (=broadcast channel, secure channels, backup, ...). No robustness. * BIP for FROST(3) * (see libsecp256k1-zkp PR) ### Questions & Dialogue #### General Q&A [lightning round/ice breaker] * What do you love most about FROST? * What has been the most difficult about FROST? * What was your biggest road block that you overcame? * What coming up is your biggest concern? #### Distributed Key Generation * What are unimplimented advantages or drawbacks of DKG? * Any progress on quorum rotation? * Any opportunities (or risks) to leverage FROST's DKG and shares for other cryptographic protocols? * Any risks to use FROST for quorum encryption/decription of symmetric keys that encrypt larger packages? #### Trusted Dealer Generation * The Zcash projects also offers Trusted Dealer Generation? Any one else planning to offer it? * * What advantages might Trusted Dealer Generation add? * Any thoughts on Trusted Dealer Generation in personal devices for "self-sovereign" keys? * Should other protocols currently doing SSS transition to leverage the VSS in Trusted Dealer? #### Resilience & Trust * What level of care is needed to protect the generated shares? * What reliability issues? Etc. * Are there concerns of correlation or DOS attacks need to be addressed. * What are the requirements for trust in wallets? * What changes to trust models for wallets are needed given the improvements of DKG. * Can we increase trust by implementing parts of FROST in silicon? #### Curves * Can FROST leverage existing ed25519 key infrastructure by converting to ristretto keys and back? Or do we need to move completely to ristretto for that family of FROST? * Can a single Distributed Key Generation be used for both ristretto and secp256k1? * Can a single Trusted Dealer Generation be used for both ristretto and secp256k1? #### Trusted Channels * FROST requires trusted channels for Distributed Key Generation (DKG). Any particular requirements/progress on these? * Signing doesn't "require" trusted channels, but there are also privacy/correlation issues if signing over untrusted channels. Any requirements/progress on these? * What other kinds of alignment with FROST crypto do we need to work on: identifiers, elligator, anti-correlation, etc. #### Performance * Any particular performance issues with your FROST implementation? * What are the minimal processor requirements? Can we implement on low-power devices? * Are their opportunties to increase performance (and/or increase security) by implementing some algorithms in silicon? #### Standards & Other Protocols * Any opportunties for international standards? * Roadmap for current IETF - * IETF CBOR for FROST data formats? * Any wild-card uses of FROST the community is not considering? #### Cryptography * Any progress on ROAST? Other variants of FROST? * What other proofs can a FROST quorum do? * FROST Schnorr is a "nonaccountable" signature as you don't know who signed, but is there a version where together they can proof which of the members of the quorum did sign? * Any interesting zk-proofs opportunites? * Opportunities to leverage Musig2 with FROST? * Other related cryptography? #### The Next Step * How do we convince more developers to use FROST? * How do we convince users to use FROST? * Any tooling (CLI apps, server apps, testing frameworks, etc.) that would help developers, or that you'd like to see soon? * How do we fund more code reviews? * In addition to hosting activities like these, is there anything else Blockchain Commons can do to help the community? ## Round Table Notes