The Engineering Perspective of Threshold Signatures: Enhancing FROST with ROAST and Analyzing the Viability of SPRINT

# Description Title: The Engineering Perspective of Threshold Signatures: Enhancing FROST with ROAST and Analyzing the Viability of SPRINT ### What is this talk about? Give us as many details as possible. 1. Rough overview of threshold signatures to set the stage. I will begin by explaining the rough details of threshold signatures and their significance to Bitcoin for secure `t` of `n` multisig vaults in contrast to `musig2` `n` of `n` vaults. 2. Assessing the viability of FROST in a production multisig. FROST was designed as a synchronous protocol which is a non-starter for production systems. Adapting it to be asynchronous such that it can be viable is also difficult given that there is a `tCn` combinatorial involved in constructing `t` of `n` signing groups that is near impossible to manage with uncoordinated asynchronous signing rounds. I will explain some naive approaches to solving this problem and why it prevents production usage of FROST. 3. ROAST - the solution to FROST's combinatorial issues. ROAST reduces the total number of potential signing groups from `tCn` to `n-t`. This makes it possible to securely execute asynchronous signing rounds such that FROST can be used in production. Both Luke Parker at Serai and I have individually worked on this solution, encountering various challenges along the way. In this discussion, I will address some of the issues that have been identified during our respective engineering efforts, as well as my involvement with the development of ROAST for the Spiderchain at Botanix. 4. Assessing the viability of SPRINT in a production multisig. SPRINT is robust without any synchrony assumptions, therefore it can provide greater throughput than FROST and be theoretically viable in production. However, SPRINT is only secure in very restricted modes of operation. Specifically, to avoid a subexponential attack, only a limited number of presignatures may be produced in advance of signing requests, which somewhat defeats the purpose of presignatures. 5. The many faces of Schnorr is the silver bullet of this problem. Victor Shoup showed in his paper that techniques from FROST and SPRINT can be combined to build a threshold Schnorr signing protocol that (i) is secure and robust without synchrony assumptions (like SPRINT), (ii) provides security even with an unlimited number of presignatures, and (assuming unused presignatures are available) signing requests can be processed concurrently with minimal latency (like FROST), (iii) achieves high throughput (like SPRINT), and (iv) achieves optimal resilience. I will detail the engineering challenges in implementing Shoup's ideas and how I am thinking of approaching them. ### What would an attendee learn from this talk? Attendees will gain insights into how some of the theories behind constructing threshold signature multisig vaults can be engineered: 1. A rough understanding of threshold signatures in the context of multisig vaults. The talk will provide a comprehensive overview of threshold signatures, their significance in the context of Bitcoin, and their role in securing multisig vaults. 2. Ability to explain the challenges of FROST in production multisig: I will assess the viability of FROST, a synchronous protocol, in real-world multisig applications. Attendees will gain insights into the challenges of adapting FROST to an asynchronous setting and the complexities involved in constructing signing groups for uncoordinated asynchronous signing rounds. 3. Ability to explain why SPRINT is not viable in production: Attendees will understand how SPRINT offers higher throughput compared to FROST but is limited in specific modes of operation. The limitations, particularly related to the number of presignatures, will be explored, shedding light on its practicality in production multisig setups. 4. Things to know before trying to implement ROAST: Attendees will learn how ROAST reduces the number of potential signing groups, making it possible to securely execute asynchronous signing rounds and, thus, enabling FROST's practical usage in production systems. 5. Understanding of challenges presented by Victor Shoup's groundbreaking research: The engineering hurdles involved in implementing Shoup's ideas will be discussed, along with potential approaches to overcome them. Overall, attendees will gain a comprehensive understanding of various threshold signature schemes, their practicality in production multisig environments, and the exciting possibilities presented by combining techniques from different protocols to achieve optimal security and efficiency in threshold signing. ### Is there anything folks should read up on before they attend this talk? Yes. The linked eprint papers are strongly recommended to at least be skimmed before the talk. ### Relevant Links - ROAST: https://eprint.iacr.org/2022/550.pdf - FROST: https://eprint.iacr.org/2020/852 - SPRINT: https://eprint.iacr.org/2023/427.pdf - The many faces of Schnorr: https://eprint.iacr.org/2023/1019 # About the Speaker ### Social Links Github https://github.com/botanix-labs Twitter https://twitter.com/botanixlabs Website https://botanixlabs.xyz/ # Talk Details ### Length of Talk 60 minutes ### Preferred Day/Time Slot Anything works