multi signature – How do MuSig2 and FROST evaluate for multisig key aggregation schemes?

2 views 2:46 am 0 Comments June 6, 2023

You’ll usually use MuSig2 for multisig key aggregation because it has fewer communication rounds (2) and fewer complexity than FROST. The extra complexity is illustrated on this graphic (shared by niftynei on Twitter).


The MuSig2 paper (Nick, Ruffing, Seurin) additionally states:

As compared, the scope of our work is restricted to solely “n-of-n”
multi-signatures, which permits us to optimize for this case and
obtain properties which, within the pure DL setting, are distinctive to
multi-signatures, specifically non-interactive key technology in addition to
non-interactive public key aggregation, two options not provided by
FROST. A serious distinction between our work and their work is the
cryptographic mannequin. The FROST safety proof depends on a non-standard
heuristic which fashions the hash operate (a public primitive) used for
deriving the coefficients for the linear mixture as a one-time VRF
(a primitive with a secret key) within the safety proof. This therapy
requires an extra communication spherical in FROST preprocessing
stage and to disallow concurrent periods on this stage, leading to
a modified scheme FROST-Interactive. As a consequence, the
FROST-Interactive scheme that’s confirmed safe is actually a
three-round scheme and as such differs considerably from the
two-round FROST scheme that’s beneficial for deployment. Komlo and
Goldberg [KG20] present that the safety of FROST-Interactive is implied
by the DL assumption. In distinction, our MuSig2 proofs use the
well-established ROM (or alternatively, AGM+ROM) to mannequin the hash
operate as a random oracle and depend on a falsifiable and weaker
variant of the OMDL assumption.

Nonetheless, Jesse Posner highlighted a few advantages of FROST over MuSig2 at this Sydney Socratic. With FROST you’ll be able to swap out public keys for different public keys or change the multisig scheme, say from a 3-of-3 to a 2-of-2 with no need an onchain transaction. (To do the identical with MuSig2 would want an onchain transaction and MuSig2 doesn’t assist threshold if that’s what you wished to transform to.) So for those who wished to do that this is likely to be a motive to make use of FROST over MuSig2.

Correction (June 2023): What is feasible close to modifying FROST signers and the edge is mentioned on this Nick Farrow gist.

This was additionally mentioned on this London BitDevs Socratic with Tim Ruffing and Elizabeth Crites. It’s difficult by there being competing distributed key technology schemes and doubtlessly completely different FROST requirements between Bitcoin/BIPs and IRTF.

TR: I’m additionally undecided what Jesse is speaking about right here. I believe within the pull request there have been some discussions. What you definitely can do, you’ll be able to downgrade n-of-n to k-of-n. This has been mentioned. For instance swapping out a key to a brand new key, perhaps Elizabeth is aware of extra, there are some key resharing schemes, I’m not likely conscious of these.

EC: Yeah. That’s what I used to be saying about doing the distributed key technology once more. Say you run distributed key technology as soon as and all people has their secret shares of the general group key. At the very least the DKG that’s utilized in conjunction in FROST, the unique one which is what we show in our paper, it’s primarily based on Shamir’s Secret Sharing. There are some fairly commonplace methods to reshare utilizing Shamir. That’s doable. It’s nonetheless non-trivial.

TR: You are able to do resharing however it’s extra like a ahead safety factor. You may’t reshare to a completely new group of signers. You’ll nonetheless belief the previous group of signers.

EC: You may transition from some group of signers to a brand new group of signers additionally. There are methods to reshare the keys. Or you’ll be able to preserve the identical group and reshare a sharing of zero so your shares primarily keep the identical, identical group, or you’ll be able to swap the group of signers. But it surely does contain performing the resharing. There’s just a little bit that needs to be completed there.

MuSig2 and FROST may very well be used collectively in the identical scheme. There may very well be a nested MuSig2 setup inside a FROST setup or vice versa. Moreover for those who wished to maneuver from a MuSig2 setup to a FROST setup MuSig2 keys may be transformed to FROST keys with out altering the combination public key. That’s mentioned right here.

Leave a Reply

Your email address will not be published. Required fields are marked *