Threshold Signature Implementation

[Fiono11]

Project Abstract

This document outlines the proposal for implementing Olaf, a protocol that combines FROST, a threshold signature scheme based on the Schnorr signature, with SimplPedPoP, a Distributed Key Generation (DKG) scheme. It provides a more scalable, cheaper, more user-friendly and privacy-preserving alternative to current multisig solutions. This protocol is particularly designed for scenarios with a large number of signers, ensuring both efficiency and signer anonymity.

Grant level

• Level 1: Up to $10,000, 2 approvals
• Level 2: Up to $30,000, 3 approvals
• Level 3: Unlimited, 5 approvals (for >$100k: Web3 Foundation Council approval)

Application Checklist

• The application template has been copied and aptly renamed (project_name.md).
• I have read the application guidelines.
• Payment details have been provided (Polkadot AssetHub (DOT, USDC & USDT) address in the application and bank details via email, if applicable).
• I am aware that, in order to receive a grant, I (and the entity I represent) have to successfully complete a KYC/KYB check.
• The software delivered for this grant will be released under an open-source license specified in the application.
• The initial PR contains only one commit (squash and force-push if needed).
• The grant will only be announced once the first milestone has been accepted (see the announcement guidelines).
• I prefer the discussion of this application to take place in a private Element/Matrix channel. My username is: @_______:matrix.org (change the homeserver if you use a different one)

[Fiono11]

This application is a modified version of #2225, based on feedback received from @burdges.

[burdges]

Olaf sounds reasonable. Any comment @elizabeth-crites ?

[burdges]

SimplePedPop sounds fine. I never looked at PedPoP really, only the original Pedersen DKG. Again any comment @elizabeth-crites?

We'd simply output a hash for the equality check algorithm, so then the user must handle the final abort if that fails?

[burdges]

Ahh SimplePedPoP does not encapsulate encrypting the key shares. Does PedPoP do so?

I'll think about if there is a way to abstract this, but maybe SimplePedPoP works well for single user use cases.

[Fiono11]

PedPoP does not encapsulate encrypting key shares either. That is why they are implementing EncPedPop here, which is a wrapper around SimplPedPop. And they recommend it even for applications that support secure channels, due to its low overhead. Should we do the same?

[burdges]

It adds an extra round because you must know to whom you encrypt. As EncPedPop is a wrapper around SimplePedPoP then I'd say do SimplePedPoP first, and we can think about the wrapper later. It'll maybe require cleaning up the aead module, so no reason to block anything: https://github.com/w3f/schnorrkel/blob/master/src/aead.rs

[burdges]

This could take a &impl Transcript too, which'll add entropy. It's only immutable though, so no transcript modifications, and ignoring it is harmless.

[burdges]

This'll take signer_nonces: SigningNonces, not the borrow.

SigningNonces should be opaque, not be Clone, and not support any form of serialization, but they could be #[repr(transparent)] so that unsafe code can access the contents.

This makes SigningNonces a "linear type" or "session type", in that it cannot be used twice.

[burdges]

I suppose SecretPackage could be a session type too, but maybe not so important.

[burdges]

It's fine.

I'm kinda tempted to have signers field indices be arbitrary: Imagine 5 senior key holders run the DKG with a threshold of 4, but create an additional 2 or 3 shares which they delegate to junior key holders. If done simply then junior key holders would know how many senior key holders exist, but this could be hidden from them in various ways. This permits creating a threshold key where juniors do not knows how many key holders exist, which maybe useful for operational security. This is probably way overkill.

[Fiono11]

Yes, probably. Maybe leave it for a future iteration, if there is demand for it?

[burdges]

Yeah I realized after that this brings in considerable complexity. In principlem, there are benefits to using random indices, again for opsec, but this again requires an extra rounds. Let's omit for now.

[burdges]

All looks good to me. We'll have @elizabeth-crites make some comment too.

[semuelle]

In the meantime, could you (@Fiono11) fill out the KYC form (assuming you are applying as an individual, otherwise please use this form)?

[Fiono11]

In the meantime, could you (@Fiono11) fill out the KYC form (assuming you are applying as an individual, otherwise please use this form)?

Done!

[burdges]

Amusingly @elizabeth-crites and I have not actually figured out if we like the delinearization in 1 or the delinearization in 2,3.

There is some malleability in 2,3 but we've not found any mechanism for abuse yet.

[Fiono11]

Amusingly @elizabeth-crites and I have not actually figured out if we like the delinearization in 1 or the delinearization in 2,3.

There is some malleability in 2,3 but we've not found any mechanism for abuse yet.

Just noticed that step 2 of the FROST signing protocol in this document is actually wrongly described, since in the FROST3 optimization the Coordinator does not broadcast all nonce commitments but the multiplication of the nonce commitments.

Are you suggesting to implement Sparkle instead of FROST?

[burdges]

Isn't Sparkle 3 round? No not some three round one.

We'll stick with SimplePedPop because it's what serious folk like Tim picked, so other code exists for comparison.

We'll stick with Olaf because really nobody knows exploits for the malleability during signing.

All Approve this now.

[burdges]

$5,000 is too little money for this. Increase it to $10,000. We'll add a third reviewer.

Add me on element: @jeff:web3.foundation and I'll help talk you through some of the schnorrkel code whenever you need help. In particular, there are already DLEQ proofs which work with more than two point pairs, which matye useful.

https://github.com/w3f/schnorrkel/blob/master/src/vrf.rs#L627

https://github.com/w3f/schnorrkel/blob/master/src/vrf.rs#L430

[Fiono11]

Thank you! I am really excited to work on this project!

[takahser]

@Fiono11 thx for applying again with this improved proposal.
Pls adjust to lvl 2. Other than that, I think it's good to go. 👍

[github-actions]

Congratulations and welcome to the Web3 Foundation Grants Program! Please refer to our Milestone Delivery repository for instructions on how to submit milestones and invoices, our FAQ for frequently asked questions and the support section of our README for more ways to find answers to your questions.

Before you start, take a moment to read through our announcement guidelines for all communications related to the grant or make them known to the right person in your organisation. In particular, please don't announce the grant publicly before at least the first milestone of your project has been approved. At that point or shortly before, you can get in touch with us at grantsPR@web3.foundation and we'll be happy to collaborate on an announcement about the work you’re doing.

Lastly, please remember to let us know in case you run into any delays or deviate from the deliverables in your application. You can either leave a comment here or directly request to amend your application via PR. We wish you luck with your project! 🚀

[burdges]

The work is basically done, and we should pay him. It'll be merged as w3f/schnorrkel#110

I've cleaned up a few minor things, primarily the clones and serializations that define the FRO part of FROST, and make sense for hardware signers, but looks really dangerous if used in pure software like Vault. I've some build stuff to clean up, but no reason not to go ahead and pay him.

[semuelle]

Thanks, @burdges!

Please submit your milestone(s) as per https://github.com/w3f/Grant-Milestone-Delivery, @Fiono11, so we can finish the evaluation and initiate the payment.

[RouvenP]

hi @Fiono11 we just settled the payment. Apologies for the delay!