Open chris-wood opened 2 years ago
Hey! Thanks for reaching out. The implementation in this crate was originally an experiment, and we haven't followed through on it. Most of our effort has gone into the higher-level task of figuring out how we want to use and integrate FROST into a custody solution (called Narsil, and described here: https://github.com/penumbra-zone/penumbra/issues/2219).
We haven't yet decided whether to select an existing FROST implementation or whether to develop this stub implementation. In any case, we'd like to align with the CFRG specs, even if our construction isn't actually specified in the document.
One other requirement we have that's different from the CFRG's situation is the need for randomization: we need our signatures to be made with randomizations of the signing key, which will mean threading the randomizer through the FROST protocol. (This is also a requirement for FROST as used in Zcash -- I'm not sure what the status is there, but maybe @dconnolly or @chelseakomlo is up to date on it).
> we need our signatures to be made with randomizations of the signing key, which will mean threading the randomizer through the FROST protocol
We have an implementation of this ready to go (frost-rerandomized) and specified over as draft ZIP 312: https://github.com/zcash/zips/pull/662
The CFRG is currently working to specify an interoperable version of FROST. As this project implements FROST as the threshold Schnorr signature variant, I'm curious to know if there's interest in aligning the implementation with the specification. This issue tracks that interest (or lack thereof). Note that there's currently no ciphersuite for decaf377, though perhaps that could be added if it's useful?