Never heard of Frostsnap! Amazing and beautiful idea for setup of FROST threshold signatures. https://frostsnap.com/demo.mp4 https://frostsnap.com
nostr:npub1j8d6h8mzvc8f2fvysrf09nlkmn7m2ylj32zl5na4tm5e8fd5dqysrg26k2 This looks amazing. But why do you have to select which two signers to sign with at 1:34 in the clip? On the next screen, the app seems to automatically identify which of the two devices you plugged in.
Great question! One of the (extremely few) downsides with FROST is that you have to choose which signers will be participating at the start of the signing session.
The signing quorum signs under an agreed set of nonces belonging to the signing participants:
In this case, {nonce from device "Stay", nonce from device "Frosty"}
and you can't change this halfway through the signing session.
You allude to an interesting idea though, the app could auto-detect at least the first signer and only make you select the other t-1 signers.
Ok, understood! Thanks for the reply.
So after you've plugged in the first signer, you could for a k-of-t setup try each possible set of k signers and for each set that includes the plugged in signer, you show the possible cosigners. Is that what you're suggesting?
Couldn't you instead just sign all possible sets with the first plugged-in device, then plug in the next and filter out the sets of k signers further, and so on until there's only one such set left after the last device is plugged in? Is there danger in signing frivolously like this? They all sign the same message (i.e. a bitcoin input), right?
You could plug in multiple signers, but it is best practice to only sign on one device at a time. Have them geographically separated or in the hands of different people. Otherwise if you bring a threshold number together, you're vulnerable to wrench attacks!
Running multiple signing sessions in parallel with different combinations of signers is an interesting idea that people have discussed to alleviate this "choice of signer problem" (it's actually not much of a problem, just a difference to existing multisig).
It does grow if you have a large group, for t-of-n,
(n-1)! / ((t-1)! * (n - t)!)
Possible combinations after the first signer.
Only 6 combinations for a 3-of-5.
But 126 combinations for a 5-of-10.
No danger of signing frivolously, but will take up some extra space and consume nonces. But tbh it's definitely doable
Thanks for elaborating! Yeah, the number of signatures explodes quickly but for the most common use case (2-of-3) it makes sense.
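The parallel-session idea discussed in this thread, as an added example that is not part of the original posts and not Frostsnap's code: it enumerates every signing set containing the first plugged-in device, narrows the sets as more devices appear, and counts nonces per device. The device names other than "Stay" and "Frosty" are constructed, and the one-nonce-per-participant-per-open-session accounting is an assumption.

```python
from itertools import combinations
from math import comb


def candidate_sets(first, signers, t):
    """All t-signer sets that include the first plugged-in device."""
    others = [s for s in signers if s != first]
    return [frozenset((first,) + rest) for rest in combinations(others, t - 1)]


def narrow(sessions, plugged_in):
    """Keep only the sessions consistent with every device seen so far."""
    seen = set(plugged_in)
    return [s for s in sessions if seen <= s]


def nonces_reserved(sessions):
    """Assumption: each open session reserves one nonce per participant."""
    counts = {}
    for session in sessions:
        for device in session:
            counts[device] = counts.get(device, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed 3-of-5 group; only "Stay" and "Frosty" appear in the thread.
    signers = ["Stay", "Frosty", "Dev3", "Dev4", "Dev5"]
    t = 3
    sessions = candidate_sets("Stay", signers, t)
    # Matches (n-1)! / ((t-1)! * (n-t)!) from the thread.
    assert len(sessions) == comb(len(signers) - 1, t - 1)
    print(len(sessions), "parallel sessions;", nonces_reserved(sessions))
    for plugged in (["Stay"], ["Stay", "Frosty"], ["Stay", "Frosty", "Dev4"]):
        print(plugged, "->", len(narrow(sessions, plugged)), "session(s) left")
```

Under that accounting the first device spends one nonce per candidate set, while every other device spends one only for the sets it belongs to.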