Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support frost-secp256k1-evm (frost-secp256k1 with keccak256) #715

Open
StackOverflowExcept1on opened this issue Aug 7, 2024 · 0 comments · May be fixed by #749
Open

Support frost-secp256k1-evm (frost-secp256k1 with keccak256) #715

StackOverflowExcept1on opened this issue Aug 7, 2024 · 0 comments · May be fixed by #749

Comments

@StackOverflowExcept1on
Copy link
Contributor

Similar to frost-secp256k1-tr, we could add frost-secp256k1-evm. The idea is to simply replace sha256 with keccak256. In this case, we can implement frost threshold signature verification in smart contract. I checked the cost of frost-secp256k1-sha256 verification on Ethereum and it costs about 8000 gas ($0.08 for low gas and, for example, $0.8 for high gas). If you provide an implementation with keccak256, the cost will be even lower.

A few details on how to do verification in smart contract:

pub(crate) fn verify_prehashed(
&self,
challenge: Challenge<C>,
signature: &Signature<C>,
) -> Result<(), Error<C>> {
// Verify check is h * ( - z * B + R + c * A) == 0
// h * ( z * B - c * A - R) == 0
//
// where h is the cofactor
let zB = C::Group::generator() * signature.z;
let cA = self.element.0 * challenge.0;
let check = (zB - cA - signature.R) * C::Group::cofactor();
if check == C::Group::identity() {
Ok(())
} else {
Err(Error::InvalidSignature)
}
}

So, as you can see we need to check that zG - cA == signature.R. This can be cheaply calculated using ecrecover function in Ethereum. The only thing is that instead of point on curve, the result is an Ethereum address, but this is not a big problem. It is enough to calculate the address for signature.R and compare it with result of ecrecover. An example of implementation is given here: https://github.com/chronicleprotocol/scribe/blob/main/src/libs/LibSchnorr.sol

Thus, FROST in smart contracts opens up the possibility of creating DAO, oracles and other protocols where threshold signatures may be needed. The only drawback is the interactivity of the FROST protocol.

@mpguerra mpguerra moved this to New in FROST Aug 8, 2024
@StackOverflowExcept1on StackOverflowExcept1on linked a pull request Oct 8, 2024 that will close this issue
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: Product Backlog
Development

Successfully merging a pull request may close this issue.

1 participant