Lib.rs

Cryptography
#threshold-signature #signature-scheme #schnorr-signature #frost

bin+lib wsts

Weighted Schnorr Threshold Signatures, based on FROST

by Joey Yandle

14 releases (8 major breaking)

9.0.0 Mar 25, 2024
8.1.0 Feb 15, 2024
7.0.0 Jan 19, 2024
6.1.0 Jan 12, 2024
1.2.0 Jun 2, 2023

#153 in Cryptography

Download history 262/week @ 2023-12-21 213/week @ 2023-12-28 223/week @ 2024-01-04 205/week @ 2024-01-11 711/week @ 2024-01-18 1321/week @ 2024-01-25 1742/week @ 2024-02-01 1459/week @ 2024-02-08 869/week @ 2024-02-15 690/week @ 2024-02-22 1842/week @ 2024-02-29 955/week @ 2024-03-07 1036/week @ 2024-03-14 676/week @ 2024-03-21 594/week @ 2024-03-28 662/week @ 2024-04-04

3,134 downloads per month
Used in 10 crates (3 directly)

Apache-2.0

330KB
7.5K SLoC

WSTS

ci crates.io

WSTS is a system for making Weighted Schnorr Threshold Signatures, aka WileyProofs. It allows a group of signers, each of whom controls a set of keys, to make a valid Schnorr signature, as long as T (the threshold) of them complete the protocol honestly. While there are many other threshold signature schemes, WSTS has several features which make it particularly useful in a cryptocurrency context.

First, it is optimized for a small number of rounds in the common case where there are no byzantine actors present. Since the protocol allows detection any bad actors in the system, it makes sense to optimize for the case where there are none. Such byzantine actors can be sanctioned in a way that severely disincentivezes attempts to subvert the protocol.

Second, in contrast to typical multisig protocols, WSTS produces a single aggregate signature which is indistinguisable from a standard Schnorr signature. Crucially, this signature can be verified the same way as any Schnorr signature. And since the signature is aggregated, it does not take any more space on chain than any other standard signature, and linearly less than traditional multisig signatures.

Finally, WSTS is designed to build aggregate threshold signatures which are weighted, i.e. not all signers control the same number of keys. The threshold is a function of keys, so a set of signers meets the threshold if and only if the sum of the number of keys they control equals or exceeds the threshold.

Background

WSTS is based on FROST, i.e. Flexible Round-Optimized Schnorr Threshold signatures. FROST provides a system where a number of parties, each of which controls a single key, can form an aggregate group signing key, after which a threshold number of them can cooperate to form a valid Schnorr signature.

Variants

This crate provides a simple implementation of WSTS in the v1 module, which is an extension of FROST where each signer controls a set of parties, each of which controls a single key.

This crate also contains a more complex version of WSTS optimized for the weighted threshold scenario in the v2 module. Like vanilla FROST, v2 keeps a single polynomial and nonce for each Party, but allows each Party to control multiple keys. This allows for order-of-magnitude reductions in data size and number of messages for the distributed key generation (DKG) and signing parts of the protocol.

p256k1

This crate uses the Bitcoin secp256k1 curve. But since the C libsecp256k1 library only provides high level interfaces for operations used by Bitcoin, it was necessary to directly expose the scalars and curve points to allow arbitrary mathematical operations outside of sign/verify. So we provide a wrapper crate around libsecp256k1 which wraps the internal interfaces to scalars and points. We call this crate p256k1, to denote that it is not only the same curve as secp256k1, but also exposes the curve directly.

Documentation

Dependencies

~17MB
~255K SLoC