FROST Brings Secure, Scalable Threshold Signatures to the EVM

Safe Research, Jul 9, 2025, 6 min read
Self-custody
Beyond Multi-Sig: FROST Brings Secure, Scalable Threshold Signatures to the EVM
In this post, we explore scaling signers for smart accounts to arbitrarily large thresholds and group sizes without increasing gas costs. It builds on the FROST signature scheme originally published in 2020, providing a multi-signature signing scheme that is both safer than traditional Schnorr-based threshold signatures and 95% more gas efficient than pairing-based threshold signatures. The post comes with a repository containing a Solidity FROST signature verifier implementation and some example use cases. This output is from the Safe Research team, a newly formed research initiative at Safe dedicated to advancing secure and easy self-custody.

Multi-signature wallets have been the workhorse for multi-party control, but have limitations when coordinating very large groups. Threshold signature cryptography that is compatible with the Ethereum Virtual Machine (EVM), such as Schnorr threshold signatures or pairing-based threshold signatures, has existed for a while. However, these existing threshold schemes have known issues:

  • Schnorr threshold signature schemes generally suffer from a lack of standardization and have some known forgery attacks in the context of concurrent signature generation

  • Pairing-based threshold signatures currently require more than 100,000 gas to verify on-chain

The ZCash Foundation recently developed Flexible Round-Optimized Schnorr Threshold (FROST) signatures, a threshold signature scheme that both reduces network overhead for signing operations and employs novel techniques to protect against known forgery attacks applicable to similar Schnorr-based schemes. While the EVM does not have native support for these kinds of signatures, there are known techniques that allow their verification to be efficiently implemented in less than 6,000 gas (compared to the hundreds of thousands required for pairing-based signatures).

A Robust Standard for Threshold Signatures

FROST offers a well-defined protocol for Schnorr-based threshold signatures. Spearheaded by the ZCash Foundation, it enables a subset of size t of a larger group of size n to collaboratively produce a valid Schnorr signature for the group's public key, all without ever reconstructing the sensitive private key material in one place. Furthermore, the work required to verify a FROST signature is constant and does not increase with the total number of participants n or the signing threshold t. A 2-of-3 signature is exactly the same size, and costs exactly the same to verify on-chain, as a 1,000,000-of-10,000,000 signature. FROST additionally improves on existing Schnorr-based threshold signature schemes:

  • Peer-Reviewed: The protocol has undergone academic scrutiny, providing confidence in its cryptographic soundness.

  • Comprehensive Specification: FROST goes beyond just the core signature math. The standard details communication rounds, data flows, and crucially, includes a compatible Distributed Key Generation (DKG) protocol for establishing the initial shared keys securely

  • Enhanced Security: FROST explicitly addresses and mitigates known forgery attacks that could affect other similar Schnorr threshold constructions.

FROST Is Not a Smart Account Replacement

While FROST is a particularly useful cryptographic primitive, we do not believe it is a replacement for full-featured multi-signature smart accounts. In particular, while FROST does have mechanisms for refreshing shares, it does not restore full security to the group or allow increasing the threshold. In fact, refreshing doesn’t actually invalidate any of the old shares, and is just a mechanism where all participants agree to start using new ones going forward. While honest participants would destroy their old shares and ignore signatures from invalidated ones after a refresh, there are no cryptographic guarantees that old shares cannot be used to actually create a valid signature: the math continues to work. In some cases, the only way to actually restore full security to the group would be to generate a whole new account with a new group public address.

For example, imagine a case where Alice, Mallory and Eve form a group where two out of the three are needed to create a signature. If, at some point, Mallory were replaced with Bob by refreshing shares, it would still be possible for Eve to collude with Mallory to form a valid signature if Eve maliciously kept their old pre-refresh share around.

Additionally, smart accounts in general have many useful features that go well beyond multi-signature authorization, such as:

  • Fine-grained owner management, including the ability to add/remove owners and change the threshold without restriction

  • Additional rules and policies that are enforced on-chain, such as spending limits and role-based access

  • Alternative authorization mechanisms such as session keys and account recovery

We consider FROST signatures a powerful, specialized cryptographic tool for validating threshold signatures efficiently, best suited for composing with other systems like Safe, rather than a standalone account management solution.

Integration with the Safe Smart Account

We at Safe Research have developed an efficient FROST signature verification implementation for the secp256k1 ciphersuite (secp256k1 is Ethereum’s native curve), enabling efficient FROST signature verification on the EVM. However, since Schnorr signatures are not natively supported by the EVM, smart accounts are still needed in order to bring FROST signature authentication and authorization to Ethereum. Our implementation includes two integrations with the Safe smart account, and an additional EIP-7702 smart account implementation:

  1. As a Safe owner: enabling a FROST group to directly authenticate Safe transactions. Signatures are generated off-chain by the required threshold of participants, and can serve either as the sole authorization method or as an additional one for executing transactions from a Safe. This allows for complex, potentially large-scale signing logic off-chain while keeping the on-chain signature verification costs minimal. This can be leveraged by applications needing approvals from potentially hundreds or thousands of signatures from a defined set of known signers, such as DAOs without vote weighting, decentralized oracles or bridge validator sets updating their state root.

  2. Layered Security via Co-Signing: enabling a FROST group to act as an additional security layer, whereby a security council needs to approve all transactions before they can execute. Because of the scaling properties of FROST signatures, this would even work for very large security councils where representing them as traditional multi-signature smart accounts would be infeasible, and enables a decentralized co-signer network for Safe transactions.

  3. Multi-signature Support for an EOA with EIP-7702: upgrade an externally owned account (EOA) to support a multi-signature authorisation of ERC-4337 user operations. FROST allows you to split your already existing Ethereum private key into shares, essentially transforming it into a multi-signature FROST account. Users can then transact on behalf of their EOA with only the key shares. A working example of this can be found in the aforementioned repository.

Conclusion

FROST delivers a standardized, secure, and highly efficient threshold signature scheme that is compatible with the EVM. While it complements rather than replaces the versatile owner management and features of smart accounts like Safe, its constant signature size and low verification gas costs make it a great solution for scaling threshold signatures from a small handful to hundreds or even thousands of signers.

Standardized, secure, and gas-efficient threshold signature verification is available on Ethereum now. This development opens new design spaces for decentralized applications and offers powerful enhancements for existing systems.

Take our FROST implementation for a spin, and show us what interesting projects you can build with it!

