FROST (Flexible Round-Optimized Schnorr Threshold Signatures)

FROST (Flexible Round-Optimized Schnorr Threshold Signatures) is a threshold signature scheme that lets a group produce one valid Schnorr signature without any participant holding the full private key.

How It Works

FROST enables T-of-N signing. Any threshold set of participants can cooperate to produce a signature for the group’s public key.

The signing protocol uses two rounds:

1. Commitment Round: Each participant generates and shares cryptographic commitments
2. Signature Round: Participants combine their partial signatures into a final aggregate signature

The final output verifies like an ordinary Schnorr signature. Verifiers see one signature under one public key, not a list of cosigners.

Security Notes

Nonce handling is critical. The RFC is explicit that signing nonces are one-time use. Reuse can leak key material.

The RFC also does not standardize distributed key generation. It specifies the signing protocol itself and includes trusted-dealer key generation only as an appendix. In practice, the safety of a FROST deployment depends on both the signing flow and how shares were created and stored.

Use Cases in Nostr

In the context of Nostr, FROST can support:

• Quorum Governance: Groups can share an nsec through T-of-N schemes, where members can represent themselves or delegate to councils
• Multi-sig Administration: Community moderation requiring multiple admin signatures
• Decentralized Key Management: Distributing trust across multiple parties for critical operations

Status

FROST is specified in RFC 9591, published on the IRTF stream in June 2024. That gives the protocol a stable public specification, but it is not an IETF standards-track RFC.

Primary sources:

• RFC 9591: FROST Protocol
• FROST Paper (IACR)
• Zcash Foundation Rust Implementation

Mentioned in:

• Newsletter #3: NIPs Repository
• Newsletter #8
• Newsletter #10

See also:

• NIP-46: Nostr Connect
• NIP-55: Android Signer Application