Nick Farrow joins me to talk about new developments coming in Bitcoin multi-signature security:
- FROST and what it is
- Privacy benefits
- Downsides of FROST, e.g. interactivity, complexity
- ROAST – what it is
- How hardware and software might have to change to adapt
- The future of multisig
- Site: utxo.club
- Twitter: @utxoclub
- FROST paper: https://eprint.iacr.org/2020/852.pdf
- ROAST paper: https://eprint.iacr.org/2022/550.pdf
Stephan Livera links:
Stephan Livera 00:00:00
Nick, welcome to the show.
Nick Farrow 00:00:02
Thank you very much, Stephan, very much looking forward to it.
Stephan Livera 00:00:05
So Nick, I know you’ve been working on a bunch of different things in the space, and recently a big focus in your work has been around all this stuff, and we’re gonna break it down today. Try to keep it accessible for everybody around FROST and ROAST and multisig and Nostra. And what does it all mean, right? So yeah, do you want to just, I guess, give us a little bit of a high level? For people who don’t know you, what’s your main focus, you know, in development and stuff now?
Nick Farrow 00:00:31
Yeah, for sure. Maybe I’ll start with a bit of a funny story. I first ran into Stephan at a Bitcoin Bush Bash in Beechworth.
Stephan Livera 00:00:38
I remember Mel.
Nick Farrow 00:00:40
Beechworth, and that was my, that was my first sort of exposure to a Bitcoin event actually. And Wizard of Oz sort of convinced me, well, I proposed the idea to, I could present this payment processor SatSale.
Nick Farrow 00:00:53
They’ve been tinkering with, and so I got up at Beechworth and was like, oh, this is the best thing ever. It was really a piece of crap at the time. And I think you sort of caught on to that.
Nick Farrow 00:01:02
I was sort of talking a bit, talking badly about other payment processors and talking up SatSale a bit, which is really just, you know, a really crappy HTML button that just spits out addresses. But yeah, that was awesome to meet you there. And some really good that I decided to do that.
Nick Farrow 00:01:21
That’s how I met the people I’m working with at the moment. So yeah, so at the moment I’m working with FROST. So FROST is sort of what I like to call the next generation of Bitcoin multi-signatures, and it uses the Taproot upgrade that Bitcoin had quite recently. And yeah, it’s a lot of really exciting user experience in terms of multi-signatures coming along pretty soon.
Stephan Livera 00:01:47
And so can you break some of this down for us, right? Like, so as you know, multisig exists today, right? I think it used to be OP_CHECKMULTISIG and now it’s OP_CHECKSIG. But if you could just tell us a little bit about what’s the difference now with FROST and what kinds of, you know, if you could just start with that, yeah.
Nick Farrow 00:02:08
So yeah, like you say, Stephan, we do have multi-signatures in Bitcoin already. So you can think of multi-signature like you need multiple keys in order to spend some Bitcoin, and multi-signatures are really helpful as you can do a threshold, so say you have 3 keys.
Nick Farrow 00:02:28
You might need two out of those three keys in order to spend that Bitcoin, and this is all customizable to whatever setup you like. So I like to think of script multisig, which is the multisig we currently have in Bitcoin, a bit like individual locks, or a whole bunch of smaller locks comprising a much bigger lock, and you can customize that threshold, so it could be a three of five or a five of eight or a two of three.
Nick Farrow 00:02:59
Whatever you really like. So that’s script multisig, think of it like, yeah, smaller locks comprising a bigger lock. FROST, on the other hand, it’s really just one lock, and instead of having multiple smaller locks comprising that one lock, you have a key that is fragmented or shared amongst a group of people. And the cool thing about FROST is you can still have this threshold, T of N, so yeah, three of five, five of eight, whatever you like. But instead of running in Bitcoin script, FROST is entirely done through mathematics, and it gets its threshold nature from mathematics. So that’s the big difference between what we have at the moment, script multisig, or sometimes referred to as legacy multisig, and FROST, which is coming soon.
Stephan Livera 00:03:53
And so could you also spell out, is there any relation here with some of the MuSig2 stuff?
Nick Farrow 00:03:59
So MuSig also uses Schnorr signatures, which have been enabled through Bitcoin’s Taproot.
But MuSig is specifically n of n, so two of two, three of three, five of five. You can’t do the threshold in MuSig. Because of this, MuSig is more applicable to things like Lightning channels where you’re only really doing a two of two, whereas FROST, because you can do this threshold thing, it’s better for your own self custody or protecting Bitcoin in an organization or a business.
Stephan Livera 00:04:37
And so as I understand with some of this, there are some benefits and some costs here, right? Or some downsides? So presumably one of them is around privacy, that we’re trying to make multisig look just the same as single sig. As I understand, that’s one of the benefits.
Nick Farrow 00:04:55
Yeah, that’s probably my favorite one. One of my favorite things about FROST is that, because it’s a single lock, it looks like a single signature spend on chain, so it looks identical to any other single Taproot key spend on chain, any other pay-to-taproot. And a FROST transaction, or a transaction that’s signed using FROST, can look the same, and that’s in stark contrast to multisig as we have it today. Script multisig actually has really terrible privacy. You can go on mempool.space and, you know, click through some transactions.
Nick Farrow 00:05:37
You’ll eventually run across some multi-signature. And that multi-signature, it’ll tell you whether it’s a three of five or a five of eight, whatever it is. Because when you spend those UTXOs, you reveal the script to everyone, and everyone can just read how many keys there are. There’s a really interesting article I found really, like, it blew my mind when I first read this. Someone analyzed the withdrawal addresses for BitMEX, and in 2019 when one of the BitMEX executives got arrested, they were able to, like, by comparing the timing of which keys were signing and which executives were in custody, this researcher was able to figure out which executives were holding which keys to the multisig and when they were signing, and that’s, like, extremely terrifying if you’re running, you know, a billion in exchange withdrawals daily. It’s pretty crazy.
Stephan Livera 00:06:37
And so, I guess as you’re saying this, in a FROST context then, you know, you could remove some of that. Now I understand some of the downsides here with some of this stuff. Could it be that there’s more interactivity required or there’s more complexity? Can you explain some of that for us? Like, what are some of the downsides of using FROST?
Nick Farrow 00:06:59
Yeah. So, one of them that’s a direct flow-on from the improved privacy is that FROST alone has actually worse accountability. So, you can’t sort of say, I know you signed, and you signed.
Stephan Livera 00:07:11
Nick Farrow 00:07:12
Because it’s very private. So, in some settings, we believe there are some modifications you can make to FROST to make it more accountable to those within the multisig, while it’s still appearing highly private to outsiders. In terms of other complexities with running FROST, because it is entirely this off-chain protocol done with mathematics, there’s a bit more communication involved. And so before FROST, there have been other threshold Schnorr signature schemes, but they would often take many, many rounds of communication.
Nick Farrow 00:07:52
So, say we wanted to sign something together. We might have to send messages back and forth, you know, three or four times. And so, FROST, in its name, is Flexible Round-Optimized Schnorr Threshold signatures. There’s a lot in there, but the round-optimized means that you can actually do FROST signing in a single round, with some conditions. So, in FROST, you have to agree upon a nonce to use, like with standard Schnorr signatures. Every time we want to sign, we want to use a unique nonce, and what we can do to make it round-optimized is we can share a whole bunch of nonces upfront, and then every time we go to sign we just sort of pick the next set of nonces in the list.
Nick Farrow 00:08:41
And we’re already ready to go, ready to sign, so that’s where the round-optimized part comes from. And by pre-sharing these nonces upfront, we can actually smash out these signing rounds in a single round, which is a very nice feature, especially if you’re using something like a hardware wallet. So, you don’t want to be carrying around an SD card from your computer to hardware wallet to hardware wallet. Like, you don’t have to do that.
Stephan Livera 00:09:08
That whole dance multiple times, right?
Nick Farrow 00:09:08
The process, like, three times. And maybe in a particular order as well. So, it’s cool that with FROST you can do single-round signing.
Stephan Livera 00:09:19
I see. So yeah, I think that was one of the main things that was, let’s say, a downside when people were talking about MuSig as an example, because of the interactivity. Maybe it wasn’t the most practical choice for, let’s say, a hodler who wants to use multisig to secure his coins, because then he’s going to have to go back and forth. And let’s say one of the hardware devices is in a vault somewhere, one is in, like, a family member’s home, and one is somewhere else, and you’re gonna have to go to these locations, not just one time to each location, but multiple times to each location, and it just blows up the complexity and the practicality of using it. Whereas, as you said, it makes a lot of sense for Lightning, because these Lightning nodes are already online, they’re already talking to each other, those extra rounds aren’t such a big deal. But in the hardware device context, it’s very clunky, right?
Nick Farrow 00:10:08
It’s a whole lot worse. Or even if you’re in, like, a company or something, you know, you don’t want the signing process to take up, like, an hour of your executives’ time or something. That would be a bit ridiculous. You just want to be able to click, you know, click sign once and it’s signed.
Stephan Livera 00:10:22
So, let’s talk a little bit about how it works then. So, are you able to give us a rough overview?
Nick Farrow 00:10:29
Yeah, let’s get into it. So, FROST, its building block is sort of Shamir secret sharing. So, if listeners are familiar with Shamir secret sharing, you essentially take a secret you want to split up into a whole bunch of fragments, and the way you do this is you create a polynomial, and the constant term, or the Y intercept in that polynomial, is the secret that you want to share. And then you generate random other terms for the rest of the polynomial, so your X term might be 5X and then, like, 3X squared, and you add all these polynomial terms, and then you end up with this sort of random polynomial where your secret is the constant term. And once you have this polynomial, then you can start evaluating it at different positions, like X = 1, X = 2, X = 3, and so on.
Nick Farrow 00:11:34
And your choice of the degree of the polynomial, so whether it’s X squared or X to the five, this determines how many points you need to recover that initial secret. And the way I like to think about this is, if you have, say, two dots on a piece of paper, just two random dots, there’s only one unique line you can draw between these two dots, and where that intersects, the Y intercept, would be your joint secret.
Nick Farrow 00:12:10
Now if you have three dots, you can draw a unique quadratic between these three dots, and again the Y intercept would be your joint secret. So that’s Shamir secret sharing. I’ve done an OK job of explaining that one. Essentially, you take a joint secret and you split it up into a whole bunch of different points, and in order to reconstruct that joint secret, you need to have some threshold number of points. So that’s sort of the foundation of FROST. But one problem with Shamir’s secret sharing is that, say you take a Bitcoin seed phrase and you Shamir secret share it into a whole bunch of different points. One problem with Shamir secret sharing is that every time you want to use that seed phrase, you have to fully reconstruct it.
Nick Farrow 00:13:07
So it’s not like you can sign with each individual fragment of the Shamir shared phrase. You have to fully reconstruct it, and then that’s where it gets risky, right? You’ve got your phrase in one place again.
Stephan Livera 00:13:22
Right, because you’re vulnerable in that moment, right? So if we compare it to, let’s say, multisig, and this is actually a reason why I think multisig is more practical for most people than Shamir’s secret sharing, because in a multisig context, you can have, let’s say, your Coldcard, you can be taking the PSBT and signing in that location with just one hardware device. Whereas in the Shamir secret sharing context, you are vulnerable in the moment that you have reconstituted the shards, because now you’ve got the full seed together. So, if the criminal kind of comes to you, then you’re in trouble at that point. Whereas in a multisig context you could have the devices in different locations such that at no given point in time are you fully vulnerable to a criminal coming and saying, sign your keys over to me, sign your coins.
Nick Farrow 00:14:05
Yeah, exactly right. And so, FROST gets rid of this problem, which is really awesome. I won’t go too far into the FROST key generation, but just to give a general idea: each party who wants to create a FROST key, who wants to be a part of the FROST multi-signature, we each create our own polynomial, and essentially we add some combination of these polynomials together to have a joint polynomial, much like Shamir’s secret sharing. And the really cool thing about this is that, by doing so, we’ve essentially got this.
Nick Farrow 00:14:45
Joint secret to a polynomial that none of us in the multisig know, but together we have enough information to recover it. And now we don’t actually want to ever recover this joint secret, because, like you said, we don’t want to reconstruct it and bring it back to one place or one device. So, what FROST allows us to do is, FROST allows us to evaluate that polynomial, so we can sign using it without actually having to reconstruct the secret. And the way you do this is, because each individual has their own polynomial, they can sign with this individual polynomial. I sign with my polynomial, you sign with your polynomial, and well, it’s really just the constant term of the polynomial, and then we add this combination of these partial signatures together, and we actually result in a signature that is valid for the joint polynomial.
Nick Farrow 00:15:58
So we each sign with our own little pieces, our own fragments of the key, and we’re able to sign under sort of this group public key. So that’s the power of FROST, is that you don’t have to actually reconstruct the secret itself. We can sign with fragments of the secret and then combine it at the end, and we have this signature that’s valid under the joint secret.
Stephan Livera 00:16:27
Let’s see. And so as I understand then, it’s just, let’s say there’s more complexity at the initial setup, right? Let’s say you, me and one other person, then we do a two of three and we want to do FROST multisig. There’s just that initial, let’s say, sharing of those nonces you mentioned, because that’s what we’re going to use when we sign, not just the first time, but the second time, the third time, the fourth time. That’s the main extra complexity, as I’m understanding you.
Nick Farrow 00:16:54
Yeah, that’s right. So, yeah, that’s really it. The key generation is 2 rounds. So, we create a FROST multi-signature in 2 rounds: we each share a polynomial of our own, and then we evaluate each other’s polynomials at different points, and then each person results with a single point on a joint polynomial. And then with signing, yes, it’s usually 2 rounds, but you can optimize it to be one if you can decide upon which nonces and which parties are going to be signing ahead of time.
Stephan Livera 00:17:40
I see. And so, as I’m understanding you, it’s like you’re saying, OK, this is early days, but let’s say in the future, at some point this kind of tech could be brought into the likes of Electrum, Specter, Sparrow, Nunchuk, Keeper, these kinds of multisig coordinator wallets, and this might just be another way to coordinate your multisig and actually use your multisig. Is that kind of how I’m understanding?
Nick Farrow 00:18:03
Yeah, absolutely. And it’s great that you bring up other wallets, because that’s something we’re actually gonna be looking to work with. There are already so many great wallets out there. We don’t want to be building, you know, a FROST wallet from scratch; that’s not something we want to be doing. So, we would really like to, yeah, integrate with wallets such as Sparrow and Nunchuk.
Nick Farrow 00:18:26
That would be the dream, and then you’re able to create FROST keys across multiple devices and you can sign across multiple devices. Very similar signing experience to your existing script multi-signature.
Stephan Livera 00:18:45
Let’s see. And so when it comes to the coordinator, so as an example, let’s just take Sparrow Wallet as an example, right? It’s a very common coordinator software, call it. So, are there any big wholesale changes required there, or is it more just like this would be another option to use inside these coordinating apps?
Nick Farrow 00:19:04
That’s a good question. It’s mostly communication. So, it’s mostly what kinds of messages are sent between FROST keys or FROST devices. So, you have this coordinator, say Sparrow. We’ll have to program into Sparrow all these different types of FROST messages and how to send this data back and forth between devices. Definitely keeping track of nonces will be a very important thing as well, because it’s vital, like with regular Schnorr signatures, that you never reuse a nonce. If you reuse the nonce, you leak your secret, and that’s exactly the same with FROST. So, it’s going to be very important that these wallets have quite an intelligent way of choosing which nonces to use next for the next signing round.
Stephan Livera 00:20:01
I see. So, I think probably I’m thinking of Nunchuk, where they have, let’s say, a bit of an interface for chatting with your multisig counterparties, or, you know, fellow multisig people in that same quorum. And so, I guess what we’re talking about here is the coordinator app has to be smart, quote unquote, smart enough to talk with the other users to say, OK, here are the nonces, don’t use this one, that kind of thing, right? Or it has to be smart enough to help coordinate this setup, right? Because today we could, as an example with Sparrow or Specter or something like this, I could say, hey Nick, give me your xpub. So you’ll give me your multisig xpub and I’m going to, you know, I’m going to generate a multisig.
Or I’m on my computer. Let’s say we get a third person, let’s, you know, Catan, right? We’re doing a two of three multisig. I could say, hey, Nick, give me your multisig xpub, and Catan, give me a multisig xpub. I’ll create it here and then I’ll export that, you know, the register, your multisig quorum file, back to you. That’s kind of how it would work in today’s, let’s call it legacy or script, multisig. But in a FROST context that might need some more, you know, where is it, middleware or some way for these pieces of software to talk to each other and kind of share that information that’s needed, right?
Nick Farrow 00:21:14
Yeah, absolutely. So, yeah, that’s a really good point. This FROST key generation, it involves the sharing of polynomials and evaluations of these polynomials. It will need its own sort of specification for how to share this stuff and these messages, so that each wallet can hopefully understand the right types of formats and things.
Stephan Livera 00:21:37
Gotcha. And then let’s say I’ve got Nunchuk and you’ve got Sparrow and Catan’s got Specter. You know, they would still need to all be able to, you know, correctly speak to each other, right? Because I guess that’s the other big trade-off, right? Because we were talking about this, but I think, put it this way, legacy multisig is non-interactive in itself, mostly, whereas this is, let’s say, interactive in the initial setup step. And I guess does that also mean we have to be really careful about not leaking these, right? Like, you would want to keep them offline?
Nick Farrow 00:22:09
You want to keep the nonce secret, yeah, the one that you’re signing with, for sure. I think I might have mentioned before, but the devices themselves or the users themselves should have software barriers to prevent reuse. So we shouldn’t rely on the coordinator to tell us, you know, use these nonces. We also want the devices themselves to reject, say, I’ve already signed with that, get lost. You’ve come back asking with a nonce, so they haven’t used.
Stephan Livera 00:22:40
Yeah, that’s a good point, because I remember Stepan Snigirev, who was an early contributor with Specter, wrote and spoke about this kind of idea of how could I make a multisig, or make a setup, that works even if my coordinator is evil, right? And that’s kind of relying on the hardware device being able to correctly understand, as an example, this change address belongs to me, or no it doesn’t, it’s a malicious change address, it’s a change attack, right? That kind of thing. Now, over the years, the multisig technology and hardware have evolved and, you know, improved to that level, and now there are techniques and things being done like registering your multisig quorum instead of being stateless and not understanding that. So that’s a quick, simple one, but this is like a whole new paradigm that would have to be kind of incorporated not just into the coordinator software, but also into our hardware devices. So, do you want to just tell us a little bit about what that would look like as a, you know, a FROST hardware signing device?
Nick Farrow 00:23:37
Yeah, yeah, absolutely. Just one thing on the xpubs, like, you raised a really good point about FROST being more interactive and required, because, like, with script multisig, you just need to write down the list of xpubs.
One downside to that is that you can’t lose any of those xpubs, and this was something that sort of really blew my mind when I first heard about this. I was like, that can’t be true, is that real? But in order to spend from a script multisig, you need to know every single xpub, so that you can recreate the redeem script and actually unlock that UTXO. Whereas with FROST, this won’t be an issue, so that’s a sort of a nice feature of FROST.
Stephan Livera 00:24:22
That’s a good point. OK, yeah, so put it this way. In multisig today, or legacy multisig or script multisig today, it’s very important that you keep a backup of the output descriptor, and that’s something I often talk about. I’m saying, hey, make sure you keep that output descriptor backup, keep it in multiple places, you know, because you need that in a multisig context, right? It’s not like in single signature; you’re in another world now, you need to think about that piece. Multisig is better, but this is one piece of additional complexity. So, in a FROST world, that’s at least one thing you can take away, so that’s actually useful.
Nick Farrow 00:24:52
Yeah, single xpub. Just back up that single xpub, and then you can back up each secret share.
Stephan Livera 00:24:58
Right. So, in this example each user would have his own, let’s say, metal seed backup for his, you know, Coldcard or whatever device you’re using, right?
Nick Farrow 00:25:04
Yeah, exactly. Backups is an interesting one. Well, let’s get back into that in a little bit. So yeah, hardware devices. So yeah, hardware devices is something that we’re actually experimenting with at the moment. And the way we, when I say we, this is Lloyd Fournier and Adam, Mother Storm on Twitter, the way we envision these FROST hardware devices working is that, so you have your coordinator, so it might be Sparrow on a laptop, and then you’d have a FROST hardware device, and you would plug that FROST hardware device into your laptop, and then you would get a second FROST device and plug that into the first FROST device, and you sort of make this chain of FROST devices all connected one into each other. You wanna do a three of five? To do keygen, you could plug all five devices into sort of the backs of one another, in this daisy chain, and then you get the laptop to say, let’s do keygen.
Nick Farrow 00:26:10
The laptop sends a message down the chain of devices, and on each device you can verify that it has the same view of all the other devices. And once you look at each device, you check they all look the same. You go down the line, sort of clicking an OK button, and then you’ve got a FROST key. From then on, you can unplug all the devices and geographically distribute them, or, you know, give one to each, say, member of your business or company. Then whenever you want to sign from then on, you can sign with one device at a time, so you could have your laptop coordinator again: plug 1 device in, sign, unplug that device, plug a second device in, sign, and so on until you’ve done your 3 out of five. You could also plug a threshold number of devices into one another again and sign all at once, but that sort of gets, yeah, it gets back to that thing where, you know, all your keys are in one place.
Stephan Livera 00:27:06
Kind of defeats the purpose.
Nick Farrow 00:27:11
It might be cryptographically secure, but the physical nature of bringing all the keys together is sort of the sketchy part.
Stephan Livera 00:27:20
OK. So, is it like a hardline requirement that all the devices have to be physically present for setup? So as an example, well, let’s say you were in different countries, right? I’m in Dubai, I’m in the UAE now, let’s say you’re probably in Australia or somewhere. Like, how would we do it then?
Nick Farrow 00:27:33
Yeah, that’s right.
Stephan Livera 00:27:36
Or can we do it then?
Nick Farrow 00:27:37
That’s a great question. So, yeah, I envision that you’ll be able to have coordinator software talking to each other remotely. So I could run Sparrow Wallet or Nunchuk on my laptop and you do the same on your laptop, and we each plug our devices into our respective laptops, and we could somehow link our coordinators so that they forward messages back and forth to one another, and that way we can still create a FROST multi-signature remotely without having to physically connect all these devices into one another.
Stephan Livera 00:28:15
Let’s see, OK, let’s talk about the backups aspect of it also. So you mentioned that earlier. Can you elaborate on the backups?
Nick Farrow 00:28:22
Yeah, so Lloyd doesn’t like seed phrases too much, and I sort of somewhat agree. Like, they’re not the most, like, they’re very user friendly, but they’re also very hard to convince people of, like, their importance. People lose them all the time. People write them down wrong all the time, or they try and do clever things with them all the time.
Nick Farrow 00:28:45
Heaps of mistakes are made all the time. With FROST, seed phrases will, I think, be sort of an optional thing. I would like to have them because bitcoiners want to have them and they’re what people are used to. It’s always nice to be able to, you know, you have your long-lived FROST key share or fragment, you might want to convert that into seed words so that you can easily transport it or protect it. But one of the really cool things about FROST is that, and we believe this to be true, the multi-signature is quite malleable.
Nick Farrow 00:29:28
And when I say malleable, I’m using this in a non-cryptography sense: that you can add or remove signers to the multisig at a later date. And this is something you cannot do with current script multi-signature. So, if you’ve got a two of three with script multi-signature and you lose one of the keys and you’re down to, you’ve only got your last two keys left, there’s no way for you to add in a new participant and make it a two of four, and likewise, there’s no way to remove a participant.
Nick Farrow 00:30:09
So with FROST, we don’t have any security proofs for it yet, but we believe it to be possible to not only add and remove signers, but also to change the threshold, to increase or decrease the threshold, and each of those comes with varying agreement requirements. So most of them, pretty much all of them, require at least the threshold number of parties to agree in order to change the number of signers.
Stephan Livera 00:30:40
So you would be able to change the quorum up or down in this context. So how would you change? So I’m curious then, would you need, OK, maybe this is like an inception question, but do you need a quorum to change the quorum? Is that how it works?
Nick Farrow 00:30:54
Yeah, yeah, that’s depending on what you’re changing. We haven’t fully got to the bottom of it all, but say you have a three of five and you want to make it a three of six. You would need 3 parties to collaborate in order to add that sixth party, yeah.
Stephan Livera 00:31:09
Agree to do that. Gotcha. Or even to cut someone out. So let’s say you’re going from three of five down to three of four, and someone’s getting cut out, like you.
Nick Farrow 00:31:18
Stephan Livera 00:31:21
Know, it’s the same kind of thing, right?
Nick Farrow 00:31:22
Right. And the reason that that’s OK is because the security assumption of FROST is that you have T, a threshold number, of honest parties. So if you’ve already got three people who are willing to decrease the threshold and make it less secure, or kick out other signers, well then they could already steal the funds anyway, so it’s no less secure.
Stephan Livera 00:31:47
Yeah. Yeah, I think that part’s kind of fair. But I think for me, it’s more just a question of, you know, you would want to see the implementation has been out and battle tested out in the wild for some time before, you know, if I would, you know, I use script multisig personally, I’m a big fan of it. I would be very reluctant to sort of change that setup unless I was very confident that it had been out there and tested for a while with, you know, multiple hardware, multiple sets of software.
Nick Farrow 00:32:10
Stephan Livera 00:32:14
I think that’s also part of the reason for being so dogged about seeds.I think for a lot of this is because they’re focused on verifiability and being able to recreate things right, because if you put them into, if you put a bitcoiner into a, let’s say, let’s say seedless context or quote UN quote seedless, they’re now having to place a lot more trust in the software, the hardware, somebody else. Whereas if you have there 12 or 24 words, it just at least the way I’m seeing it, it’s more reproducible. It’s more verifiable. I sort of I know what’s happening. I can I don’t know. It’s also a familiarity thing, because let’s say I’m using called card or some other device and I’m doing dice rolls that, you know. Can it just kind of having that gives me a little bit more that I can do to make it verifiable and I think that’s why for me, I’m not a fan of the whole seedless style approach.
Nick Farrow 00:33:07
Yeah, that’s a really good point. You can always take that seed and put it in, like, an offline computer or another hardware device and verify it very easily, independently verify that it’s reproducing the same private keys that you expect.
Stephan Livera 00:33:24
Right. The same seed or the same private keys? Exactly right. Because I wouldn’t want to just be placing all my trust in the software, because, hey, you know, I don’t want to scare listeners, but this kind of thing has happened before. In, I believe, 2019 or 2020, there was a malicious alert from Electrum. Now at the time, Electrum was a very popular wallet for OG users. And there was a malicious alert and some users clicked it, downloaded it. Guess what? It was malware, and there were users who lost coins out of that. So I think that kind of thing, it can be very jarring and make it difficult for people to place all their trust in one piece of software. The way I view multisig, as my friend Michael Flaxman explains, it’s about fault tolerance, right? How can you set things up in such a way that even if you made a catastrophic error, you still don’t lose your coins? Because maybe there was a supply chain risk, or maybe there’s a problem in the cryptography of how it was implemented in one of those devices. Or maybe it’s a problem in the secure element. Or maybe, you know, you’re keeping your devices in different locations. I think it’s all about having more fault tolerance, but being done in a way that’s reproducible, verifiable, et cetera. So that’s kind of it for me.
Nick Farrow 00:34:33
Absolutely, yes. Yeah, that’s how I see the seedless versus, you know, maintaining seeds question, and that’s why I’m in the maintaining seeds camp personally.
Stephan Livera 00:34:40
But it’ll be interesting to see which way it develops.
Nick Farrow 00:34:44
So I do really like having the seeds as at least an option, that you can always back up your FROST key share to a seed. And other ideas we have are sort of these NFC backups, so you might be able to write it to an NFC chip so you can easily load it up again. You could even have, say, one FROST device that, much like a seed, you load up an individual secret share, sign, wipe it, load up the next secret share, sign, wipe it. Still probably not ideal if you believe that device is compromised, but it’s cool that you can do that. So yeah, NFC backups, seeds, yeah.
Stephan Livera 00:35:24
Right. And you could maybe argue, OK, for some people they may be OK with having one or two of the devices as NFC, because I’m using multisig already, right? So there’s kind of a benefit of that.
Nick Farrow 00:35:37
Yeah, it’s moving the security away from trying to have a super secure single device to having this sort of distributed risk across multiple devices.
Stephan Livera 00:35:50
And of course, maybe the truly paranoid may say no, I want a device with a screen and a, you know, for every single one of the devices in my quorum, because that’s just the security bar that they want to set. Or as a company, maybe they’re just securing that much money that that’s the minimum threshold. But maybe for smaller businesses, smaller amounts, it kind of makes sense to have thresholds. So maybe one of them has an NFC or something like this, where they’re doing that. And when it comes to the FROST hardware signing device, is there any, put it this way, is there any additional computational requirement on the hardware devices, or would a typical hardware device today have enough grunt, let’s say, to do the processing?
Nick Farrow 00:36:30
They have enough grunt. It’s an interesting question. FROST does get computationally expensive when the threshold is really high. So if you’re doing, like, I don’t know, a 50 of 100, it could take a few minutes, but I don’t even know. I don’t think anyone’s doing multisig things of that size. But actually I saw a funny comment on GitHub a few months ago. Jesse Posner is one of the people who has a FROST implementation in the works for libsecp256k1-zkp. And in his PR, one of the guys from, like, the Wall Street Bets subreddit left this comment asking, is it possible to do a, say, 3,000,000 out of 4,000,000 person FROST thing? Because they wanted to have this sort of user-decided investment fund where users would vote on what they were gonna, you know, buy for the week or whatever. At the moment, things like that are sort of computationally too intensive. Once you have a really big threshold, you have to do a whole bunch of elliptic curve multiplications, which are quite costly. But for the moment, for doing, you know, your personal, or anything up to, I’d say, around a 50 out of 100, you’ve probably got nothing to worry about with existing hardware abilities.
Stephan Livera 00:38:12
Yeah, I think it’s interesting because sometimes things get revealed in practice, right? So as an example, I’ve heard of cases where, when people are signing, and we’re talking here in a script multisig context, they are signing a transaction with many UTXOs and they’ve got an older hardware device that’s part of that quorum. And so they’re sitting there and sometimes it takes, you know, 3 or 4 minutes for the device to sign that transaction, because there are so many UTXOs and it’s multisig, it’s more complicated. And in some cases I’ve heard of situations where people had to break the transaction down into smaller outputs, right? Like literally retry the transaction with smaller outputs.
Nick Farrow 00:38:49
Well, like, chunk it out.
Stephan Livera 00:38:52
Yeah, because it literally was not able to handle it, because maybe it was an older device like the original Trezor device or something like this, right? So it might be a similar case where, you know, you’ll never foresee every little edge case of how some person tries to use it. Right, as you said in the Wall Street Bets example, where they might want to do some crazy 3,000,000 out of 4,000,000. Same thing. But yeah, I think potentially some benefits there for the companies, or maybe people with a lot to secure, and maybe they really want the privacy benefit out of it.
Nick Farrow 00:39:26
I wonder, with the slow multi-signatures you just mentioned, I wonder if that is a symptom of it being a script multi-signature. I’m not exactly sure, but perhaps because FROST is not using Bitcoin script, it doesn’t have to do this sort of... perhaps for each UTXO there might be less work. I’m not sure, I’d have to look into it, but yeah, perhaps because you’re not using Bitcoin script you could avoid some of this computational cost.
Stephan Livera 00:39:57
OK, yeah, I don’t know enough to be able to comment on it. OK, so we’ve spoken about FROST. What about, in terms of FROST, where is it at today, implementation-wise, cryptography-wise? Is this all kind of, like, highly experimental, or where are we right now?
Nick Farrow 00:40:14
So the FROST paper is proven secure. So that’s a great start. As I mentioned before, Jesse Posner has an implementation of FROST in C, and I view that as sort of the more official implementation, the more robust one. It’s being vetted quite heavily by a whole bunch of people in that GitHub pull request. Lloyd and I have our own FROST implementation in his secp256kfun library, which has “fun” in the name and is sort of an experimental cryptography library. So we have our FROST implementation in there and we’ve been tinkering a whole bunch with it, trying to make it really user-friendly and be able to do really powerful stuff with it. So those are the two I know of. I have seen there are other non-Bitcoin-related FROST implementations, so there are FROST implementations that work with elliptic curves that Bitcoin doesn’t use, and those are presumably being used for other altcoin stuff, or who knows what. Gotcha.
Stephan Livera 00:41:28
And so I guess the next thing would be sort of advancing it forward, maybe looking at, maybe you would try to lobby some of the hardware devices: hey, can you please support this thing? Or lobbying, you know, some of the wallet software, coordinator software, to support the thing and find a way.
Nick Farrow 00:41:44
So there’s a few angles we need to get things working on. One really big one is going to be the FROST specification. So getting Jesse’s implementation of FROST compatible with our implementation of FROST, compatible with whatever other implementations of FROST are out there. So that’s going to be one really big step, and sort of a very important early one. Once we’ve done that, I’m really keen to check out some of these existing software wallets and see if we can add in a FROST coordinator that can talk to these FROST hardware devices that we’ve been exploring. That would be the next sort of step for me, I think, to get these going.
Stephan Livera 00:42:29
OK. So we’re talking about FROST. What about ROAST, what’s ROAST?
Nick Farrow 00:42:33
Yeah, ROAST is a little bit misleading. When people hear the name, they assume it’s sort of its own signature scheme. You know, you’ve got MuSig, you’ve got FROST, now you... It’s not quite like that. So ROAST is actually a wrapper, it is a set of instructions for how to run a threshold signature scheme like FROST. The example of when ROAST is required, the one I like to give, is imagine we’re part of a company, or say we’re part of a charity, and say we wanna donate money to, say, SatSale, and I might not actually want to donate the charity’s money to SatSale. So what I’ll do is, when we go to sign with FROST, I’ll say yeah, I’ll sign. Give me the PSBT or whatever. I’m ready to sign. But when it actually comes around to my turn to sign, I just sort of disconnect. I log out for the day and you guys are just left hanging there waiting for my signature. And maybe I eventually come back online and say I’m back now, I’ll sign. And then it comes round to my turn to sign again, and once again I just flat out refuse to sign. So with FROST, signers can be disruptive. They can sort of pretend that they’re willing to sign things, or they can have really bad connections and they can disappear, which prevents things from being signed.
Nick Farrow 00:44:03
What ROAST is: it’s a set of instructions for which signers to choose at each signing round. So if I disconnected on that signing round, like, you know, you gave me an hour and I’ve still not logged on to sign, what you would do is, your ROAST instructions would tell you: let’s kick Nick out, he’s a malicious signer. Let’s go ask one of the other signers in our multisig to help us sign this message. ROAST is a set of instructions that makes FROST robust, and provided you have a t-threshold number of honest signers, you’re guaranteed to eventually arrive at a signature when you’re using ROAST.
Stephan Livera 00:44:56
So, as I’m understanding it, is it suggesting another signer to go to? Is that essentially what it’s doing? Or is it a system that recognizes, like, let’s say in that example you’re griefing and I should go to Lloyd for a signature instead of you. Is it gonna tell me that, or how does that work?
Nick Farrow 00:45:14
So one of the fundamental requirements of ROAST is that you have what are called identifiable aborts. And so whenever I didn’t actually sign, say I give you gibberish back, you’re able to look at the gibberish I gave you and say, Nick, you’re not actually signing, you’re just sending me garbage. And then ROAST will tell you to essentially mark Nick malicious. Let’s look at a different subset of signers. So ROAST really keeps track of who’s a good signer and who’s a bad signer, and can continually sign using those lists.
Stephan Livera 00:45:57
So it would make more sense in bigger quorums, let’s say. Whereas, let’s say, a small quorum, two or three, everyone knows each other and they’re all good friends. Like, it’s unlikely you would need that there, right? But let’s say it’s a bigger thing, like 50 people or, you know, 30 people in a quorum somewhere. For whatever reason, if some of them go malicious, although I mean, if you’re working at the same company together or you’re in a charity together, I guess it would be kind of unlikely that that would happen. But I mean, I guess it’s useful. Maybe would it help in, let’s say, honest cases? So let’s say, what if you were honest, like you were trying to help, maybe your Internet connection was just bad, you know, something like that.
Nick Farrow 00:46:28
It does also help in that situation as well, when someone’s got, yeah, a bad connection. You can keep track of which signers are sort of reliable, who has been successfully signing, and you can continually go to them as your first port of call whenever you want something to be signed.
Stephan Livera 00:46:48
Gotcha. So would you manually select, or not really? Like, so I guess in the current, like, I’m thinking of legacy multisig where I just manually select. OK, let’s say I’ve got, you know, some other device, I’m going to sign it with device B instead of device C. I guess the way you’re explaining it here is almost like the software, the coordinator, is kind of auto-picking who I go to for a signature.
Nick Farrow 00:47:11
Yeah, exactly. And ROAST, like, the algorithm itself is actually relatively simple. It’s just keeping track of who’s a malicious signer and who’s been a responsive signer, and sort of updating that as you would quite expect. Like you say, if you’re running your own, say, 2 out of 3 self-custody multisig, you’ll never need ROAST. You can trust yourself to actually go to these devices and get signatures from them. And even in a company it might not be so useful, but in sort of these grey areas where it could be a little bit adversarial, you could be in a multi-signature with people that you don’t have much in common with, you don’t, yeah.
Stephan Livera 00:48:03
Well, maybe it’s like for a bet. You know, people do these bets online and maybe there’s like a multisig amongst people who kind of don’t trust each other, because maybe one of them won the bet.
Nick Farrow 00:48:05
Stephan Livera 00:48:10
The other one lost the bet or something.
Nick Farrow 00:48:12
Exactly. Yeah. Exactly right.
Stephan Livera 00:48:14
OK, cool. And so then, what are some of the others? You’ve also been playing around with Nostr as well, right? What’s the deal there?
Nick Farrow 00:48:23
Yes, Nostr has been a lot of fun as of late. Because Nostr uses Schnorr signatures to sign its posts and everything flowing around on Nostr, you could view Nostr as sort of a really fun playground for Schnorr signatures, and it’s a lot less risky; you could be a lot more reckless with Schnorr signatures there, you know, the worst that could happen is someone takes over your Nostr account. Whereas with Bitcoin, if you’re doing risky stuff on Bitcoin, you know you could lose a lot of funds. So one of the things I did a little while ago was Nostr plus FROST, which is Frostr. And with Frostr, I think it might be the world’s first collaborative social media account, or shared custody social media account.
Stephan Livera 00:49:18
All right. It’s kind of like a multisig for some.
Nick Farrow 00:49:24
So you and I could each have a key share of a multisig, and in order to sign, it could be a two of two or a two of three, in order to post under that Nostr account you need some threshold number of multisig members to each sign the post.
Stephan Livera 00:49:41
Oh, I see. So it could be useful for people who have, like, a massive social media following. Maybe they’ve got a team who manage it. You know, if you’re Joe Rogan or, I don’t know, someone who has a big following, and instead of trusting one person with your password for Twitter or Nostr or whatever, well, your private key for Nostr, let’s say, maybe this would be a way to share it around, I guess, kind of.
Nick Farrow 00:50:01
Yeah, I like to say it protects against the rogue intern attack. You give the intern, you know, full free rein of your social media and they could end up posting, you know, whatever the hell they want. And social media accounts get hacked all the time, from, like, big companies. They always end up posting, like, NFT scams and, you know, scamming a whole bunch of their customers. You see it happen all the time. So yeah, having this shared custody of social media is a pretty novel idea, I think. It hasn’t fully been explored. One related idea on that: Frostr is probably what Ethereum DAOs should have been. A DAO probably should just be a big multi-signature where people sort of sign things to vote on what the organization does.
Stephan Livera 00:50:59
Nick Farrow 00:51:00
Or what changes it makes to itself? And that same multi-signature can protect the DAO treasury or whatever, and this carries forward to ideas like Fedimint. So you might want to have a shared Nostr account for a federation, so that whenever they’re, you know, deploying an update to the Fedimint, or they’re making some changes to their security setup or something, they can publicly post this under a federated Nostr account, as opposed to giving one federation member complete control of the social media.
Stephan Livera 00:51:40
Gotcha. And I guess that could also stop the malicious update sort of thing, or at least it might help stop the malicious update thing, because if it’s just, let’s say, a website, I mean obviously we’re not real, but you know what I mean, like a single website that’s under a single person’s control. This is kind of like having multisig without having a token. So I think that’s the other interesting thing. Obviously, a lot of the shitcoin people, the criticism I have of many of them is that they’re not really about the functionality. They’re about the Ponzi or the rug, you know. Because they want a token that they can dump on someone, or the NFT, ordinals, inscriptions people, that’s what it seems like to me at least. So this could be an example of, hey, you don’t need a token for that, you could do that with Frostr, as an example, although.
Nick Farrow 00:52:28
Right. It’s just a keypair, it’s like a shared keypair. It might be all that you need, and you can still have programmable money with it. You can do all kinds of taproot scripts embedded in this FROST multisig. You could program all kinds of functionality that moves the treasury funds around, or you could add rules which change the governance, exactly.
Stephan Livera 00:52:50
The governance, the voting stuff, no, right. I agree. I haven’t actually really seen any DAOs yet that I’m like, oh, that’s actually a good idea.
Nick Farrow 00:53:01
Maybe the Wall Street Bets one is interesting, like having, you know, a user-directed investment fund is an interesting idea, but yeah, I don’t know if it’s actually a good one.
Stephan Livera 00:53:12
Yeah, it seems many of them in practice are centralized in some way, shape or form, or there is some, you know, backup multisig, you know, there’s some backup thing that someone...
Nick Farrow 00:53:21
The admin keys, yeah.
Stephan Livera 00:53:22
Yeah, admin key, right. So you could say, OK, even if, let’s imagine we had Frostr and they were all using Frostr, there might be some other problems too, right? Maybe there could be some kind of Sybil attack. How do you stop, you know, people just representing as multiple people, right? Maybe that’s also a problem to deal with, or a challenge to deal with. Anyway, let’s bring it back to Bitcoin. What do you think of the future of multisig? Right? Like, if we’re looking at this and we’re thinking about what FROST and ROAST might do, do you foresee a lot of companies or, like, you know, charities, or maybe high net worth individuals adopting this kind of thing, or even just everyday, you know, just average users?
Nick Farrow 00:54:02
I think the user experience is going to be, has the potential to be, so much more accessible than what people might have experienced with script multi-signature. I myself, when I first tried to set up a script multi-signature with the lecture a few years ago, I was like, this is... I don’t know what I’m doing. I’ve heard and I’ve seen it’s gotten a lot better with things like Nunchuk and Sparrow and Specter. But I think the user experience that’s possible with FROST keys is going to be really quite incredible and really very user-friendly to a wider group of people who aren’t necessarily Bitcoiners, especially when you’re bringing in these ideas of having this malleable multisig. So yeah, you lose a device, you can easily buy a new one and just enroll it. Or if you’re a company and all the executives each have a FROST key, if one of those executives leaves, instead of having to migrate the whole multisig, you could just blacklist that old executive’s key and reissue a new one for a new executive.
Stephan Livera 00:55:13
That’s actually a good practicality benefit.
Nick Farrow 00:55:15
Yeah, so you don’t have to migrate the whole thing. That is a really nice feature. And it’s really awesome that FROST also packages in this sort of privacy alongside this user experience improvement.
Stephan Livera 00:55:27
Yeah, but I guess it takes battle testing. It takes time out there in the wild for people to feel, you know, safe with this kind of thing, you know?
Nick Farrow 00:55:34
Stephan Livera 00:55:36
But you know, let’s see where it goes. So Nick, probably a good spot to finish up here. So just let listeners know where can they find you and find your work.
Nick Farrow 00:55:44
Yeah, I’m on Twitter at @utxoclub and my website domain is utxo.club. We don’t have any FROST-related social media yet, but I plan on making some soon, once we’ve got a product ready to unveil to you guys. So yeah, follow me at @utxoclub and I’ll be posting about it there.
Stephan Livera 00:56:06
Thanks for joining me, Nick.
Nick Farrow 00:56:07
Thank you very much, Stephan. I really enjoyed it, it was a lot of fun.