Packages

package frost

Ordering
  1. Alphabetic
Visibility
  1. Public
  2. Protected

Type Members

  1. case class FrostNoncePriv(bytes: ByteVector) extends NetworkElement with MaskedToString with Product with Serializable

    FROST nonce (private) representation.

    FROST nonce (private) representation.

    This class wraps the serialized form of two secret nonces concatenated together. Each secret nonce is represented as a 32-byte big-endian scalar (a field element modulo the curve order), so the full representation is 64 bytes: k1 || k2.

    Layout:

    • bytes[0:32) => big-endian scalar encoding of k1
    • bytes[32:64) => big-endian scalar encoding of k2

    In the FROST protocol (and MuSig2), signers generate two secret nonces per signing session. Their corresponding public nonces are R1 = k1*G and R2 = k2*G, and the test vectors store the concatenation of the two private nonces in this format. The two nonces enable construction of the final signing nonce as a linear combination (e.g. R = R1_agg + c*R2_agg), where c is a hash-derived coefficient that depends on the aggregated nonces, aggregate public key, and message.

    Security notes:

    • Each 32-byte chunk should be interpreted as a scalar and validated according to your scalar/field representation (reduction modulo the curve order if needed).
    • Nonces must be treated as secret material: zero them in memory after use and avoid leaking them (this class implements MaskedToString to prevent accidental exposure in logs).
    bytes

    the 64-byte concatenation of two 32-byte secret nonces (k1||k2)

  2. case class FrostNoncePub(bytes: ByteVector) extends NetworkElement with Product with Serializable

    FROST nonce (public) representation.

    FROST nonce (public) representation.

    This class wraps the serialized form of two SEC-compressed curve points concatenated together. Each compressed point uses 33 bytes, so the full representation is 66 bytes.

    Layout:

    • bytes[0:33) => compressed representation of R1
    • bytes[33:66) => compressed representation of R2

    In the FROST protocol these correspond to the two public nonces (R1, R2) produced by a participant during nonce generation. The require in the constructor enforces the fixed-length invariant.

    Note:

    • The byte order is the concatenation of the compressed encodings as returned by the underlying curve library (typically SEC compressed form).
    • Consumers should parse each 33-byte slice into the appropriate elliptic-curve point type before using them in point arithmetic.
    bytes

    the 66-byte concatenation of two SEC-compressed curve points

  3. case class FrostSessionContext(signingContext: FrostSigningContext, aggNonce: FrostNoncePub, tweaks: Vector[FieldElement], isXOnly: Vector[Boolean], message: ByteVector) extends Product with Serializable

    Container for a FROST signing session.

    Container for a FROST signing session.

    This class encapsulates all the information needed for a single FROST signing session, including the signing context (participant information), aggregated nonces, optional tweaks, and the message to be signed.

    The session context is used to compute session-specific values (via getSessionValues) such as:

    • b: the nonce coefficient used to combine R1 and R2
    • R: the effective nonce point used in the signature
    • e: the challenge scalar derived from R, the (tweaked) aggregate public key, and the message

    These values are required by both the signing and verification algorithms.

    signingContext

    the signing context containing participant information, their public key shares, and the threshold public key

    aggNonce

    the aggregated public nonce from all signing participants (R1_agg, R2_agg)

    tweaks

    optional scalar tweaks to apply to the threshold public key (e.g., for taproot key path spending)

    isXOnly

    for each tweak, indicates whether it was derived from an x-only public key (affects parity handling)

    message

    the message bytes to be signed

  4. case class FrostSessionValues(tweakCtx: FrostTweakContext, ids: Vector[Long], pubshares: Vector[ECPublicKey], b: FieldElement, R: SecpPointFinite, e: FieldElement) extends Product with Serializable

    Container of per-session values used during a FROST signing session.

    Container of per-session values used during a FROST signing session.

    This class groups the mutable/derived values required to produce or verify a signature for a single signing session. It includes the current tweak context (aggregate key + accumulators), the participant identifiers and their public shares, and the session-specific scalars/points used in the signing equation.

    Fields:

    • tweakCtx: current aggregate key and tweak/parity accumulators (q, tacc, gacc)
    • ids: vector of participant identifiers used to index shares
    • pubshares: each participant's public share (in the same order as ids)
    • b: session binding or coefficient scalar used when computing the signer contribution (protocol-specific)
    • r: the combined nonce point (finite curve point) used in the signature challenge
    • e: the challenge scalar (usually derived from R, the aggregate pubkey, and the message)

    Convenience accessors q, gacc, and tacc forward to fields in tweakCtx.

  5. case class FrostShareGenResult(ids: Vector[Long], shares: Vector[FieldElement], commitments: Vector[ECPublicKey]) extends Product with Serializable

    Result of FROST trusted dealer key generation.

    Result of FROST trusted dealer key generation.

    This class represents the output of the FROST key generation process where a trusted dealer generates secret shares for a threshold signing scheme. In a t-of-n threshold scheme, any t participants can collaborate to produce a valid signature, but fewer than t cannot.

    The dealer generates:

    • Secret shares for each of n participants
    • VSS (Verifiable Secret Sharing) commitments that allow participants to verify their shares are consistent with the threshold public key
    • A threshold public key that represents the aggregate signing key

    Each participant receives:

    • Their participant ID (from ids)
    • Their secret share (from shares)
    • The VSS commitments (public, same for all participants)

    Participants can verify their share is valid using FrostUtil.vssVerify(share, id, commitments).

    ids

    participant identifiers (1-indexed, typically 1 to n)

    shares

    secret shares for each participant (must be kept private by each participant)

    commitments

    VSS commitments (public) that allow verification of shares. The number of commitments equals the threshold t.

  6. case class FrostSigningContext(n: Long, t: Long, participantIds: Vector[Long], pubshares: Vector[ECPublicKey], thresholdPubKey: ECPublicKey) extends Product with Serializable
  7. case class FrostTweakContext(Q: SecpPointFinite, tacc: FieldElement, gacc: ParityMultiplier) extends Product with Serializable

    A FROST tweak context.

    A FROST tweak context.

    Holds the current aggregate public key point q, the scalar tweak accumulator tacc, and the parity accumulator gacc. This context encapsulates the minimal state needed to apply one or more tweaks to an aggregate key as described in the FROST specification (BIP-FROST). The implementation is compatible with MuSig2 tweak semantics so the MuSig tweak logic can be reused.

    Q

    aggregate public key point (finite curve point)

    tacc

    scalar tweak accumulator (field element)

    gacc

    parity accumulator used for x-only parity tracking

Value Members

  1. object FrostNoncePriv extends Factory[FrostNoncePriv] with Serializable
  2. object FrostNoncePub extends Factory[FrostNoncePub] with Serializable
  3. object FrostSigningContext extends Serializable
  4. object FrostTweakContext extends Serializable
  5. object FrostUtil

Ungrouped