Abstract. Threshold signatures allow a secret key to be distributed among a group of signers, and in order to sign a message, at least a threshold of signers must be involved. This talk focuses on efficient constructions that produce Schnorr signatures (or the standardized version, EdDSA) with adaptive security. The most efficient threshold Schnorr signature scheme is FROST, which has two signing rounds. The static security of FROST is proved under the algebraic one-more discrete logarithm (AOMDL) assumption in the random oracle model (ROM). However, recent works by Crites et al. (CRYPTO '25) show that there is an inherent non-standard computational assumption underlying the adaptive security of FROST. In this talk, I will present Mask-FROST, a new partially non-interactive threshold Schnorr signature scheme that has comparable efficiency to FROST and is adaptively secure under only the AOMDL assumption in the algebraic group model (AGM) and the ROM. All prior adaptively secure constructions require at least 3 rounds. I will also talk about our impossibility result, which shows that it is not possible to show that Mask-FROST is adaptively secure in the ROM only under the AOMDL assumption.
Joint work: Renas Bacho, Yanbo Chen, Julian Loss, Stefano Tessaro.
Presented at MPTS 2026: NIST Workshop on Multi-Party Threshold Schemes
Starts: January 26, 2026
Security and Privacy: cryptography