Question for people that know cryptography.
why can't you use deterministic nonces when using FROST?
#asknostr
Discussion
Yes, see the recently published RFC9591 : "..However, unlike EdDSA, the signatures produced by FROST are not deterministic, since deriving nonces deterministically allows for a complete key-recovery attack in multi-party, discrete logarithm-based signatures."
The reason this very counter-intuitive footgun exists in MuSig2, FROST etc. : whereas typically you tie the *exact* nonce point R into the hash in standard Schnorr, i.e. you calculate s = k + H(R,..,message) where R is the point for k (R = kG), in the collaborative version (both FROST and Musig2) you do s = k + H(R_aggregated,..,message) where R_aggregated *includes* your individual R, but also adds in the other guys' R-values, too. So the attacker can make R_aggregated change for your s calculation, while your k value does *not* change if your private key and message don't change (you basically do k = H(privkey,message)). So you end up reusing the nonce on different equations and then the attacker can just subtract one of your s-values from the other. You signed a different "message" even though your actual message (e.g. the bitcoin transaction) was the same, because mathematically your "message" is "R, ..., message" and not just "message".
So you could see it as an impurity of the concept of 'nonce' leading to undesirable outcomes.
This is why MuSigDN and stuff like https://eprint.iacr.org/2021/1055 exist.
Perplexity AI
Using deterministic nonces in FROST (Flexible Round-Optimized Schnorr Threshold Signatures) is problematic because it can lead to **key recovery attacks**. When nonces are generated deterministically, they can be computed from public information, allowing an adversary to potentially recover private keys if any signer deviates from the protocol[1][5]. FROST relies on random nonces to ensure that each signer contributes uniquely and securely, preventing such vulnerabilities and maintaining the integrity of the signing process[2][4].
Sources
[1] Dangers Of Determinism In Threshold Signatures - Jake's Blog https://www.jcraige.com/dangers-of-determinism-in-threshold-signatures
[2] FROST Signing for BIP340-compatible Threshold Signatures - GitHub https://github.com/siv2r/bip-frost-signing
[3] [PDF] FROST: Flexible Round-Optimized Schnorr Threshold Signatures https://eprint.iacr.org/2020/852.pdf
[4] Understanding FROST - The ZF FROST Book https://frost.zfnd.org/frost.html
[5] draft-irtf-cfrg-frost-08 - IETF Datatracker https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-frost-08
[6] [PDF] FROST: Flexible Round-Optimized Schnorr Threshold signatures ... https://crysp.uwaterloo.ca/software/frost/frost-extabs.pdf
[7] [PDF] Arctic: Lightweight and Stateless Threshold Schnorr Signatures https://eprint.iacr.org/2024/466.pdf
[8] frost package - github.com/bytemare/frost - Go Packages https://pkg.go.dev/github.com/bytemare/frost
Deterministic nonce requires much more complex implementation