Perplexity AI
Using deterministic nonces in FROST (Flexible Round-Optimized Schnorr Threshold Signatures) is unsafe because it lets a malicious co-signer recover an honest signer's secret share, and from enough shares the group signing key[1][5]. In single-party Schnorr, deriving the nonce from the secret key and the message (RFC 6979 style) is fine: the challenge is fixed by that nonce and message, so one nonce is never combined with two different challenges. In a threshold signature the challenge depends on the group commitment R, which is built from every participant's nonce commitments. If an honest signer derives its nonce pair from its share and the message, a participant who deviates from the protocol can re-run signing of the same message while changing only its own nonce commitments; the honest signer then reuses its nonces under different binding factors and challenges, and its partial signatures form a linear system that can be solved for its nonces and its share[1]. FROST therefore requires every signer to sample fresh random nonces for each signing session and to discard them afterwards, so that no two partial signatures share a nonce[2][4][5]. Stateless schemes such as Arctic that do derive nonces deterministically are built around this attack with additional mechanisms and assumptions; FROST as specified has none[7].
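The following Python is an added worked example, not code from the sources above or from any FROST implementation. It models 2-of-2 FROST-style signing in a toy prime-order group and runs the attack just described: participant 1 derives its nonce pair from (share, message), participant 2 re-runs signing of one message with different nonces of its own, and three honest partial signatures suffice to solve for participant 1's share, after which the adversary reconstructs the group key. Group parameters, the hash-to-scalar function, the key, the shares and the message are all constructed here. With `deterministic=False` the victim samples fresh nonces per session and the same solve returns an unrelated value.

```python
"""Toy 2-of-2 FROST-style signing showing why deterministic nonces are unsafe
in threshold Schnorr. Added example; not from any FROST implementation.
The group, hash, key, shares and message below are constructed for the demo."""
import hashlib
import secrets

# Toy group: safe prime p = 2q + 1 and a generator G of prime order q.
# Far too small to be secure; chosen so the arithmetic is easy to follow.
P, Q, G = 2039, 1019, 4   # 4 = 2^2 is a quadratic residue mod p, so ord(4) = q

# Lagrange coefficients for the signer set {1, 2} over Z_q (2-of-2 Shamir).
LAMBDA = {1: 2 % Q, 2: (-1) % Q}


def h(*parts) -> int:
    """Hash arbitrary parts into Z_q; the first part acts as a domain tag."""
    m = hashlib.sha256()
    for part in parts:
        m.update(repr(part).encode() + b"|")
    return int.from_bytes(m.digest(), "big") % Q


def keygen(x: int, a1: int):
    """Shamir-share the group secret x with f(i) = x + a1*i; return (Y, shares)."""
    shares = {1: (x + a1) % Q, 2: (x + 2 * a1) % Q}
    return pow(G, x, P), shares


def binding_factor(i, msg, commitments):
    # rho_i covers every participant's commitments, so it changes whenever ANY
    # participant changes its nonce commitments.
    return h("rho", i, msg, sorted(commitments.items()))


def group_commitment(msg, commitments):
    R = 1
    for i, (D, E) in commitments.items():
        R = R * D * pow(E, binding_factor(i, msg, commitments), P) % P
    return R


def challenge(R, Y, msg):
    return h("chal", R, Y, msg)


class Signer:
    """One participant. deterministic=True derives (d, e) from (share, msg), the
    RFC 6979-style rule that is fine for single-party Schnorr but unsafe here."""

    def __init__(self, ident, share, deterministic):
        self.id, self.share, self.deterministic = ident, share, deterministic
        self.nonces = None

    def commit(self, msg):                      # FROST round 1
        if self.deterministic:
            d, e = h("d", self.share, msg), h("e", self.share, msg)
        else:
            d, e = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
        self.nonces = (d, e)
        return pow(G, d, P), pow(G, e, P)

    def sign(self, msg, commitments, Y):        # FROST round 2
        d, e = self.nonces
        rho = binding_factor(self.id, msg, commitments)
        c = challenge(group_commitment(msg, commitments), Y, msg)
        return (d + e * rho + LAMBDA[self.id] * self.share * c) % Q


def threshold_sign(msg, signers, Y):
    commitments = {s.id: s.commit(msg) for s in signers}
    R = group_commitment(msg, commitments)
    z = sum(s.sign(msg, commitments, Y) for s in signers) % Q
    return R, z


def verify(Y, msg, R, z):
    return pow(G, z, P) == R * pow(Y, challenge(R, Y, msg), P) % P


def solve_mod_q(rows):
    """Gaussian elimination over Z_q on an n x (n+1) augmented matrix; None if singular."""
    m, n = [r[:] for r in rows], len(rows)
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col] % Q), None)
        if piv is None:
            return None
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, Q)
        m[col] = [v * inv % Q for v in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % Q for a, b in zip(m[r], m[col])]
    return [m[r][n] for r in range(n)]


def recover_share(victim, Y, msg, max_sessions=12):
    """Malicious participant 2: re-run signing of the same msg, changing only its
    own nonces. If the victim's (d1, e1) repeat, each partial signature gives
    z1 = d1 + rho1*e1 + (lambda1*c)*s1, one linear equation in (d1, e1, s1)."""
    rows = []
    for k in range(max_sessions):
        D1, E1 = victim.commit(msg)
        d2, e2 = h("adv-d", k), h("adv-e", k)    # adversary's own nonces, fresh per run
        commitments = {1: (D1, E1), 2: (pow(G, d2, P), pow(G, e2, P))}
        z1 = victim.sign(msg, commitments, Y)     # the victim follows the protocol
        rho1 = binding_factor(1, msg, commitments)
        c = challenge(group_commitment(msg, commitments), Y, msg)
        rows.append([1, rho1, LAMBDA[1] * c % Q, z1])
        if len(rows) >= 3:
            sol = solve_mod_q(rows[-3:])          # retry if the triple is singular
            if sol is not None:
                return sol[2]                     # candidate for s1
    return None


def demo(deterministic):
    """Return True if the adversary ends up holding the group secret x."""
    Y, shares = keygen(x=777, a1=321)             # constructed toy key
    msg = "transfer 1 unit to account 42"         # constructed message
    victim = Signer(1, shares[1], deterministic)
    R, z = threshold_sign(msg, [victim, Signer(2, shares[2], False)], Y)
    assert verify(Y, msg, R, z)                   # the protocol itself works fine
    s1 = recover_share(victim, Y, msg)
    if s1 is None:
        return False
    x = (LAMBDA[1] * s1 + LAMBDA[2] * shares[2]) % Q   # adversary already holds s2
    return pow(G, x, P) == Y


if __name__ == "__main__":
    print("deterministic victim nonces, group key recovered:", demo(True))
    print("random victim nonces, group key recovered:", demo(False))
```

The victim never sees anything off-protocol: each session is a well-formed request to sign the same message, which is exactly what a retry after a dropped session looks like. The only defence in FROST is that `commit` draws fresh randomness every time, so the three equations involve nine unknowns instead of three.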
Sources
[1] Dangers Of Determinism In Threshold Signatures - Jake's Blog https://www.jcraige.com/dangers-of-determinism-in-threshold-signatures
[2] FROST Signing for BIP340-compatible Threshold Signatures - GitHub https://github.com/siv2r/bip-frost-signing
[3] [PDF] FROST: Flexible Round-Optimized Schnorr Threshold Signatures https://eprint.iacr.org/2020/852.pdf
[4] Understanding FROST - The ZF FROST Book https://frost.zfnd.org/frost.html
[5] draft-irtf-cfrg-frost-08 - IETF Datatracker https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-frost-08
[6] [PDF] FROST: Flexible Round-Optimized Schnorr Threshold signatures ... https://crysp.uwaterloo.ca/software/frost/frost-extabs.pdf
[7] [PDF] Arctic: Lightweight and Stateless Threshold Schnorr Signatures https://eprint.iacr.org/2024/466.pdf
[8] frost package - github.com/bytemare/frost - Go Packages https://pkg.go.dev/github.com/bytemare/frost