AgentSkillsCN

sigil-frost

支持多链的FROST门限签名运算。适用于DKG仪式、Taproot/Ed25519/Ristretto255签名,以及基于FROST的子链管理。覆盖比特币Taproot、Solana、Cosmos,以及Zcash的隐私交易场景。

SKILL.md
--- frontmatter
name: sigil-frost
description: FROST threshold signature operations for multi-chain support. Use for DKG ceremonies, Taproot/Ed25519/Ristretto255 signing, and managing FROST-based child disks. Covers Bitcoin Taproot, Solana, Cosmos, and Zcash shielded transactions.
allowed-tools: Read, Bash, Glob, Grep

Sigil FROST Operations

FROST (Flexible Round-Optimized Schnorr Threshold) threshold signatures for multi-chain blockchain support. This skill covers DKG ceremonies, presignature management, and signing operations across multiple signature schemes.

Supported Signature Schemes

SchemeFeatureSupported Chains
TaproottaprootBitcoin (Taproot/BIP-340)
Ed25519ed25519Solana, Cosmos, Near, Polkadot, Cardano
Ristretto255ristretto255Zcash (shielded transactions)

Quick Reference

OperationCommand
Start DKG (mother)sigil ceremony dkg-init --role mother --scheme <scheme>
Start DKG (agent)sigil ceremony dkg-init --role agent --scheme <scheme>
Create FROST childsigil-mother create-child --scheme <scheme> --presigs 1000
Check scheme supportsigil info --schemes
Sign with FROSTsigil sign --scheme <scheme> --hash <hash>
Verify signaturesigil verify --scheme <scheme> --sig <signature> --hash <hash>

DKG Ceremony (Distributed Key Generation)

DKG allows both mother and agent devices to generate key shares without either party ever seeing the full private key. This is the most secure setup option.

When to Use DKG

  • Maximum security requirements
  • Regulatory compliance (proof no single party held full key)
  • Multiple independent organizations participating
  • Audit trail of key generation needed

DKG Workflow Overview

code
ROUND 1: Commitment Exchange
  Mother ──[QR]──► Agent
  Mother ◄──[QR]── Agent

ROUND 2: Share Distribution
  Mother ──[QR]──► Agent
  Mother ◄──[QR]── Agent

FINALIZE: Both compute same public key

Step 1: Initialize Mother Device

bash
# On air-gapped mother device
sigil ceremony dkg-init \
  --role mother \
  --scheme taproot \
  --threshold 2

# Displays QR code for Round 1 package
# Wait for agent's Round 1 QR scan

Output:

code
=== DKG Ceremony: Round 1 ===

Role: Mother (Participant 1)
Scheme: Taproot (secp256k1-tr)
Threshold: 2-of-2

[QR CODE DISPLAYED]

Scan this QR with the Agent device.
Then scan the Agent's Round 1 QR code here.

Waiting for camera input...

Step 2: Initialize Agent Device

bash
# On network-connected agent device
sigil ceremony dkg-init \
  --role agent \
  --scheme taproot \
  --threshold 2

# Displays QR code for Round 1 package
# Scan mother's QR, then let mother scan yours

Step 3: Complete Round 2 Exchange

After both devices have exchanged Round 1:

  1. Mother displays Round 2 QR → Agent scans
  2. Agent displays Round 2 QR → Mother scans

Step 4: Verify Results

Both devices should show the same verification hash:

code
=== DKG Ceremony Complete ===

Group Public Key: 02a4b3c2d1e0f9...
Verification Hash: 7f3a9c2b...

VERIFY: Both devices must show the same verification hash!

Key share stored securely.
Ready to create child disks.

Creating FROST Child Disks

After DKG (or using trusted dealer mode), create child disks with FROST presignatures.

Create Child with Specific Scheme

bash
# On mother device with floppy inserted
sigil-mother --data-dir /media/SIGIL_MOTHER create-child \
  --scheme taproot \
  --presig-count 1000 \
  --output /media/FLOPPY/sigil.disk \
  --agent-output /tmp/agent_shares.json

Output:

code
=== FROST Child Disk Created ===

Scheme: Taproot (BIP-340 Schnorr)
Child ID: 8f3a2c1b
Presigs: 1000
Expires: 30 days

Supported chains:
  - Bitcoin Taproot (bc1p... addresses)

Agent shares written to: /tmp/agent_shares.json
Import to daemon, then DELETE this file!

Scheme-Specific Examples

Bitcoin Taproot:

bash
sigil-mother create-child --scheme taproot --presigs 1000 --label "btc-taproot-001"

Solana/Cosmos (Ed25519):

bash
sigil-mother create-child --scheme ed25519 --presigs 5000 --label "solana-001"

Zcash Shielded (Ristretto255):

bash
sigil-mother create-child --scheme ristretto255 --presigs 500 --label "zcash-shield-001"

Signing Operations by Chain

Bitcoin Taproot Signing

bash
# Check disk status
sigil status --scheme taproot

# Sign a transaction
sigil sign \
  --scheme taproot \
  --hash "0x1234567890abcdef..." \
  --description "Send 0.5 BTC to bc1p..."

# With full transaction hex
sigil sign \
  --scheme taproot \
  --tx-hex "02000000..." \
  --broadcast bitcoin-mainnet

Expected output:

code
=== Taproot Signature ===

Sighash: 0x1234567890abcdef...
Signature (64 bytes): 0xabc123...

Transaction signed successfully.
Presig #847 consumed (152 remaining).

Solana Signing (Ed25519)

bash
# Sign Solana transaction
sigil sign \
  --scheme ed25519 \
  --tx-base64 "AQAAAA..." \
  --description "Transfer 10 SOL"

# Or with message bytes
sigil sign \
  --scheme ed25519 \
  --message-hex "0x..." \
  --broadcast solana-mainnet

Cosmos Signing (Ed25519)

bash
# Sign Cosmos transaction (same Ed25519 scheme)
sigil sign \
  --scheme ed25519 \
  --sign-doc-json '{"chain_id":"cosmoshub-4",...}' \
  --description "Delegate 100 ATOM"

Zcash Shielded Signing (Ristretto255)

bash
# Sign PCZT (Partially Created Zcash Transaction)
sigil sign \
  --scheme ristretto255 \
  --pczt-file transaction.pczt \
  --spend-index 0 \
  --description "Shielded transfer"

Checking Disk and Daemon Status

Check All Schemes

bash
# Overview of all supported schemes
sigil info --schemes

Output:

code
=== Sigil FROST Support ===

Signature Schemes:
  [x] ECDSA (secp256k1) - Ethereum, Bitcoin legacy
  [x] Taproot (BIP-340) - Bitcoin Taproot
  [x] Ed25519 - Solana, Cosmos, Near
  [x] Ristretto255 - Zcash shielded

Current Disk: sigil_8f3a2c1b
  Scheme: Taproot
  Presigs: 847/1000
  Expires: 12 days

Check Specific Scheme Status

bash
# Check if disk supports a specific scheme
sigil status --scheme ed25519

List All Children by Scheme

bash
sigil-mother list-children --scheme taproot
sigil-mother list-children --scheme ed25519
sigil-mother list-children --scheme ristretto255

Address Derivation

Bitcoin Taproot Address

bash
# Get Taproot address from current disk
sigil address --scheme taproot --network mainnet

# Output: bc1p7x8j2k...

Solana Address

bash
# Get Solana base58 address
sigil address --scheme ed25519 --format solana

# Output: 7EcDhSYGxX...

Cosmos Address

bash
# Get Cosmos bech32 address
sigil address --scheme ed25519 --format cosmos --prefix cosmos

# Output: cosmos1abc...

# For other Cosmos chains
sigil address --scheme ed25519 --format cosmos --prefix osmo   # Osmosis
sigil address --scheme ed25519 --format cosmos --prefix juno   # Juno

Zcash Address

bash
# Get Zcash shielded address
sigil address --scheme ristretto255 --format zcash-sapling

# Output: zs1...

IPC Protocol for FROST

The daemon accepts FROST-specific IPC commands.

Check Scheme Support

json
{"type": "GetSchemeSupport"}

Response:

json
{
  "type": "SchemeSupport",
  "schemes": ["ecdsa", "taproot", "ed25519", "ristretto255"],
  "disk_scheme": "taproot"
}

FROST Sign Request

json
{
  "type": "FrostSign",
  "scheme": "taproot",
  "message_hash": "0x1234...abcd",
  "description": "Bitcoin Taproot transaction"
}

Response:

json
{
  "type": "FrostSignResult",
  "scheme": "taproot",
  "signature": "0xabc123...",
  "signature_length": 64,
  "presig_index": 847
}

Error Handling

ErrorMeaningAction
SchemeNotSupportedDisk doesn't support requested schemeCreate new disk with correct scheme
SchemeMismatchDisk scheme differs from requestUse matching scheme or different disk
DkgRound1MissingMissing Round 1 packagesComplete QR exchange
DkgRound2MissingMissing Round 2 packagesComplete Round 2 exchange
DkgVerificationFailedVerification hashes don't matchRestart DKG ceremony
NonceReuseCRITICAL: Same nonce used twiceNullify child immediately

Security Considerations

Nonce Security (CRITICAL)

FROST nonce reuse across two messages reveals the private key:

code
s1 = k + e1*x  (message 1)
s2 = k + e2*x  (message 2)
x = (s1 - s2) / (e1 - e2)  (attacker recovers key)

Sigil prevents this through:

  1. Single-use presignatures
  2. Status byte tracking (Fresh → Used → Void)
  3. Agent index tracking
  4. Reconciliation verification

Cross-Chain Isolation

Recommended practice: Use separate child disks per ecosystem.

bash
# Bitcoin Taproot
sigil-mother create-child --scheme taproot --label "btc-001"

# Solana ecosystem
sigil-mother create-child --scheme ed25519 --label "sol-001"

# Zcash shielded
sigil-mother create-child --scheme ristretto255 --label "zec-001"

DKG vs Trusted Dealer

AspectTrusted DealerDKG
Setup time~30 seconds~5 minutes
Trust modelMother saw full keyNeither party saw key
RecoveryMother can regenerateRequires both parties
Audit proofTrust mother's logsCryptographic transcript

Reference Documentation

Troubleshooting

"Scheme not supported by disk"

The inserted disk was created with a different scheme. Check with:

bash
sigil status

Create a new disk with the required scheme.

"DKG verification hash mismatch"

The ceremony was corrupted. Both devices must:

  1. Delete partial state: sigil ceremony dkg-reset
  2. Restart the ceremony from Round 1

"Signature verification failed"

  1. Verify correct scheme is specified
  2. Check message encoding (raw bytes vs tagged hash)
  3. Verify presig index synchronization