Sigil FROST Operations
FROST (Flexible Round-Optimized Schnorr Threshold) threshold signatures for multi-chain blockchain support. This skill covers DKG ceremonies, presignature management, and signing operations across multiple signature schemes.
Supported Signature Schemes
| Scheme | Feature | Supported Chains |
|---|---|---|
| Taproot | taproot | Bitcoin (Taproot/BIP-340) |
| Ed25519 | ed25519 | Solana, Cosmos, Near, Polkadot, Cardano |
| Ristretto255 | ristretto255 | Zcash (shielded transactions) |
Quick Reference
| Operation | Command |
|---|---|
| Start DKG (mother) | sigil ceremony dkg-init --role mother --scheme <scheme> |
| Start DKG (agent) | sigil ceremony dkg-init --role agent --scheme <scheme> |
| Create FROST child | sigil-mother create-child --scheme <scheme> --presigs 1000 |
| Check scheme support | sigil info --schemes |
| Sign with FROST | sigil sign --scheme <scheme> --hash <hash> |
| Verify signature | sigil verify --scheme <scheme> --sig <signature> --hash <hash> |
DKG Ceremony (Distributed Key Generation)
DKG allows both mother and agent devices to generate key shares without either party ever seeing the full private key. This is the most secure setup option.
When to Use DKG
- •Maximum security requirements
- •Regulatory compliance (proof no single party held full key)
- •Multiple independent organizations participating
- •Audit trail of key generation needed
DKG Workflow Overview
ROUND 1: Commitment Exchange Mother ──[QR]──► Agent Mother ◄──[QR]── Agent ROUND 2: Share Distribution Mother ──[QR]──► Agent Mother ◄──[QR]── Agent FINALIZE: Both compute same public key
Step 1: Initialize Mother Device
# On air-gapped mother device sigil ceremony dkg-init \ --role mother \ --scheme taproot \ --threshold 2 # Displays QR code for Round 1 package # Wait for agent's Round 1 QR scan
Output:
=== DKG Ceremony: Round 1 === Role: Mother (Participant 1) Scheme: Taproot (secp256k1-tr) Threshold: 2-of-2 [QR CODE DISPLAYED] Scan this QR with the Agent device. Then scan the Agent's Round 1 QR code here. Waiting for camera input...
Step 2: Initialize Agent Device
# On network-connected agent device sigil ceremony dkg-init \ --role agent \ --scheme taproot \ --threshold 2 # Displays QR code for Round 1 package # Scan mother's QR, then let mother scan yours
Step 3: Complete Round 2 Exchange
After both devices have exchanged Round 1:
- •Mother displays Round 2 QR → Agent scans
- •Agent displays Round 2 QR → Mother scans
Step 4: Verify Results
Both devices should show the same verification hash:
=== DKG Ceremony Complete === Group Public Key: 02a4b3c2d1e0f9... Verification Hash: 7f3a9c2b... VERIFY: Both devices must show the same verification hash! Key share stored securely. Ready to create child disks.
Creating FROST Child Disks
After DKG (or using trusted dealer mode), create child disks with FROST presignatures.
Create Child with Specific Scheme
# On mother device with floppy inserted sigil-mother --data-dir /media/SIGIL_MOTHER create-child \ --scheme taproot \ --presig-count 1000 \ --output /media/FLOPPY/sigil.disk \ --agent-output /tmp/agent_shares.json
Output:
=== FROST Child Disk Created === Scheme: Taproot (BIP-340 Schnorr) Child ID: 8f3a2c1b Presigs: 1000 Expires: 30 days Supported chains: - Bitcoin Taproot (bc1p... addresses) Agent shares written to: /tmp/agent_shares.json Import to daemon, then DELETE this file!
Scheme-Specific Examples
Bitcoin Taproot:
sigil-mother create-child --scheme taproot --presigs 1000 --label "btc-taproot-001"
Solana/Cosmos (Ed25519):
sigil-mother create-child --scheme ed25519 --presigs 5000 --label "solana-001"
Zcash Shielded (Ristretto255):
sigil-mother create-child --scheme ristretto255 --presigs 500 --label "zcash-shield-001"
Signing Operations by Chain
Bitcoin Taproot Signing
# Check disk status sigil status --scheme taproot # Sign a transaction sigil sign \ --scheme taproot \ --hash "0x1234567890abcdef..." \ --description "Send 0.5 BTC to bc1p..." # With full transaction hex sigil sign \ --scheme taproot \ --tx-hex "02000000..." \ --broadcast bitcoin-mainnet
Expected output:
=== Taproot Signature === Sighash: 0x1234567890abcdef... Signature (64 bytes): 0xabc123... Transaction signed successfully. Presig #847 consumed (152 remaining).
Solana Signing (Ed25519)
# Sign Solana transaction sigil sign \ --scheme ed25519 \ --tx-base64 "AQAAAA..." \ --description "Transfer 10 SOL" # Or with message bytes sigil sign \ --scheme ed25519 \ --message-hex "0x..." \ --broadcast solana-mainnet
Cosmos Signing (Ed25519)
# Sign Cosmos transaction (same Ed25519 scheme)
sigil sign \
--scheme ed25519 \
--sign-doc-json '{"chain_id":"cosmoshub-4",...}' \
--description "Delegate 100 ATOM"
Zcash Shielded Signing (Ristretto255)
# Sign PCZT (Partially Created Zcash Transaction) sigil sign \ --scheme ristretto255 \ --pczt-file transaction.pczt \ --spend-index 0 \ --description "Shielded transfer"
Checking Disk and Daemon Status
Check All Schemes
# Overview of all supported schemes sigil info --schemes
Output:
=== Sigil FROST Support === Signature Schemes: [x] ECDSA (secp256k1) - Ethereum, Bitcoin legacy [x] Taproot (BIP-340) - Bitcoin Taproot [x] Ed25519 - Solana, Cosmos, Near [x] Ristretto255 - Zcash shielded Current Disk: sigil_8f3a2c1b Scheme: Taproot Presigs: 847/1000 Expires: 12 days
Check Specific Scheme Status
# Check if disk supports a specific scheme sigil status --scheme ed25519
List All Children by Scheme
sigil-mother list-children --scheme taproot sigil-mother list-children --scheme ed25519 sigil-mother list-children --scheme ristretto255
Address Derivation
Bitcoin Taproot Address
# Get Taproot address from current disk sigil address --scheme taproot --network mainnet # Output: bc1p7x8j2k...
Solana Address
# Get Solana base58 address sigil address --scheme ed25519 --format solana # Output: 7EcDhSYGxX...
Cosmos Address
# Get Cosmos bech32 address sigil address --scheme ed25519 --format cosmos --prefix cosmos # Output: cosmos1abc... # For other Cosmos chains sigil address --scheme ed25519 --format cosmos --prefix osmo # Osmosis sigil address --scheme ed25519 --format cosmos --prefix juno # Juno
Zcash Address
# Get Zcash shielded address sigil address --scheme ristretto255 --format zcash-sapling # Output: zs1...
IPC Protocol for FROST
The daemon accepts FROST-specific IPC commands.
Check Scheme Support
{"type": "GetSchemeSupport"}
Response:
{
"type": "SchemeSupport",
"schemes": ["ecdsa", "taproot", "ed25519", "ristretto255"],
"disk_scheme": "taproot"
}
FROST Sign Request
{
"type": "FrostSign",
"scheme": "taproot",
"message_hash": "0x1234...abcd",
"description": "Bitcoin Taproot transaction"
}
Response:
{
"type": "FrostSignResult",
"scheme": "taproot",
"signature": "0xabc123...",
"signature_length": 64,
"presig_index": 847
}
Error Handling
| Error | Meaning | Action |
|---|---|---|
SchemeNotSupported | Disk doesn't support requested scheme | Create new disk with correct scheme |
SchemeMismatch | Disk scheme differs from request | Use matching scheme or different disk |
DkgRound1Missing | Missing Round 1 packages | Complete QR exchange |
DkgRound2Missing | Missing Round 2 packages | Complete Round 2 exchange |
DkgVerificationFailed | Verification hashes don't match | Restart DKG ceremony |
NonceReuse | CRITICAL: Same nonce used twice | Nullify child immediately |
Security Considerations
Nonce Security (CRITICAL)
FROST nonce reuse across two messages reveals the private key:
s1 = k + e1*x (message 1) s2 = k + e2*x (message 2) x = (s1 - s2) / (e1 - e2) (attacker recovers key)
Sigil prevents this through:
- •Single-use presignatures
- •Status byte tracking (Fresh → Used → Void)
- •Agent index tracking
- •Reconciliation verification
Cross-Chain Isolation
Recommended practice: Use separate child disks per ecosystem.
# Bitcoin Taproot sigil-mother create-child --scheme taproot --label "btc-001" # Solana ecosystem sigil-mother create-child --scheme ed25519 --label "sol-001" # Zcash shielded sigil-mother create-child --scheme ristretto255 --label "zec-001"
DKG vs Trusted Dealer
| Aspect | Trusted Dealer | DKG |
|---|---|---|
| Setup time | ~30 seconds | ~5 minutes |
| Trust model | Mother saw full key | Neither party saw key |
| Recovery | Mother can regenerate | Requires both parties |
| Audit proof | Trust mother's logs | Cryptographic transcript |
Reference Documentation
- •REFERENCE.md - Complete API reference
- •DKG-CEREMONY.md - Detailed DKG ceremony guide
- •documentation/FROST.md - FROST technical specification
Troubleshooting
"Scheme not supported by disk"
The inserted disk was created with a different scheme. Check with:
sigil status
Create a new disk with the required scheme.
"DKG verification hash mismatch"
The ceremony was corrupted. Both devices must:
- •Delete partial state:
sigil ceremony dkg-reset - •Restart the ceremony from Round 1
"Signature verification failed"
- •Verify correct scheme is specified
- •Check message encoding (raw bytes vs tagged hash)
- •Verify presig index synchronization