Paper 2022/550

ROAST: Robust Asynchronous Schnorr Threshold Signatures

Tim Ruffing, Blockstream
Viktoria Ronge, Friedrich-Alexander-Universität Erlangen-Nürnberg
Elliott Jin, Blockstream
Jonas Schneider-Bensch, CISPA Helmholtz Center for Information Security
Dominique Schröder, Friedrich-Alexander-Universität Erlangen-Nürnberg

Bitcoin and other cryptocurrencies have recently introduced support for Schnorr signatures whose cleaner algebraic structure, as compared to ECDSA, allows for simpler and more practical constructions of highly demanded "$t$-of-$n$" threshold signatures. However, existing Schnorr threshold signature schemes still fall short of the needs of real-world applications due to their assumption that the network is synchronous and due to their lack of robustness, i.e., the guarantee that $t$ honest signers are able to obtain a valid signature even in the presence of other malicious signers who try to disrupt the protocol. This hinders the adoption of threshold signatures in the cryptocurrency ecosystem, e.g., in second-layer protocols built on top of cryptocurrencies. In this work, we propose ROAST, a simple wrapper that turns a given threshold signature scheme into a scheme with a robust and asynchronous signing protocol, as long as the underlying signing protocol is semi-interactive (i.e., has one preprocessing round and one actual signing round), provides identifiable aborts, and is unforgeable under concurrent signing sessions. When applied to the state-of-the-art Schnorr threshold signature scheme FROST, which fulfills these requirements, we obtain a simple, efficient, and highly practical Schnorr threshold signature scheme.

Note: Revision 2022-09-18. Differences to original publication: Corrected communication complexity and minor editorial and formatting changes.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. ACM CCS 2022
threshold cryptography threshold signatures Schnorr signatures robustness FROST
Contact author(s)
crypto @ timruffing de
ronge @ cs fau de
eyj @ blockstream com
jonas schneider-bensch @ cispa de
dominique schroeder @ fau de
2022-09-18: revised
2022-05-10: received
See all versions
Short URL
Creative Commons Attribution


      author = {Tim Ruffing and Viktoria Ronge and Elliott Jin and Jonas Schneider-Bensch and Dominique Schröder},
      title = {ROAST: Robust Asynchronous Schnorr Threshold Signatures},
      howpublished = {Cryptology ePrint Archive, Paper 2022/550},
      year = {2022},
      doi = {10.1145/3548606.3560583},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.