Taproot and FROST Improve Bitcoin Privacy – Bitcoin Magazine

This is an opinion editorial by Dan Gould and Nick Farrow. Gould is a developer who has worked on TumbleBit, PayJoin, and Chaincase App and has been sponsored by the Human Rights Foundation and Geyser Grants. Farrow is an Australian Bitcoin engineer best known for his open-source payment processor SatSale.

“Hey, I just got an invite to this hackathon in Malaysia,” Evan Lin said, interrupting my stream on my laptop in the Taipei Hackerspace. “Sounds like magic,” I retorted. “Can I come?”

I had been banging my head on the desk for weeks. Lin had torn up my idea of ​​what bitcoin privacy was. “It’s a private event, not a typical hackathon. I can ask.”

A flight, two weeks and six minutes of voicemail logistics later, we were walking the durian-lined streets of Kuala Lumpur, Malaysia with Lloyd Fournier, ruminating on a shared passion for keeping bitcoin privacy faithful. Now we were a team. We set out to upgrade Fedimint using half-polished crypto, a few scribbled notes, and then demonstrated it at the first-ever Malaysian BitDevs meetup five days later.

Fournier had joined Nick Farrow in developing FROST, a new threshold crypto that takes advantage of Taproot, in previous months. Being a source of Bitcoin human resources, Fournier has also worked closely with Lin who is a Bitcoin Dev Kit (BDK) contributor. He and I had spent the past few weeks improving the privacy of PayJoin under fluorescent lights during the wee hours in Taipei, Taiwan, so we had established a relationship of trust to embark on a project together. Fournier’s invitation was a step towards the edge. To demonstrate state-of-the-art cryptography to the world, we had to put FROST in an app. Fedimint won everyone over with its new guard model with threshold. It was suitable for the quest.

Self-care is a new and frightening concept for most people. So many people store bitcoins in the custody of third parties on exchanges, exposing them to censorship and indecent surveillance. Federated currencies offer a third way: a federation of known custodians protects community funds. So how does it work?

Anyone can send bitcoins to a Fedimint in exchange for E-cash tokens. Custodians share custody of community bitcoin in a multi-signature wallet. E-cash tokens are just some data: blind signatures exchangeable for a certain amount of bitcoins later. These are super powerful tickets. Submit a Lightning invoice and your E-cash tokens to “get away with it”. You could get e-money in a text and ask the federation to reissue signatures so no one else can take it. The signatures are blind, so it can be exchanged in total anonymity. Anyone can send electronic money to a Fedimint to get bitcoins.

In order to share custody between guardians, Fedimint uses the old Bitcoin script-based multisignature addresses. A threshold number of guardians sign in order to transfer funds. These funds are easy to spot on the blockchain since Script multisig writes the number of signers and the total number of guardians on the blockchain for everyone to see. Even though e-money is anonymous, surveillance companies could identify cluster attachments, withdrawals, and community funds. Leveraging Bitcoin’s latest update, Taproot, our team solved this privacy issue by switching Script multisig to FROST.


FROST (Flexible Round Optimized Schnorr Threshold) is a powerful new type of multisig that aggregates federation members’ key shares into a common FROST key. To pass under this key, a threshold number of members must each produce a signature share. The actions are then grouped together to form a single signature valid under the common key FROST. Members coordinate off-chain. FROST transactions are indistinguishable from regular Taproot single-party spending, and thus stop the creepy surveillance. On top of that, FROST allows for flexible federations, allowing new tutors to join without coordinating each member of the federation to generate new keys again.

Our first step was to understand how the federation reached consensus at each signing round. Fedimint’s consensus algorithm can tolerate bad behavior by up to one-third of the federation while still reaching consensus. It took a day on the whiteboard to decode the consensus algorithm and another to set up the initial generation of the FROST key.

Coming to the Fedimint consensus (photo provided by the authors)

We tricked key generation by doing all of this in the memory of a single trusted device. In best practice, a two-round ceremony keeps an individual’s secret shares of the FROST common key that only exists on that individual’s device. The global secret is never restored.

Reaching consensus (signatures)

We tested a peg transaction before changing the Fedimint wallet code and got confused. Due to a limitation of blind signatures, Fedimint E-cash tokens (similar to CoinJoin outlets) are limited to predefined denominations so that each E-cash token transfer has a set of anonymity. Waiting and waiting and waiting, Lin laughed that we must have messed something up.

It turns out that the standard banknote denominations we set required the Mint to generate around 300,000 signatures to issue enough e-money to cover the peg amount. There are proposals to solve this problem by using anonymous credentials instead. We reset the mint to use much higher default denominations since we were just testing. Hackathons are for hacks, after all.

In a stroke of luck, Bitcoiner Malaysia had just formed and was ready for its first event. Between us four hackers, a host of China’s biggest bitcoin podcast and the researcher on his way to earning the first Bitcoin PhD. in Malaysia, we planned to show our proof of work to BitDevs at the end of the week.

Our most difficult task lay ahead of us: federated signatures. To produce a FROST share, signers must agree to a common randomness, called nonces. In the case of Fedimint, signers use consensus to agree on a unique nonce for each member of the federation joining a signing session. Then, the signature participants bundle the actions into a complete signature.

While we were writing our live demo for the encounter, we managed to get a semi working nonce share and fixed a few fresh bugs as well. Despite our hard work, dinner went by before our code worked. We crossed the threshold into the deepest territory of the hackathon, huddled around the television for three-pair programming in Farrow’s hotel room.

An unreal experience

With our tap waters ready and the Unreal Tournament soundboard launched, Fournier sat down at the keyboard, while we tossed around bug fixes, variable names, and commands from the back seat. 1:30 rolled and our eyelids felt heavy. A few strokes later, as if by magic, the peg-out worked. Each signer would receive signing shares from the others and redeem anon’s e-money in exchange for bitcoin. “Flawless Victory” sounded off the soundboard. We clapped in disbelief.

Except it didn’t work. The next day we ran the code and saw the issues immediately. We were lucky only the day before. It only worked once out of three or four attempts. We’ve been combing through hackathon-grade code for hours. Well, after lunch we were always worried that we would have to cram in late at night. To our advantage, we found the problem: a classic indexing error. At 5:00 p.m., FROSTimint was ready to present.

Once we circled BitDevs, locals took on a self-proclaimed “support group” format for presentations. Fournier brought us back to reality with technique. The inaugural meeting deliberated with delight on the future and the weaknesses of the goalkeepers. How would we choose tutors? Can they hold fractional reserves? More importantly, how can my laksa noodle soup shop transcend fiat using Fedimint?

This is a guest post by Dan Gould and Nick Farrow. The opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc. or Bitcoin Magazine.