Using Taproot And Frost To Improve Bitcoin Privacy
“Hey, I just got an invite to this hackathon in Malaysia,” said Evan Lin, interrupting my flow over my laptop in the Taipei Hackerspace. “That sounds magic,” I snapped back. “Can I come?”
I’d been smacking my head on the desk for weeks. Lin had been tearing apart my idea of what bitcoin privacy was. “It’s a private event, not your typical hackathon. I can ask.”
One flight, two weeks, and six minutes of voice message logistics later, we were walking down durian-lined streets of Kuala Lumpur, Malaysia, with Lloyd Fournier, ruminating over a shared passion to make bitcoin privacy stick. Now we were a team. We set out to upgrade Fedimint using half-polished cryptography, some scribbled-down notes, and then demo it at the first-ever Malaysian BitDevs meetup five days later.
Fournier had joined Nick Farrow to develop FROST, a new threshold cryptography that takes advantage of Taproot, in the months prior. Being a fountain of Bitcoin human resources, Fournier had also been working closely with Lin who is a Bitcoin Dev Kit (BDK) contributor. He and I had spent the last few weeks upgrading PayJoin privacy under fluorescent lights during the wee hours in Taipei, Taiwan, so we’d established trust to jump in the deep end on a project together. Fournier’s invitation was a step to the edge. To demonstrate the cutting edge cryptography to the world, we had to put FROST in an app. Fedimint had everyone’s eyeballs for its new threshold custody model. It was fit for the quest.
Self-custody is a novel, scary concept for most people. So many people store bitcoin in third-party custody on exchanges, leaving them exposed to censorship and indecent surveillance. Federated mints offer a third way: A federation of known guardians keep community funds safe. So how does it work?
Anyone can send bitcoin to a Fedimint in exchange for E-cash tokens. The guardians share custody of the community’s bitcoin in a multisignature wallet. The E-cash tokens are just some data: blind signatures redeemable for some amount of bitcoin later. They’re superpowered banknotes. Submit a Lightning invoice and your E-cash tokens to “peg out.” You could get E-cash in a text and have the federation reissue signatures so nobody else can take it. The signatures are blinded, so it can be redeemed in total anonymity. Anyone can send E-cash to a Fedimint to get bitcoin.
In order to share custody between guardians, Fedimint uses legacy Bitcoin Script-based multisignature addresses. A threshold number of guardians sign in order to transfer funds. These funds are easy to spot on the blockchain since Script multisig writes the number of signers and the total number of guardians to the blockchain for anyone to see. Even though E-cash is anonymous, surveillance companies could identify peg-ins, peg-outs and cluster community funds. By harnessing Bitcoin’s latest upgrade, Taproot, our team solved this privacy issue by switching Script multisig to FROST.
ENTER FROST
FROST (Flexible Round Optimized Schnorr Threshold) is a powerful new kind of multisig that aggregates the key shares of federation members into a joint FROST key. To spend under this key, a threshold number of members must each produce a signature share. The shares are then combined to form a single signature that is valid under the joint FROST key. Members coordinate off chain. FROST transactions are indistinguishable from regular single-party Taproot spends, and so stop the creepy surveillance. On top of that, FROST allows for flexible federations, allowing new guardians to join without coordinating every member of the federation to generate new keys again. Read More…
