1/ My brain is completely exploding with the possibilities that this Concurrently Secure Blind Schnorr signatures paper combined with FROST will give to Bitcoin. The fact that the authors have introduced predicate blind signatures has literally blown my brain apart.
2/ If you're completely lost, let me walk you through it. FROST is going to bring threshold signing to Bitcoin in a way that's going to be revolutionary for on-chain transaction size, among other things.
3/ To put it simply, you can have a 2 of 3 or a 3 of 5 or a 20 of 38 multi-signature that only shows up on-chain as a single public key and a single signature. No one has any idea how many keys were actually involved in the construction of that one public key on-chain.
4/ Where FROST really shines is in scenarios like Unchained Capital, where you have a 2 of 3 multisig where two of the keys are yours and one is placed with the custodian in case you need it.
5/ The following scenario is all hypothetical, so please do not think Unchained is implementing anything like this yet. I'm just doing this as an example.
6/ If you were to start this from scratch, you would construct the first two shares yourselves, and then Unchained Capital would construct the third share of this two-of-three setup.
7/ The interesting thing is that Unchained's construction of their share reveals nothing about the full key.
8/ You could then set up a blind signature scheme where a custodian like Unchained could sign your transaction without knowing where the final destination is, nor who you are in terms of a KYC perspective.
9/ All the custodian can do is blindly authenticate that you are the person that initially set up this whole scheme with them, and thus you are authorized, and then they could sign a transaction without knowing where the transaction is going. This is huge for privacy.
10/ From here, FROST really starts to take off.
11/ For instance, it would be really beneficial for Bitcoiners to have a large selection of these custodians who they can choose from, and the only way that's really going to happen is if it's quite easy to move between these custodians.
12/ Currently, if Unchained Capital did something I didn't like, yes, I could sign with my two keys to an address on-chain, then I could set up a new multisig with Casa, following the same procedure over again, and then send my funds over to that new multi-sig wallet with Casa…
13/ …with the second on-chain transaction. So now, I've moved from one custodian to another while incurring the cost of two on-chain transactions.
14/ While that may not be a big deal now, in a potential future when Bitcoin transactions may cost thousands of dollars, that's very problematic. With FROST, you can change your quorum from a 2 of 3 to a 2 of 2, and thereby revoke the third share with the custodian.
15/ And then when you move to a new custodian, you can expand that threshold back to 2 of 3, adding in the new custodian as the third share, all without having to incur any on-chain transactions.
16/ You have changed the structure of your quorum by shrinking it and expanding it again, all while not changing the root public key that is already on-chain. In other words, you haven't had to move the funds at all.
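To make the shrink-and-expand step concrete, here is an added example (not code from the thread, from Unchained, or from any FROST implementation). It uses plain Shamir secret sharing over the secp256k1 scalar field instead of FROST's verifiable DKG, and the holder ids 1, 2 (your devices), 3 (old custodian) and 4 (new custodian) are constructed for illustration. The key point it shows is that resharing from 2-of-3 to 2-of-2 and back to 2-of-3 never changes the shared secret, so the public key derived from it (and thus the on-chain address) stays fixed, while the old custodian's share stops combining with the new shares.

```python
# Added example: Shamir sharing and resharing over the secp256k1 scalar field.
# Not FROST itself (no Feldman commitments, no signing), only the share
# redistribution that lets a quorum change without changing the secret key.
import secrets

# Order of the secp256k1 group; FROST key shares are scalars modulo this value.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split(secret, threshold, holders):
    """Shamir-split `secret` so that any `threshold` of `holders` recover it.
    Returns {holder_id: share}. Holder ids must be distinct and non-zero."""
    assert 1 <= threshold <= len(holders)
    assert len(set(holders)) == len(holders) and 0 not in holders
    coeffs = [secret % N] + [secrets.randbelow(N) for _ in range(threshold - 1)]

    def poly(x):
        # Horner evaluation of the degree (threshold - 1) polynomial at x
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % N
        return acc

    return {h: poly(h) for h in holders}


def lagrange_at_zero(ids):
    """Lagrange coefficients that interpolate a polynomial at x = 0 from `ids`."""
    coeffs = {}
    for i in ids:
        num, den = 1, 1
        for j in ids:
            if j != i:
                num = num * (-j) % N
                den = den * (i - j) % N
        coeffs[i] = num * pow(den, -1, N) % N
    return coeffs


def reconstruct(shares):
    """Recover the secret from {holder_id: share} (needs >= threshold shares)."""
    lam = lagrange_at_zero(list(shares))
    return sum(lam[i] * y for i, y in shares.items()) % N


def reshare(old_shares, new_threshold, new_holders):
    """Move the same secret to a new (threshold, holders) quorum without ever
    assembling it in one place: each old holder Shamir-splits its own share for
    the new holders, and each new holder combines the sub-shares it receives
    using the old quorum's Lagrange coefficients."""
    lam = lagrange_at_zero(list(old_shares))
    new_shares = {k: 0 for k in new_holders}
    for i, y_i in old_shares.items():
        sub = split(y_i, new_threshold, new_holders)  # holder i's dealing
        for k in new_holders:
            new_shares[k] = (new_shares[k] + lam[i] * sub[k]) % N
    return new_shares


def quorum_migration_demo(secret=None):
    """Walk through 2-of-3 -> 2-of-2 (custodian revoked) -> 2-of-3 (new
    custodian added). Returns the secret seen from each quorum, plus what a
    stale old-custodian share yields when mixed with the new sharing."""
    secret = secrets.randbelow(N) if secret is None else secret % N
    # Ids 1 and 2 are your devices, id 3 is the first custodian (constructed).
    s23 = split(secret, 2, [1, 2, 3])
    # Your two shares meet the threshold, so you can reshare without holder 3.
    s22 = reshare({1: s23[1], 2: s23[2]}, 2, [1, 2])
    # Expand back to 2-of-3, dealing a fresh share to the new custodian, id 4.
    s23_new = reshare(s22, 2, [1, 2, 4])
    return {
        "original": reconstruct({1: s23[1], 3: s23[3]}),
        "after_revoke": reconstruct(s22),
        "new_custodian_quorum": reconstruct({2: s23_new[2], 4: s23_new[4]}),
        # Old share 3 lies on a different polynomial than new share 4, so
        # combining them no longer yields the secret.
        "old_custodian_stale": reconstruct({3: s23[3], 4: s23_new[4]}),
    }


if __name__ == "__main__":
    result = quorum_migration_demo()
    same = result["original"] == result["after_revoke"] == result["new_custodian_quorum"]
    print("secret unchanged across quorum changes:", same)
    print("stale custodian share still useful:", result["old_custodian_stale"] == result["original"])
```

Two things a practitioner should take from this. First, the public key is a function of the secret alone, so because every quorum above shares the same scalar, the on-chain key never changes; that is the "no transaction needed" property the thread describes. Second, revocation only holds if the old shares are actually destroyed: the old custodian's share still reconstructs the secret when paired with one of your *old* shares, so after resharing you must delete the superseded shares on your own devices, which is the step that makes the custodian's copy worthless.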
17/ This is amazing, not just from a cost-saving perspective, but obviously from a privacy and freedom perspective in general. And here's where the paper comes into play and it starts to get really wild. Within these blind signatures, you can embed predicates.
18/ The example cited in the paper would be an amount. The custodian could be given instructions that they should never sign for a transaction that's more than 250,000 sats, let's say.
19/ Well, when you set up this whole trusted setup with the FROST keys, you embedded a predicate arithmetic circuit into these proofs that has in it this very condition, meaning the custodian not only blindly signs transactions but they can only blindly sign transactions that…
20/ …meet the requirements that you have set. In this instance, less than 250,000 sats. To put it another way, they are unable to sign any transaction that is more than 250,000 sats. In other words, it's completely trustless.
21/ You don't have to trust that the custodian will do this, because it's all embedded within the predicate blind signature scheme. This is all done mathematically in a provably verifiable way off-chain.
22/ This simple example has long-reaching applications because with the traditional financial rails, there are often arbitrary limits set for when KYC is even needed.
23/ So now, a custodian could trustlessly sign low-threshold transactions without being in violation of local laws or regulations. And then from there, your brain will really explode because what are the limitations of these predicates?
24/ You could set a predicate such as "the destination must be one of a specific set of addresses, or belong to a certain category of addresses", like charities or businesses.
25/ The predicate could enforce time-based conditions, such as "the transaction could only be processed within a certain time frame or after a specific time".
26/ You could have a multi-signature requirement, saying something like, "the transaction requires multiple signatures from multiple different parties" before it will be processed.
27/ And of course you could have some chaotic KYC compliance predicate, where you can set a condition that the "user must be verified according to the Know Your Customer or Anti-Money Laundering regulations".
28/ You could have a predicate that makes sure the data associated with the transaction matches a specific hash value or satisfies certain conditions.
29/ There could be contractual conditions, specific conditions defined in some type of contract that must be met before the transaction is processed. You could have "user limit" predicates, where the user has not exceeded their transaction limit within a specific period.
Original tweet: https://x.com/vazertuche/status/1799556806739439938