And the big win is that this simplification of access requirements carries through to simplifying recovery and inheritance.

Not soon enough! We're looking into it. (Frostsnap does support macOS)

#84146

am I able to restore the wallet in different wallet software (eq Bitcoin Core)?

You will not be able to restore FROST secret shares into a non-frost wallet, at least until they add functionality. BUT you will be able to recombine a threshold number of key backups into an xpriv, without our app, which can be imported into sparrow/bitcoin core etc.

do I also have a way to back up the descriptor?

An awesome thing with FROST is that because there's just one group public key, which can be reconstructed from two keys (or their public images), you can rebuild the descriptor from two backups or their devices. No need to additionally back the descriptor!

Best multisig UX, fully sovereign self-custody without third parties, non-trusted key generation verified by phone/laptop, superior multisig privacy and lower onchain fees, protection against nonce-based exfiltration attacks, simple T-of-N recovery with no descriptor footguns, fully open-source software.

What don't you get about it? Focused on building not marketing yet

Thanks for the info!

Did you perhaps buy a trezor from a 3rd party? There have been fake ones going around.

Or maybe more likely, perhaps your computer was infected with malware that:
i) Sent a malicious signing request instead of the transaction you were intending to sign.
ii) When you copied the address, clipboard malware replaced it with the attackers address, so when you pasted it in, the money is destined for them - this happened to a friend of mine :(.

Reusing addresses will not cause a disaster like this, and trezor would(/should) prevent secret leaking (via nonce reuse attacks).

At the end of last year you said:

"I had a breach in my hardware wallet and got part of my Bitcoin drained"

And that you would share the details.
https://x.com/DecrimNat/status/1867390594034881014

Many, myself included, found this claim hard to believe since thefts are seldom through sophisticated attacks and are almost always through user error.

Thefts are always devastating, and I empathize. But as someone building a hardware wallet it is frustrating, so often in these situations, when people never return to elaborate on what actually occurred. If there is a HWW weakness, people need to know. And if it is user error, these mistakes are valuable for others to learn from.

Could you please explain what happened?

shhhhh 😉

seems like it's proprietary hardware

Our signature multisig setup involves daisy-chained devices for a fantastic user experience during key generation.

This dual usb-c port daisy-chaining requires custom hardware.

You can flash onto off-the-shelf esp-32 if you so desire.

It's not air gapped.

Airgapping is overrated, a good overview here:
https://bitbox.swiss/blog/does-airgap-make-bitcoin-hardware-wallets-more-secure/

Think about how interactive keygen can verifiably includes randomness from multiple devices:

• You don't need to trust that your device generates secure randomness
• You don't need to trust that your device uses that randomness
• You don't need to trust that your devices display addresses derived from that randomness

frostsnap achieves these with a simple UX.

What will happen if you lose one of those devices? RIP your coins.

Not even close, it's a t-of-n threshold multisig.
If you create a 3-of-5 you can lose up to two devices.

Each device has a backup.
So even if you lose one, just restore it from your backup.

Why waste your sats on this when you can just write the keys down on a piece of paper?

I'd love to hear your trustless setup that non-technical people can carry out securely.
(frostsnap is it)

Yeah collaborative custodians today can see all of your UTXOs, transactions, balances.
And in theory they could even censor you (at gov request) or hold you to ransom in the event that you need their assistance to sign.

(btw with FROST we can run a service like unchained but completely private)
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-August/021917.html

Thanks for sharing your feelings, but the cryptographic literature has been around for over 20 years and is well established.

Adding/removing signers isn't so much to do with the FROST signing protocol, but rather the things we can do with the secret shares that FROST uses:

https://en.wikipedia.org/wiki/Proactive_secret_sharing

https://link.springer.com/chapter/10.1007/3-540-44750-4_27

https://github.com/chelseakomlo/talks/blob/master/2019-combinatorial-schemes/A_Survey_and_Refinement_of_Repairable_Threshold_Schemes.pdf

In terms of implementations that we engineer, yes they will require review and thorough testing, which we will achieve.

There are some structural challenges with the daisy chain being so long. There's also a power draw limit.

You can use multiple USB ports rather than just one, if it suits your situation. In the future we'll have remote app-app communication also.

where do i collect my trophy

Our dev boards can already sign posts! Did a 6-of-6 the other day

FROST requires each signing party to share a nonce, and the signing parties sign under the same agreed upon set of nonces.

You can share a whole bunch of these nonces upfront, storing them on the coordinator wallet ready for use. This way, signing can still be done in a single round.

A difference with FROST however is that you need to select the subset of signers (signer_2, signer_3, signer_5) that will be signing, from the beginning of the signing session. If this was a big deal then you could use tricks like combinations of concurrent signing sessions.