frost-shamir-degree-constraint

Wed Apr 01 2026

FROST uses two different methods for generating shared random numbers. Method 1 (for the shared secret $s$) uses DKG, which needs two rounds of communication. Method 2 (for the nonce $k$) uses simple aggregation, which needs just one round. So can we use method 2 for generating $s$, since it's faster?

No. Method 1 generates $n$ Shamir secret shares that let us recreate the shared secret $s$ with just $t$ of them. Method 2 creates $n$ additive secret shares, which requires all $n$ of them to recreate the shared secret $k$. The threshold property comes from Shamir sharing, and simple aggregation doesn't give you that.

Can't we just convert additive shares to Shamir shares?

Can't we use method 2 to generate $n$ additive shares of $s$, then later convert them to Shamir shares using the Lagrange coefficients $\lambda_i$?

This doesn't solve the problem. After converting $n$ additive shares to $n$ Shamir shares, the underlying polynomial will have degree $n-1$, not $t-1$. So we would still need all $n$ Shamir shares to reconstruct $s$.

In method 1, the underlying secret polynomial has degree $t-1$, so on converting these Shamir shares to additive, we only need $t$ additive shares to reconstruct the secret $s$.

Lagrange coefficients and share conversion

The Lagrange coefficient $\lambda_i$ is basically $\ell_i(0)$, the Lagrange basis polynomial for $x_i$ evaluated at zero in the interpolation formula. So we don't need to reconstruct $s$ during signing.

Additive to Shamir. Given $n$ additive shares $s_i$ such that $\sum s_i = s$. Then $S = \{(i,\; s_i / \lambda_i)\}$ are the Shamir shares that represent the same secret $s$.

Shamir to additive. Given $n$ Shamir shares $(i, s_i)$. Then $\{\lambda_i \cdot s_i\}$ are the additive shares. That is, $\sum \lambda_i \cdot s_i = s$.

Signing without reconstructing $s$

How is the Schnorr signature created without ever reconstructing the shared secret $s$? Because the additive shares $\lambda_i \cdot s_i$ (of $\alpha$ co-signers) used to generate $s$ are embedded inside the partial signatures $z_i$. When the signature aggregator combines them, it's implicitly combining these additive shares. If these were aggregated standalone, they would in fact recreate $s$.