From 5102c95ccf05f9c70f4695abe213bd0545092735 Mon Sep 17 00:00:00 2001
From: Sander Dijkhuis <mail@sanderdijkhuis.nl>
Date: Sat, 16 Dec 2023 12:11:42 +0100
Subject: [PATCH] Option to receive message to be signed later without a
 Coordinator
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This change proposes an alternative Coordinator-less scenario:

1. Participants commit()
2. Participants receive message to be signed
3. Participants sign() and aggregate()

This is in particular relevant when the last participant in round one is the one who gets to decide the message to be signed. I don’t yet see a security disadvantage to this.
---
 draft-irtf-cfrg-frost.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/draft-irtf-cfrg-frost.md b/draft-irtf-cfrg-frost.md
index 432c051a..6fe2372a 100644
--- a/draft-irtf-cfrg-frost.md
+++ b/draft-irtf-cfrg-frost.md
@@ -1313,7 +1313,8 @@ Doing so does not change the security implications of FROST, but instead simply
 requires each participant to communicate with all other participants. We loosely
 describe how to perform FROST signing among participants without this coordinator role.
 We assume that every participant receives as input from an external source the
-message to be signed prior to performing the protocol.
+message to be signed prior to performing the protocol, or between rounds one and two
+of the protocol.
 
 Every participant begins by performing `commit()` as is done in the setting
 where a Coordinator is used. However, instead of sending the commitment