You’ll typically use MuSig2 for multisig key aggregation because it has fewer communication rounds (2) and fewer complexity than FROST. The extra complexity is illustrated on this graphic (shared by niftynei on Twitter).
The MuSig2 paper (Nick, Ruffing, Seurin) additionally states:
Compared, the scope of our work is restricted to solely “n-of-n”
multi-signatures, which allows us to optimize for this case and
obtain properties which, within the pure DL setting, are distinctive to
multi-signatures, specifically non-interactive key era in addition to
non-interactive public key aggregation, two options not provided by
FROST. A significant distinction between our work and their work is the
cryptographic mannequin. The FROST safety proof depends on a non-standard
heuristic which fashions the hash operate (a public primitive) used for
deriving the coefficients for the linear mixture as a one-time VRF
(a primitive with a secret key) within the safety proof. This therapy
requires an extra communication spherical in FROST preprocessing
stage and to disallow concurrent periods on this stage, leading to
a modified scheme FROST-Interactive. As a consequence, the
FROST-Interactive scheme that’s confirmed safe is in actual fact a
three-round scheme and as such differs considerably from the
two-round FROST scheme that’s really helpful for deployment. Komlo and
Goldberg [KG20] present that the safety of FROST-Interactive is implied
by the DL assumption. In distinction, our MuSig2 proofs use the
well-established ROM (or alternatively, AGM+ROM) to mannequin the hash
operate as a random oracle and depend on a falsifiable and weaker
variant of the OMDL assumption.
Nevertheless, Jesse Posner highlighted a few advantages of FROST over MuSig2 at this Sydney Socratic. With FROST you may swap out public keys for different public keys or change the multisig scheme, say from a 3-of-3 to a 2-of-2 while not having an onchain transaction. (To do the identical with MuSig2 would want an onchain transaction and MuSig2 doesn’t assist threshold if that’s what you wished to transform to.) So in case you wished to do that this is likely to be a cause to make use of FROST over MuSig2.
Correction (June 2023): What is feasible as regards to modifying FROST signers and the brink is mentioned on this Nick Farrow gist.
This was additionally mentioned on this London BitDevs Socratic with Tim Ruffing and Elizabeth Crites. It’s difficult by there being competing distributed key era schemes and doubtlessly totally different FROST requirements between Bitcoin/BIPs and IRTF.
TR: I’m additionally undecided what Jesse is speaking about right here. I believe within the pull request there have been some discussions. What you actually can do, you may downgrade n-of-n to k-of-n. This has been mentioned. For instance swapping out a key to a brand new key, possibly Elizabeth is aware of extra, there are some key resharing schemes, I’m not likely conscious of these.
EC: Yeah. That’s what I used to be saying about doing the distributed key era once more. Say you run distributed key era as soon as and all people has their secret shares of the general group key. At the least the DKG that’s utilized in conjunction in FROST, the unique one which is what we show in our paper, it’s based mostly on Shamir’s Secret Sharing. There are some fairly customary methods to reshare utilizing Shamir. That’s attainable. It’s nonetheless non-trivial.
TR: You are able to do resharing however it’s extra like a ahead safety factor. You’ll be able to’t reshare to a completely new group of signers. You’ll nonetheless belief the outdated group of signers.
EC: You’ll be able to transition from some group of signers to a brand new group of signers additionally. There are methods to reshare the keys. Or you may preserve the identical group and reshare a sharing of zero so your shares basically keep the identical, similar group, or you may swap the group of signers. But it surely does contain performing the resharing. There’s slightly bit that must be performed there.
MuSig2 and FROST may very well be used collectively in the identical scheme. There may very well be a nested MuSig2 setup inside a FROST setup or vice versa. Moreover in case you wished to maneuver from a MuSig2 setup to a FROST setup MuSig2 keys could be transformed to FROST keys with out altering the combination public key. That’s mentioned right here.