Draft: keep-core FROST/ROAST readiness branch

cmd/flags.go

@@ -308,6 +308,15 @@ func initTbtcFlags(cmd *cobra.Command, cfg *config.Config) {
 		tbtc.DefaultKeyGenerationConcurrency,
 		"tECDSA key generation concurrency.",
 	)
+
+	cmd.Flags().StringVar(
+		&cfg.Tbtc.FrostSigningBackend,
+		"tbtc.frostSigningBackend",
+		"",
+		"FROST signing backend name (legacy, native, ffi). "+
+			"`native` allows transitional legacy fallback; `ffi` requires native execution. "+
+			"Empty value selects legacy.",
+	)
 }
 
 // Initialize flags for Maintainer configuration.

cmd/flags_test.go

@@ -225,6 +225,13 @@ var cmdFlagsTests = map[string]struct {
 		expectedValueFromFlag: 101,
 		defaultValue:          runtime.GOMAXPROCS(0),
 	},
+	"tbtc.frostSigningBackend": {
+		readValueFunc:         func(c *config.Config) interface{} { return c.Tbtc.FrostSigningBackend },
+		flagName:              "--tbtc.frostSigningBackend",
+		flagValue:             "native",
+		expectedValueFromFlag: "native",
+		defaultValue:          "",
+	},
 	"maintainer.bitcoinDifficulty": {
 		readValueFunc:         func(c *config.Config) interface{} { return c.Maintainer.BitcoinDifficulty.Enabled },
 		flagName:              "--bitcoinDifficulty",

docs/rfc/rfc-20-schnorr-frost-migration-scaffold.adoc

@@ -0,0 +1,49 @@
+= RFC-20: Schnorr/FROST Migration Scaffold
+
+*Author:* Threshold Labs
+*Status:* Draft
+*Date:* 2026-02-19
+
+== Summary
+
+This RFC introduces the initial keep-core scaffolding for migrating tBTC from
+threshold ECDSA signatures to Schnorr/FROST signatures.
+
+This change does not switch runtime signing logic yet. It defines core data
+types and compatibility helpers required by follow-up protocol, chain, and
+wallet orchestration changes.
+
+== Initial Deliverables
+
+* New `pkg/frost` package with:
+** Taproot x-only output key type (`OutputKey`)
+** BIP-340 Schnorr signature type (`Signature`)
+** Serialization and logging helpers for Schnorr signatures
+** Legacy compatibility alias helper:
+`HASH160(0x02 || xOnlyOutputKey)`
+
+== Compatibility Model
+
+FROST wallets are expected to use 32-byte x-only keys as canonical identifiers.
+During migration, legacy 20-byte wallet key hash paths are supported via
+compatibility alias:
+
+----
+walletPubKeyHashCompat = HASH160(0x02 || xOnlyOutputKey)
+----
+
+== Follow-up Work
+
+1. Add FROST signer and coordinator interfaces to replace `pkg/tecdsa/signing`.
+2. Introduce FROST DKG executor replacing GG18 pre-params and DKG wiring.
+3. Update tBTC chain interfaces and wallet registry integration to accept
+   x-only keys as canonical wallet identities.
+4. Update Bitcoin transaction builders to support P2TR key-path spends.
+5. Add dual-stack runtime routing: GG18 existing wallets + FROST new wallets.
+6. Add full integration tests for mixed wallet generations and migration flows.
+
+== Non-Goals (This RFC Revision)
+
+* No production FROST coordinator implementation.
+* No on-chain contract ABI migration in this repository.
+* No replacement of existing GG18 runtime paths yet.

pkg/bitcoin/transaction_builder.go

@@ -2,6 +2,7 @@ package bitcoin
 
 import (
 	"crypto/ecdsa"
+	"encoding/hex"
 	"fmt"
 	"math/big"
 
@@ -309,6 +310,143 @@ func (tb *TransactionBuilder) TotalInputsValue() int64 {
 	return totalInputsValue
 }
 
+// ReplaceUnsignedTransaction replaces the internal unsigned transaction while
+// preserving per-input sighash metadata collected during builder input setup.
+func (tb *TransactionBuilder) ReplaceUnsignedTransaction(
+	transaction *Transaction,
+) error {
+	if transaction == nil {
+		return fmt.Errorf("transaction is nil")
+	}
+
+	if len(transaction.Inputs) != len(tb.sigHashArgs) {
+		return fmt.Errorf(
+			"input metadata mismatch: [%d] tx inputs, [%d] sighash args",
+			len(transaction.Inputs),
+			len(tb.sigHashArgs),
+		)
+	}
+
+	previousInputs := tb.internal.TxIn
+
+	replacedInternal := newInternalTransaction()
+	replacedInternal.fromTransaction(transaction)
+
+	for i := range replacedInternal.TxIn {
+		previousInput := previousInputs[i]
+		replacedInput := replacedInternal.TxIn[i]
+
+		if previousInput == nil || replacedInput == nil {
+			continue
+		}
+
+		if len(replacedInput.SignatureScript) > 0 {
+			return fmt.Errorf(
+				"replacement transaction input [%d] has unexpected non-empty signature script",
+				i,
+			)
+		}
+
+		if len(replacedInput.Witness) > 0 {
+			return fmt.Errorf(
+				"replacement transaction input [%d] has unexpected non-empty witness",
+				i,
+			)
+		}
+
+		if tb.sigHashArgs[i].witness {
+			if len(replacedInput.Witness) == 0 && len(previousInput.Witness) == 1 {
+				redeemScript := append([]byte{}, previousInput.Witness[0]...)
+				replacedInput.Witness = wire.TxWitness{redeemScript}
+			}
+		} else {
+			if len(replacedInput.SignatureScript) == 0 && len(previousInput.SignatureScript) > 0 {
+				replacedInput.SignatureScript = append(
+					[]byte{},
+					previousInput.SignatureScript...,
+				)
+			}
+		}
+	}
+
+	tb.internal = replacedInternal
+	tb.sigHashes = nil
+
+	return nil
+}
+
+// UnsignedTransaction returns the current unsigned transaction builder state.
+func (tb *TransactionBuilder) UnsignedTransaction() *Transaction {
+	return tb.internal.toTransaction()
+}
+
+// UnsignedTransactionInput carries canonical unsigned input metadata extracted
+// from the builder state.
+type UnsignedTransactionInput struct {
+	TxIDHex   string
+	Vout      uint32
+	ValueSats uint64
+}
+
+// UnsignedTransactionOutput carries canonical unsigned output metadata
+// extracted from the builder state.
+type UnsignedTransactionOutput struct {
+	ScriptPubKeyHex string
+	ValueSats       uint64
+}
+
+// UnsignedTransactionIO returns canonical unsigned transaction input/output
+// metadata from the builder state.
+func (tb *TransactionBuilder) UnsignedTransactionIO() (
+	[]UnsignedTransactionInput,
+	[]UnsignedTransactionOutput,
+	error,
+) {
+	if len(tb.internal.TxIn) != len(tb.sigHashArgs) {
+		return nil, nil, fmt.Errorf(
+			"input metadata mismatch: [%d] tx inputs, [%d] sighash args",
+			len(tb.internal.TxIn),
+			len(tb.sigHashArgs),
+		)
+	}
+
+	inputs := make([]UnsignedTransactionInput, 0, len(tb.internal.TxIn))
+	for i, input := range tb.internal.TxIn {
+		value := tb.sigHashArgs[i].value
+		if value < 0 {
+			return nil, nil, fmt.Errorf("input [%d] value is negative", i)
+		}
+
+		inputs = append(
+			inputs,
+			UnsignedTransactionInput{
+				// chainhash.Hash.String renders txid in standard Bitcoin display
+				// (RPC/explorer) byte order, i.e. reversed vs internal bytes.
+				TxIDHex:   input.PreviousOutPoint.Hash.String(),
+				Vout:      input.PreviousOutPoint.Index,
+				ValueSats: uint64(value),
+			},
+		)
+	}
+
+	outputs := make([]UnsignedTransactionOutput, 0, len(tb.internal.TxOut))
+	for i, output := range tb.internal.TxOut {
+		if output.Value < 0 {
+			return nil, nil, fmt.Errorf("output [%d] value is negative", i)
+		}
+
+		outputs = append(
+			outputs,
+			UnsignedTransactionOutput{
+				ScriptPubKeyHex: hex.EncodeToString(output.PkScript),
+				ValueSats:       uint64(output.Value),
+			},
+		)
+	}
+
+	return inputs, outputs, nil
+}
+
 // inputSigHashArgs is a helper structure holding some arguments required to
 // compute a sighash for the given input.
 type inputSigHashArgs struct {