 My name is Elizabeth Kreitz, and I'm going to be talking about the security of non-interactive threshold signatures. This is joint work with Mahir Balare, Chelsea Komlo, Mary Mallor, Stefano Tisaro, and Chenzi Zhu. Threshold signatures allow multiple parties to sign a message where some threshold of them is required to sign. They're important for distributing trust because if we have a single key, this represents a single point of failure. However, if we distribute the key amongst multiple parties, then we can tolerate some fraction of corrupt signers. This is important because threshold signatures are being used to secure cryptocurrency wallets. Threshold cryptography more generally is being standardized through NIST, as well as specific schemes like Frost. Our focus in this work is on non-interactive threshold signatures. Consider an example where two out of three parties are required to sign. A user called the leader requests a signature on a message M from these two parties. Each party produces a partial signature, which they then send to the leader. The leader combines these partial signatures into a final signature representing the group. Examples of fully non-interactive schemes include threshold BLS and threshold RSA. But what about discrete log-based schemes, in particular ones that are pairing free? Currently, there do not exist any fully non-interactive schemes. However, for Schnorr signatures, there is the two-round Frost threshold signature scheme. This consists of a single message independent preprocessing, followed by a single signing round. We refer to this as partially non-interactive. There is a scheme for ECDSA, which also consists of a single message dependent signing round. However, it also includes multiple message independent preprocessing rounds, which we do not cover. In this paper, we provide a formal framework for partially non-interactive threshold signatures. We provide a formal syntax, as well as a hierarchy of security notions. Our framework can be applied to BLS, Frost, and other schemes. But why is this framework needed? Prior to this work, there existed no formalization for partially non-interactive schemes. So we provide the first formal syntax. We also show that existing security notions are weaker than what schemes can actually achieve. So we provide a fine-grained security hierarchy with stronger notions of security. We note that the original proof for Frost relied on heuristic assumptions. So we analyze the security of Frost based on our security hierarchy. We also analyze the security of BLS and show that it achieves a stronger notion of security, which is implied by the concurrent work of Young's growth. In this talk, we're going to focus on the Frost scheme. Our concrete contributions are as follows. We present Frost 2, an optimized version of the original Frost scheme that we call Frost 1. Frost 2 reduces the number of exponentiations required for signing from T to 1. We prove the security of both Frost 1 and Frost 2 under the one more discrete logarithm assumption in the random oracle model. This assumes a trusted DKG. We prove the security of Frost 2 together with the distributed key generation protocol proposed in the original Frost paper. This allows any number of corrupt signers up to T-1. In particular, it allows a dishonest majority. Finally, our security hierarchy reveals a separation in the notions of security achieved by Frost 1 and Frost 2. To conclude, both schemes achieve some of the highest notions of security in our framework.