Frostsnap Coordinator
Air-gapped FROST coordinator
Passport Prime as the offline Frostsnap coordinator: run the FROST key-generation ceremony air-gapped, pair a taproot wallet, and sign PSBTs, taking the role the Frostsnap phone app normally plays, on hardened hardware.
Last updated Jun 2026

Prime holds one key share
Overview
A Frostsnap FROST coordinator that runs natively on Passport Prime. Plug Frostsnap signers into the USB-C port, run the distributed key-generation ceremony fully offline, pair the resulting wallet with any watch-only wallet via a taproot descriptor, and sign PSBTs. The Prime takes the role the Frostsnap phone app normally plays, with a hardened, air-gapped device as the ceremony anchor and trusted display.
It is a faithful port of the Frostsnap phone app’s Rust core: the same FrostCoordinator state machine and message framing, persisted as an append-only mutation log on the KeyOS filesystem instead of SQLite. The coordinator’s share-decryption factor, which makes a stolen signer useless alone, is derived from the Prime secure element’s per-app seed. The full image builds and boots on a dev Passport Prime; a new OHCI companion USB driver reaches the full-speed Frostsnap signers, though this is still pending validation against real signer hardware.
What it does
- Runs the FROST keygen ceremony fully offline: threshold selection, shares, session-hash verification, finalize.
- Exports a taproot descriptor and addresses as QR to pair any watch-only wallet.
- Signs PSBTs from QR scan or file; outputs the signed PSBT as animated UR QR or saves to Airlock.
- Ships an OHCI companion USB driver so KeyOS can reach the full-speed ESP32-C3 Frostsnap signers.
- The coordinator share-decryption factor is derived from the secure element per-app seed, so a stolen signer is useless alone.
- Can run the Prime itself as a virtual Frostsnap signer, making two physical signers plus the Prime a self-contained 2-of-3.
Technical breakdown
How the proof-of-concept is built, for developers evaluating the platform.
Faithful coordinator port
The coordinator is a faithful port of the Frostsnap phone app’s Rust core: the same FrostCoordinator state machine, message framing (bincode over serial, magic-byte handshake), and UI protocols (keygen / signing / nonce replenish), persisted as an append-only mutation log on the KeyOS filesystem instead of SQLite.
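An added sketch, not Frostsnap or KeyOS code, of the append-only mutation log pattern described above: state is rebuilt by replaying records from the start, and a record torn by power loss or corrupted on disk is detected and dropped rather than applied. The `Mutation` variants, the `[len][body][checksum]` framing and the checksum function are assumptions made for the example.

```rust
// Added illustration. Mutation kinds and record framing are hypothetical,
// not the Frostsnap or KeyOS on-disk format.
#[derive(Debug)]
enum Mutation {
    WalletAdded { id: u8, threshold: u8 },
    WalletRemoved { id: u8 },
}

// Record = [len][body][checksum], body = [tag][fields]. The checksum catches
// torn or damaged writes only; it is not a MAC.
fn checksum(body: &[u8]) -> u8 {
    body.iter().fold(0xA5u8, |acc, b| acc.rotate_left(3) ^ b)
}

fn append(log: &mut Vec<u8>, m: &Mutation) {
    let body = match *m {
        Mutation::WalletAdded { id, threshold } => vec![1, id, threshold],
        Mutation::WalletRemoved { id } => vec![2, id],
    };
    log.push(body.len() as u8);
    log.extend_from_slice(&body);
    log.push(checksum(&body));
}

// Replays the log from byte 0. Returns the live (id, threshold) wallets and
// how many bytes formed valid records; the rest is a torn tail to truncate.
fn replay(log: &[u8]) -> (Vec<(u8, u8)>, usize) {
    let (mut wallets, mut pos): (Vec<(u8, u8)>, usize) = (Vec::new(), 0);
    while pos < log.len() {
        let end = pos + 1 + log[pos] as usize; // index of the checksum byte
        if end >= log.len() { break; } // record cut short by power loss
        let body = &log[pos + 1..end];
        if checksum(body) != log[end] { break; } // corrupt record
        match body {
            [1, id, threshold] => wallets.push((*id, *threshold)),
            [2, id] => wallets.retain(|w| w.0 != *id),
            _ => break, // unknown mutation: stop rather than guess
        }
        pos = end + 1;
    }
    (wallets, pos)
}

fn main() {
    let mut log = Vec::new();
    append(&mut log, &Mutation::WalletAdded { id: 7, threshold: 2 });
    log.extend_from_slice(&[3, 1, 9]); // constructed torn record: no checksum byte
    println!("{:?}", replay(&log));
}
```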
OHCI companion USB driver
Frostsnap signers are full-speed USB devices (ESP32-C3 USB-Serial-JTAG) that the EHCI-only KeyOS host stack cannot reach. A new OHCI host-controller driver takes over ports that fail to enable after reset, enumerates the device, and runs the bulk transfers. The driver has not yet been validated against real signer hardware.
Prime as a virtual signer
frostsnap_core’s device-side state machine (the same code real signers run) can run on an in-process loopback port, indistinguishable from hardware to the coordinator. Its share is encrypted with a secure-element-derived key, nonce slots ratchet before release, and wallets where the Prime’s share alone could meet the threshold are refused.
Dig into the source
README, architecture notes, and the wire protocol live in the repo.
