
Support frost-secp256k1-evm (frost-secp256k1 with keccak256) #715

Open
StackOverflowExcept1on opened this issue Aug 7, 2024 · 0 comments

Comments

@StackOverflowExcept1on
Contributor

Similar to frost-secp256k1-tr, we could add frost-secp256k1-evm. The idea is to simply replace sha256 with keccak256. In this case, we can implement FROST threshold signature verification in a smart contract. I checked the cost of frost-secp256k1-sha256 verification on Ethereum and it costs about 8000 gas ($0.08 for low gas and, for example, $0.8 for high gas). If you provide an implementation with keccak256, the cost will be even lower.

A few details on how to do verification in a smart contract:

```rust
pub(crate) fn verify_prehashed(
    &self,
    challenge: Challenge<C>,
    signature: &Signature<C>,
) -> Result<(), Error<C>> {
    // Verify check is h * ( - z * B + R + c * A) == 0
    // h * ( z * B - c * A - R) == 0
    //
    // where h is the cofactor
    // z * B: the response scalar times the group generator
    let zB = C::Group::generator() * signature.z;
    // c * A: the challenge times the group verifying key (self.element)
    let cA = self.element.0 * challenge.0;
    // For secp256k1 the cofactor is 1, so the multiplication is a no-op there
    let check = (zB - cA - signature.R) * C::Group::cofactor();
    if check == C::Group::identity() {
        Ok(())
    } else {
        Err(Error::InvalidSignature)
    }
}
```

So, as you can see, we need to check that zG - cA == signature.R. This can be cheaply calculated using the ecrecover function in Ethereum. The only thing is that instead of a point on the curve, the result is an Ethereum address, but this is not a big problem. It is enough to calculate the address for signature.R and compare it with the result of ecrecover. An example of an implementation is given here: https://github.com/chronicleprotocol/scribe/blob/main/src/libs/LibSchnorr.sol

Thus, FROST in smart contracts opens up the possibility of creating DAOs, oracles and other protocols where threshold signatures may be needed. The only drawback is the interactivity of the FROST protocol.
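The following is an added example, not code from frost-core or from the Scribe library linked above. It models, in pure Python, the two ways of checking the relation zG - cY == R from the comment: the direct point check that verify_prehashed performs, and the same check routed through an ecrecover-shaped function, which is what lets an EVM contract do the point arithmetic with a single precompile call. Assumptions made here: a toy single-signer Schnorr signature stands in for the FROST aggregate (R, z), which has the same shape; the challenge is sha256 over a simplified encoding of (R.x, Y.x, msg) rather than the RFC 9591 hash-to-field encoding, because the standard library has no keccak256; and `ecrecover()` returns the recovered point, whereas the real precompile returns keccak256 of that point truncated to an address, so a contract compares addresses rather than coordinates. The parameter mapping (r = Y.x, v = parity of Y.y, s = -c*Y.x, e = -z*Y.x) is derived in the comments.

```python
"""Added example: Schnorr/FROST-style secp256k1 verification done directly
and via an ecrecover-shaped function (pure Python, no external crates/libs)."""
import hashlib
import secrets

# secp256k1 parameters. The cofactor is 1, so the "h *" in verify_prehashed is a no-op.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; verification only)."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p = add(p, p)
        k >>= 1
    return acc


def neg(p):
    return None if p is None else (p[0], (-p[1]) % P)


def lift_x(x, odd):
    """Point with x-coordinate x and the requested y parity (P ≡ 3 mod 4, so sqrt is a power)."""
    rhs = (pow(x, 3, P) + 7) % P
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        raise ValueError("x is not on the curve")
    return (x, y if (y & 1) == odd else P - y)


def ecrecover(e, v, r, s):
    """Model of the EVM precompile: Q = r^-1 * (s*R' - e*G) with R' = lift_x(r, v - 27).
    The real precompile returns keccak256(Q)[12:] (an address), not Q itself."""
    if not (0 < r < N and 0 < s < N and v in (27, 28)):
        raise ValueError("the precompile would return the zero address for these inputs")
    rp = lift_x(r, v - 27)
    return mul(pow(r, -1, N), add(mul(s, rp), neg(mul(e, G))))


def challenge(R, Y, msg):
    """Assumed challenge encoding (sha256 stand-in; not the RFC 9591 hash-to-field)."""
    h = hashlib.sha256(R[0].to_bytes(32, "big") + Y[0].to_bytes(32, "big") + msg).digest()
    return int.from_bytes(h, "big") % N


def sign(x, msg, k=None):
    """Toy single-signer Schnorr: R = kG, z = k + c*x. A FROST aggregate has the same shape."""
    k = k or secrets.randbelow(N - 1) + 1
    R = mul(k, G)
    Y = mul(x, G)
    c = challenge(R, Y, msg)
    return R, (k + c * x) % N


def verify_points(Y, msg, R, z):
    """The verify_prehashed check: z*G - c*Y - R == identity (cofactor 1)."""
    c = challenge(R, Y, msg)
    return add(add(mul(z, G), neg(mul(c, Y))), neg(R)) is None


def verify_ecrecover(Y, msg, R, z):
    """With r = Y.x, v = parity(Y.y), s = -c*Y.x, e = -z*Y.x the precompile computes
    Y.x^-1 * (-c*Y.x*Y + z*Y.x*G) = z*G - c*Y, which must equal R.
    A key whose x-coordinate is >= N (probability about 2^-128) cannot be passed as r."""
    if Y[0] >= N:
        raise ValueError("public key x-coordinate not usable as ecrecover r")
    c = challenge(R, Y, msg)
    e = (-z * Y[0]) % N
    s = (-c * Y[0]) % N
    return ecrecover(e, 27 + (Y[1] & 1), Y[0], s) == R
```

On chain, the last line becomes `ecrecover(e, v, r, s) == address_of_R`, where `address_of_R` (20 bytes) is supplied with the signature instead of the full point, so the contract never performs its own point multiplication. Two inputs the contract must still reject up front, since the precompile returns the zero address for them and a naive comparison against a zero address would pass: `s == 0` (a challenge that is 0 mod N) and a verifying key with `Y.x >= N`.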
