Multiparty signatures
Summary:

In a recent email exchange, Erik Aronesty questioned the level of security assumptions in the proposed Schnorr construction for multiparty signing compared to MuSig. MuSig gives instructions for using the original Schnorr construction for multiparty signing that remain secure when participants adaptively choose their keys: it preprocesses the keys and then continues with the naive protocol, and the verifier is unchanged. However, going back to the use of a cryptographic hash, the suggested approach appears to be "use naive interpolation of Schnorr signatures". That approach can be used with the verifier proposed in the BIP, but it is insecure against adaptive key choice and potentially against adaptive R choice. Picking interpolation locations using the hash of each key isn't sufficient to prevent cancellation attacks, because of the remarkable power of Wagner's algorithm.
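To make the "preprocess the keys, then run the naive protocol, same verifier" point concrete, here is an added n-of-n example (not code from the thread or from any MuSig implementation) over a constructed toy Schnorr group. It assumes the MuSig key-aggregation rule a_i = H(L, X_i), L = H(X_1..X_n), omits the nonce-commitment round and threshold interpolation, and the hypothetical `cancellation_check` shows why key preprocessing matters: a second key chosen relative to the first makes the naive product collapse to a key one party controls, while the MuSig aggregate does not.

```python
import hashlib

# Toy Schnorr group, constructed for illustration only (far too small to be secure):
# p = 2q + 1 is a safe prime and g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4

def h(*parts):
    """Hash of the given group elements / message strings, reduced into Z_q."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def verify(X, m, R, s):
    """Plain single-key Schnorr verifier: g^s == R * X^e. MuSig reuses it unchanged."""
    return pow(G, s, P) == R * pow(X, h(R, X, m), P) % P

def musig_coeffs(pubs):
    """MuSig key preprocessing: a_i = H(L, X_i) with L = H(X_1, ..., X_n)."""
    L = h(*pubs)
    return [h(L, X) for X in pubs]

def aggregate(pubs, coeffs):
    """X_agg = prod X_i^{a_i}; all-ones coefficients give the naive product."""
    X = 1
    for Xi, ai in zip(pubs, coeffs):
        X = X * pow(Xi, ai, P) % P
    return X

def musig_sign(secrets, nonces, m):
    """Naive protocol after preprocessing: s = sum of s_i = r_i + e * a_i * x_i."""
    pubs = [pow(G, x, P) for x in secrets]
    coeffs = musig_coeffs(pubs)
    X = aggregate(pubs, coeffs)
    R = 1
    for r in nonces:
        R = R * pow(G, r, P) % P
    e = h(R, X, m)
    s = sum(r + e * a * x for r, a, x in zip(nonces, coeffs, secrets)) % Q
    return X, R, s

def cancellation_check(x1, x_target):
    """Return (naive_cancels, musig_cancels): whether a second key chosen as
    X_target / X_1 makes the aggregate equal X_target, a key one party controls."""
    X1, Xt = pow(G, x1, P), pow(G, x_target, P)
    X2 = Xt * pow(X1, -1, P) % P
    naive = aggregate([X1, X2], [1, 1]) == Xt
    musig = aggregate([X1, X2], musig_coeffs([X1, X2])) == Xt
    return naive, musig
```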
Updated on: 2023-05-20T17:24:59.032565+00:00