Multiparty signatures



Summary:

The discussion concerns the implementation of multiparty Schnorr signatures using the MuSig construction. Erik Aronesty suggests replacing addition with interpolation in the MuSig construction. However, Gregory Maxwell raises concerns about adaptive key choice and R choice attacks in this context. Erik explains that each party holds only a share of the private key and publishes only a share of the public key, which makes adaptive key attacks difficult to perform. The protocol involves computing and broadcasting a random number, Lagrange interpolation of g^k to compute r, calculating H(r || M) and s', and then publishing (s', e, g^x'). Verification involves interpolating on m of n s' shares to get s, interpolating on m of n g^x' shares to get g^x, and standard Schnorr verification. Gregory points out that naive interpolation of Schnorr signatures alone is insecure against adaptive key choice and potentially adaptive R choice attacks.
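The interpolation steps summarized above, as an added example that is not code from the discussion or from any participant. It shows only the algebra (any m of n shares interpolate to the same r, s and g^x) and does nothing about the adaptive key or R choice concerns raised in the thread. Assumptions: a toy group (p = 2039, q = 1019, g = 4), a trusted dealer `deal` producing both key and nonce shares, the sign convention s' = k' + e·x', and all function names.

```python
import hashlib, random

# Toy Schnorr group (constructed, NOT secure): P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def deal(secret, m, n, rng=random.SystemRandom()):
    """Assumed dealer: Shamir shares {i: f(i)} of `secret`, f of degree m-1."""
    coeffs = [secret] + [rng.randrange(Q) for _ in range(m - 1)]
    return {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(ids):
    """Coefficients lambda_i with f(0) = sum(lambda_i * f(i)) mod Q."""
    lam = {}
    for i in ids:
        num = den = 1
        for j in (j for j in ids if j != i):
            num, den = num * -j % Q, den * (i - j) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam

def interp(points):
    """Interpolate scalar shares {i: y_i} at 0."""
    lam = lagrange_at_zero(list(points))
    return sum(lam[i] * y for i, y in points.items()) % Q

def interp_exp(points):
    """Interpolate in the exponent: prod (g^y_i)^lambda_i = g^f(0)."""
    lam, out = lagrange_at_zero(list(points)), 1
    for i, y in points.items():
        out = out * pow(y, lam[i], P) % P
    return out

def challenge(r, msg):
    """e = H(r || M) reduced mod Q."""
    digest = hashlib.sha256(r.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(digest, "big") % Q

def sign(msg, ids, x_sh, k_sh):
    """Each signer i in `ids` publishes (s'_i, g^x_i); k_sh must be fresh per message."""
    r = interp_exp({i: pow(G, k_sh[i], P) for i in ids})
    e = challenge(r, msg)
    return r, e, {i: ((k_sh[i] + e * x_sh[i]) % Q, pow(G, x_sh[i], P)) for i in ids}

def verify(msg, r, shares):
    """Interpolate s and g^x from m shares, then check g^s == r * (g^x)^e."""
    s = interp({i: sp for i, (sp, _) in shares.items()})
    X = interp_exp({i: gx for i, (_, gx) in shares.items()})
    return pow(G, s, P) == r * pow(X, challenge(r, msg), P) % P
```

Dealing shares of a key and a nonce with `deal(x, 3, 5)` and calling `sign` with two different 3-member index sets yields the same r and e, and both share sets pass `verify`.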


Updated on: 2023-06-13T03:53:48.953886+00:00