Author: Erik Aronesty 2018-07-20 20:18:47
Published on: 2018-07-20T20:18:47+00:00
The email discusses a revised solution for an M of N "single sig" extension of MuSig. The solution uses MuSig's blinding factor (e) and interpolation to enhance MuSig from M of M to M of N. Each party publishes their public key G*xi, G*ki where ki is a random nonce. Xi is the parties x coordinate for interpolation. R is computed via interpolation of r1=Gk1, r2=Gk2..., and L is computed by hashing X1,X2,... X is then computed as the sum of all H(L,Xi)Xi. E is computed as standard schnorr e and not as a share using H(R | M | X). Si is computed as ki * e + xi * e and published as a share signature. To prevent a multiparty birthday attack on k, k is blinded as well. E2 is computed as H(R | M | X2), a second blinding factor. Si is computed as ki * e2 + xi * e. Finally, si, e, and e2 are published as the share signature. There is no mechanism for a birthday attack on k in this revised solution.
Updated on: 2023-06-13T03:54:01.329753+00:00