Author: Erik Aronesty 2018-07-26 02:05:05
Published on: 2018-07-26T02:05:05+00:00
The email conversation discusses the implementation of an M-of-N "single sig" extension of MuSig without the need for new opcodes. The solution involves using MuSig's blinding factor solution and interpolation to achieve M-of-N instead of M-of-M. Each party publishes a public key and a random nonce. The x coordinate is used for interpolation purposes, while R is derived from the interpolation of G*k1, G*k2... L is obtained from H(X1,X2,...), and X is the sum of all H(L,Xi)Xi. E (a blinding factor) is computed as H(R | M | X), with si being a share of the signature and xi being the private data. (si, e) are then published as the share signature. To prevent a birthday attack on k, e2 is introduced as a second blinding factor, and (si, e, e2) is published as the share signature. Finally, any party can derive s from m of n shares by interpolating, not adding.
Updated on: 2023-06-13T03:53:06.377534+00:00