Author: AdamISZ 2023-07-24 16:51:44+00:00
Published on: 2023-07-24T16:51:44+00:00
The email discusses using MuSig1 and MuSig2 to avoid the Wagner attack. It mentions the need for the 3rd round of MuSig1, which involves the R commitments. The sender also points out that the challenge c cannot be given to the server to construct s1, because that would not work for blinding the final key, and suggests using c1*a1 as the challenge for signing instead. The email asks whether the server can calculate 'c' and the aggregate key a1X1 + a2X2, and whether it is possible to find a1 and correlate the transaction from the quantity 'c1*a1' alone. The sender agrees with Jonas that there needs to be some proof that the signing request is 'well formed', possibly in the form of a ZKP of a SHA2 preimage. The sender also comments on the term 'posk' and its potential relevance to the scenario.
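The algebra behind handing the server an a1-scaled challenge, as an added example (not code from the email or from any MuSig implementation). It assumes the standard MuSig coefficients a_i = H(L, X_i), reads the summary's blinded value as the challenge c multiplied by a1, uses a constructed toy group that is not secure, and omits the nonce-commitment round; all function names are hypothetical.

```python
import hashlib

# Constructed toy Schnorr group (NOT secure): order-Q subgroup of Z_P*, P = 2Q + 1.
P, Q, G = 2039, 1019, 4

def h(*parts):
    """Hash arbitrary values to a scalar mod Q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def pub(x):
    return pow(G, x, P)

def aggregate(X1, X2):
    """MuSig key aggregation, written multiplicatively: X = X1^a1 * X2^a2."""
    L = h(X1, X2)
    a1, a2 = h(L, X1), h(L, X2)
    return pow(X1, a1, P) * pow(X2, a2, P) % P, a1, a2

def server_sign(x1, r1, e):
    """Server side: receives only the scalar e, never msg, X2 or the aggregate key."""
    return (r1 + e * x1) % Q

def verify(X, msg, R, s):
    """Plain Schnorr check against the aggregate key: g^s == R * X^c."""
    c = h(X, R, msg)
    return pow(G, s, P) == R * pow(X, c, P) % P

def run(x1, x2, r1, r2, msg, scale_by_a1=True):
    """Client drives the session; returns whether the combined signature verifies."""
    X, a1, a2 = aggregate(pub(x1), pub(x2))  # computed by the client only
    R = pub(r1) * pub(r2) % P                # server contributes only pub(r1)
    c = h(X, R, msg)
    # Assumption: the value sent to the server is c * a1. Sending the raw c
    # drops the a1 factor that the server cannot apply without the key set.
    e = c * a1 % Q if scale_by_a1 else c
    s1 = server_sign(x1, r1, e)
    s2 = (r2 + c * a2 * x2) % Q
    return verify(X, msg, R, (s1 + s2) % Q)

if __name__ == "__main__":
    print("server signs c*a1:", run(123, 456, 77, 88, "constructed tx"))
    print("server signs raw c:", run(123, 456, 77, 88, "constructed tx", False))
```
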
Updated on: 2023-08-11T15:36:51.031841+00:00