On Mon, Jul 9, 2018 at 4:33 PM, Erik Aronesty <e...@q32.com> wrote:
>>> with security assumptions that match the original Schnorr construction more
>>> closely,
>> More closely than what?
> More closely than MuSig.
MuSig is instructions on using the original Schnorr construction for multiparty signing which is secure against participants adaptively choosing their keys, which is something the naive scheme of just interpolating keys and shares is vulnerable to. It works as preprocessing on the keys, then you continue on with the naive protocol. The verifier (e.g. network consensus rules) is the same.

Now that you're back to using a cryptographic hash, I think what you're suggesting is "use naive interpolation of Schnorr signatures" -- which you can do, including with the verifier proposed in the BIP, but doing that alone is insecure against adaptive key choice (and potentially adaptive R choice, depending on specifics which aren't clear enough to me in your description).

In particular, although it seems surprising, picking your interpolation locations with the hash of each key isn't sufficient to prevent cancellation attacks due to the remarkable power of Wagner's algorithm.

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
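The point made above, that MuSig is key preprocessing in front of an unchanged Schnorr verifier and that the naive "just combine the keys" scheme fails against a participant who chooses its key after seeing the others, can be seen in a small worked example. The code below is an added illustration, not code from the mailing-list thread or from any MuSig implementation. It assumes a classroom group (integers modulo the Mersenne prime 2^127 - 1, scalars modulo the group order, base element 3), a plain SHA-256 in place of BIP-340's tagged hashes, and a MuSig-style signing round without the nonce-commitment step, so it says nothing about adaptive R choice; only the key-aggregation difference is exercised. The same `verify` function checks single-key, naively aggregated and MuSig-aggregated signatures.

```python
"""Toy Schnorr multi-signature: naive key product vs MuSig-style key aggregation.

Added example (not from the thread). The group is Z_P^* with P = 2**127 - 1 and
scalars mod P - 1; this is chosen so the algebra runs without any library, it is
not a production group.
"""
import hashlib
import random

P = 2**127 - 1   # prime modulus (Mersenne prime); group is Z_P^*
N = P - 1        # exponents are reduced mod the group order
G = 3            # fixed base element (assumption: any element other than 0 and 1 works for the algebra)


def hash_scalar(*parts) -> int:
    """Hash a sequence of integers/strings to a scalar mod N (simplified stand-in for a tagged hash)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(str(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % N


def keygen(rng):
    x = rng.randrange(1, N)
    return x, pow(G, x, P)


def verify(X, msg, R, s):
    """Unchanged Schnorr verifier: g^s == R * X^e with e = H(R, X, m)."""
    e = hash_scalar(R, X, msg)
    return pow(G, s, P) == R * pow(X, e, P) % P


def sign(x, X, msg, rng):
    """Single-signer Schnorr signature under public key X with secret x."""
    k = rng.randrange(1, N)
    R = pow(G, k, P)
    e = hash_scalar(R, X, msg)
    return R, (k + e * x) % N


def naive_aggregate(pubkeys):
    """Naive scheme: the aggregate key is just the product of the keys (sum of secrets)."""
    X = 1
    for Xi in pubkeys:
        X = X * Xi % P
    return X


def musig_coefficients(pubkeys):
    """MuSig preprocessing: each key gets a coefficient a_i = H(L, X_i) that depends on the whole key set L."""
    L = hash_scalar(*sorted(pubkeys))
    return [hash_scalar(L, Xi) for Xi in pubkeys]


def musig_aggregate(pubkeys):
    X = 1
    for a, Xi in zip(musig_coefficients(pubkeys), pubkeys):
        X = X * pow(Xi, a, P) % P
    return X


def musig_cosign(secrets, pubkeys, msg, rng):
    """Honest co-signing after the key preprocessing (nonce-commitment round omitted here)."""
    coeffs = musig_coefficients(pubkeys)
    X = musig_aggregate(pubkeys)
    nonces = [rng.randrange(1, N) for _ in secrets]
    R = 1
    for k in nonces:
        R = R * pow(G, k, P) % P
    e = hash_scalar(R, X, msg)
    # each signer contributes k_i + e * a_i * x_i; the sum verifies under the aggregate key
    s = sum(k + e * a * x for k, a, x in zip(nonces, coeffs, secrets)) % N
    return R, s


def adaptive_key(honest_pub, rng):
    """A participant that picks its key after seeing the honest key: X2 = g^x2 * X1^-1,
    so the naive product X1 * X2 collapses to g^x2, whose secret it knows."""
    x2 = rng.randrange(1, N)
    X2 = pow(G, x2, P) * pow(honest_pub, -1, P) % P
    return x2, X2


def demo():
    """Returns (naive aggregate accepts lone signer, MuSig aggregate accepts lone signer, honest MuSig cosign verifies)."""
    rng = random.Random(2018)          # constructed, deterministic sample run
    x1, X1 = keygen(rng)               # honest signer
    x2, X2 = adaptive_key(X1, rng)     # adaptively chosen second key
    msg = "spend"

    Xn = naive_aggregate([X1, X2])
    R, s = sign(x2, Xn, msg, rng)       # x2 alone signs for the naive aggregate key
    naive_lone = verify(Xn, msg, R, s)

    Xm = musig_aggregate([X1, X2])      # coefficients tie each key to the full set
    R, s = sign(x2, Xm, msg, rng)       # the same lone signature no longer verifies
    musig_lone = verify(Xm, msg, R, s)

    x3, X3 = keygen(rng)                # two honest parties co-sign with MuSig preprocessing
    Xh = musig_aggregate([X1, X3])
    R, s = musig_cosign([x1, x3], [X1, X3], msg, rng)
    honest_ok = verify(Xh, msg, R, s)
    return naive_lone, musig_lone, honest_ok


if __name__ == "__main__":
    print(demo())   # expected: (True, False, True)
```

The three booleans from `demo()` are the whole argument: the naive product accepts a signature from the one party who chose its key last, the MuSig coefficients (which depend on every key in the set) break that cancellation, and honest parties still produce a signature that the unmodified verifier accepts. The toy group and hash are assumptions of this example; the thread's remark about Wagner's algorithm (hashing each key on its own into the interpolation positions is not enough) is not exercised here.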