That's a great point. It's been solved in musig and that doesn't change the m of n multisig construction.
You use the same musig construction where you hash all keys and sum the multiples....and use that when computing k ... the shared blinding factor.... you're still improving the system .... Getting a nice Shamir m of n multisig.... with a single signature...and all the same properties otherwise. On Thu, Jul 19, 2018, 9:11 AM Russell O'Connor <rocon...@blockstream.io> wrote: > On Thu, Jul 19, 2018 at 8:16 AM, Erik Aronesty via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> wrote: > >> you can't birthday attack something where there's only a single variable >> that you can modify. >> > > When engaging in a multiparty signature, the attacker can more than one > variable to modify. When you are party to a multi-party signature (for > example, in some sort of coin-join protocol) it could be that every other > participant in the multi-party signature is, in fact, the same single > attacker representing themselves as multiple participants. This is how the > attacker gets their hands on multiple variables. > > >
_______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
