Your multisignature writeup appears to be vulnerable to key cancellation
attacks because the aggregated public key is just the sum of public keys (and
there is no proof of knowledge of the individual secret keys). Therefore, in a
multisignature between Alice and an attacker, the attacker can choose their key
to be -alice_key+attacker_key resulting in an aggregated key for which the
attacker can sign alone (without requiring Alice's partial signature). The
Schnorr BIP links to the MuSig paper which describes a secure key aggregation
scheme. See

On 8/7/18 6:35 AM, nakagat via bitcoin-dev wrote:
> Hi all,
> I wrote a multisignature procedure using bip-schnorr.
> If you have time to review and give feedback, I’d really appreciate it.
> Thanks in advance!
> Multisignature
> Original
bitcoin-dev mailing list

Reply via email to