Your multisignature writeup appears to be vulnerable to key cancellation attacks because the aggregated public key is just the sum of public keys (and there is no proof of knowledge of the individual secret keys). Therefore, in a multisignature between Alice and an attacker, the attacker can choose their key to be -alice_key+attacker_key resulting in an aggregated key for which the attacker can sign alone (without requiring Alice's partial signature). The Schnorr BIP links to the MuSig paper which describes a secure key aggregation scheme. See https://eprint.iacr.org/2018/068
On 8/7/18 6:35 AM, nakagat via bitcoin-dev wrote: > Hi all, > > I wrote a multisignature procedure using bip-schnorr. > > If you have time to review and give feedback, I’d really appreciate it. > Thanks in advance! > > Multisignature > https://gist.github.com/tnakagawa/0c3bc74a9a44bd26af9b9248dfbe598b > > Original > https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki#Multisignatures_and_Threshold_Signatures > _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
