The paper refers to either: a) building up threshold signatures via concatenation, or. implicitly - in Bitcoin - b) by indicating that of M of N are valid, and requiring a validator to validate one of the permutations of M that signed - as opposed to a scheme, like a polynomial function, where the threshold is built in to the system.
Maybe there's another mechanism in there that I'm not aware of - because it's just too simple to mention? - Erik On Thu, Sep 13, 2018 at 2:46 PM Andrew Poelstra <apoels...@wpsoftware.net> wrote: > On Tue, Sep 11, 2018 at 01:37:59PM -0400, Erik Aronesty via bitcoin-dev > wrote: > > - Musig, by being M of M, is inherently prone to loss. > > > > It has always been possible to create M-of-N threshold MuSig signatures > for any > M, N with 0 < M ≤ N. This is (a) obvious, (b) in our paper, (c) > implemented at > > > https://github.com/apoelstra/secp256k1/blob/2018-04-taproot/src/modules/musig/main_impl.h > > -- > Andrew Poelstra > Research Director, Mathematics Department, Blockstream > Email: apoelstra at wpsoftware.net > Web: https://www.wpsoftware.net/andrew > > "Make it stop, my love; we were wrong to try > Never saw what we could unravel in traveling light > Nor how the trip debrides like a stack of slides > All we saw was that time is taller than space is wide" > --Joanna Newsom > >
_______________________________________________ bitcoin-dev mailing list email@example.com https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev