Good morning Ruben,
>
> That assumes there will be a second transaction. With SAS I believe we can
> avoid that, and make it look like this:
>
> +---+
> Alice ---| |--- Bob
> Alice ---| |
> Bob ---| |
> +---+
If Alice is paying to a non-SAS aware pa
Hi ZmnSCPxj,
>Just to be clear, you mean we can use the MuSig key-combination protocol
for the non-timelocked SAS output, but (of course) not the signing protocol
which is inherently Schnorr. Then knowledge of both of the original private
keys is enough to derive the single combined private key.