Hi, thanks for all the help. I'm going to summarize again, and see if we've arrived at the correct solution for an M of N "single sig" extension of MuSig, which I think we have.
- Using MuSig's solution for the blinding to solve the Wagner attack
- Using interpolation to enhance MuSig to be M of N instead of M of M

References:
- MuSig https://blockstream.com/2018/01/23/musig-key-aggregation-schnorr-signatures.html
- HomPrf http://crypto.stanford.edu/~dabo/papers/homprf.pdf (sections 7.1 and 7.4)

Each party:
1. Publishes public key G*xi
2. Xi = H(G*xi) ... Xi is the party's x coordinate, for the purposes of interpolation
3. r = G*x = via interpolation of Gx1, Gx2... (see HomPrf)
4. L = H(X1,X2,...) (see MuSig)
5. X = sum of all H(L,Xi)Xi (see MuSig)
6. Computes e = H(r | M | X) .... standard Schnorr e... not a share
7. Computes si = xi - xe ... where si is a "share" of the sig, and xi is the private data
8. Publishes (si, e, G*Xi)

Any party can then derive s from m of n shares, by interpolating, not adding.
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
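Added worked example (not part of the post above, nor code from the MuSig or HomPrf papers) of the one mechanical step the summary leans on: recovering a value from m of n shares "by interpolating, not adding", both in the scalar field and "in the exponent" from public shares only. It stands in a constructed toy Schnorr group modulo a small prime instead of secp256k1 so it runs with no dependencies; the group parameters, share polynomial and the 57 / 2-of-3 / 3-of-5 figures are constructed for illustration, and nothing here implements or vouches for the signing steps 1 to 8 themselves.

```python
"""Lagrange interpolation of secret shares, in Z_q and in the exponent.

Constructed example: a toy Schnorr group (P = 6*Q + 1, both prime) replaces
secp256k1. Group multiplication and exponentiation by a Lagrange coefficient
play the roles that point addition and scalar multiplication play on a curve.
"""
import secrets

P = 607                       # constructed prime modulus
Q = 101                       # constructed prime subgroup order, Q | P - 1
G = pow(2, (P - 1) // Q, P)   # generator of the order-Q subgroup (= 64)


def lagrange_coeff(i, xs, q=Q):
    """Lagrange basis coefficient lambda_i for evaluating at x = 0 over Z_q.

    xs: x-coordinates of the shares actually present (distinct, non-zero).
    """
    num, den = 1, 1
    for j in xs:
        if j != i:
            num = (num * (-j)) % q
            den = (den * (i - j)) % q
    return (num * pow(den, -1, q)) % q


def split_secret(secret, m, n, q=Q, rng=secrets.randbelow):
    """Shamir-style sharing: random degree-(m-1) polynomial f with f(0) = secret.

    Returns [(x_i, s_i)] for x_i = 1..n; any m of the points determine f(0).
    rng(q) must return an integer in [0, q); a constant rng gives a fixed polynomial.
    """
    coeffs = [secret % q] + [rng(q) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for k, a in enumerate(coeffs):
            y = (y + a * pow(x, k, q)) % q
        shares.append((x, y))
    return shares


def interpolate_scalar(shares, q=Q):
    """Recover f(0) from at least m shares (x_i, s_i) by interpolation in Z_q."""
    xs = [x for x, _ in shares]
    return sum(lagrange_coeff(x, xs, q) * y for x, y in shares) % q


def interpolate_exponent(pub_shares, p=P, q=Q):
    """Recover G^f(0) from public points (x_i, G^s_i) without learning any s_i.

    prod_i (G^s_i)^lambda_i = G^(sum_i lambda_i * s_i) = G^f(0).
    """
    xs = [x for x, _ in pub_shares]
    acc = 1
    for x, gy in pub_shares:
        acc = (acc * pow(gy, lagrange_coeff(x, xs, q), p)) % p
    return acc


def demo(secret=57, m=2, n=3):
    """Share a constructed secret n ways and rebuild it from the first m shares."""
    shares = split_secret(secret, m, n)
    subset = shares[:m]
    pub_subset = [(x, pow(G, s, P)) for x, s in subset]
    return {
        "scalar_ok": interpolate_scalar(subset) == secret % Q,
        "exponent_ok": interpolate_exponent(pub_subset) == pow(G, secret, P),
        # Naive summation of the same shares, for contrast with interpolation.
        "naive_sum": sum(s for _, s in subset) % Q,
    }


if __name__ == "__main__":
    print(demo())
```

Because every share carries its x-coordinate, the reconstructing party computes the coefficients from the set of x-coordinates it actually received, so any m-subset works; the in-exponent variant is what lets the public aggregate be checked against the public shares without any private data changing hands.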