Hi ZmnSCPxj,

I think your idea of allowing multiple Rs is a fine solution as it
would essentially mean that you were just doing a three party MuSig
with more specific communication structure. As you mentioned, this is
not quite ideal though.

> It seems to me that what is needed for a composable MuSig is to have a 
> commitment scheme which is composable.

Maybe. Showing certain attacks don't work is a first step. It would
take some deeper analysis of the security model to figure out what
exactly the MuSig requires of the commitment scheme.

> To create a commitment `c[A]` on the point A, such that `A = a * G`, the 
> committer:
>
> * Generates random scalars `r` and `m`.
> * Computes `R` as `r * G`.
> * Computes `s` as `r + h(R | m) * a`.
> * Gives `c[A]` as the tuple `(R, s)`.

This doesn't look binding. It's easy to find another ((A,a),m) which
would validate against (R,s). Just choose m and choose a = (s - r)
h(R||m)^-1.

Cheers,

LL
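Added worked example (not part of the thread, not code from either poster): it implements the quoted commitment `c[A] = (R, s)` on secp256k1, checks an opening with the assumed verification equation `s * G == R + h(R | m) * A` (the quoted post does not spell that equation out), and then carries out the equivocation from the reply, `a' = (s - r) * h(R || m')^-1`, to show a second `((A', a'), m')` that opens the same commitment. All scalar and message values are constructed.

```python
import hashlib

# secp256k1 parameters (assumption: the quoted post names no curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    # Affine point addition; None is the point at infinity.
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    # Double-and-add scalar multiplication.
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt = ec_add(pt, pt); k >>= 1
    return acc

def h(R, m):
    # h(R | m): SHA-256 over the affine coordinates of R and the message bytes.
    data = R[0].to_bytes(32, 'big') + R[1].to_bytes(32, 'big') + m
    return int.from_bytes(hashlib.sha256(data).digest(), 'big') % N

def commit(a, r, m):
    # Quoted scheme: R = r*G, s = r + h(R|m)*a, c[A] = (R, s).
    R = ec_mul(r, G)
    return (R, (r + h(R, m) * a) % N)

def open_ok(c, A, m):
    # Assumed verification equation: s*G == R + h(R|m)*A.
    R, s = c
    return ec_mul(s, G) == ec_add(R, ec_mul(h(R, m), A))

def equivocate(c, r, m2):
    # The reply's observation: with r known, pick any m' and solve for a'.
    R, s = c
    return (s - r) * pow(h(R, m2), -1, N) % N

def demo(a=12345, r=67890, m=b"first", m2=b"second"):  # constructed values
    c = commit(a, r, m)
    a2 = equivocate(c, r, m2)
    A, A2 = ec_mul(a, G), ec_mul(a2, G)
    return open_ok(c, A, m), open_ok(c, A2, m2), A != A2
```

`demo()` returns `(True, True, True)`: the honest opening verifies, the forged opening for a different point and message verifies against the same `(R, s)`, and the two points differ.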
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev