What Tim said is right. To add to that, you may also wish to read about
MuSig:
https://blockstream.com/2018/01/23/en-musig-key-aggregation-schnorr-signatures/
Cheers,
Ruben
On Sat, May 15, 2021 at 10:32 PM Tim Ruffing via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> On Sat, 2021
On Sat, 2021-05-15 at 12:21 +0200, vjudeu via bitcoin-dev wrote:
> All that is needed is producing a signature matching the sum of the
> public keys used in taproot, which is "(a+b-a)*G",
This is simply not true.
Taproot does not enable this, or any other form of "cross-input
aggregation", i.
We have some taproot address with private key "a" and public key "a*G", owned
by Alice. Bob wants to take Alice's coins without her permission. He owns
taproot address with private key "b" and public key "b*G". He knows "a*G" by
exploring the chain and looking for P2TR outputs. To grab Alice's f