Sep 11 - Sep 11, 2018
They both agreed that communication efficiency is important for some applications and that delinearization is the better option in those cases. For users who want an "M of N" scheme that doesn't cost more to send funds, allows them to lose a device and keep their coins, and lets them establish and validate the scheme safely, a simple "verified signer" threshold scheme is probably the best solution. It was noted that M of M is just one particular threshold; if a different threshold is wanted, a different threshold is used. There was a discussion about having the senders of the G*x pubkey shares sign their messages with the associated private key share, to prevent them from using Wagner's algorithm to attack the combined key. While this possibility is described in the MuSig paper, it requires users to communicate an extra signature per key. Therefore, in any case where delinearization can be used, it is the better option: it has better failure properties and eliminates the need for the extra communication.
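As an added example (not code from the thread or from the MuSig authors), the following toy Python over secp256k1 contrasts the options discussed above: naive summation of the G*x shares, which a second party can steer to a key of their choosing without knowing any private key; delinearized aggregation, where each share is weighted by a hash of the full key list so that trick no longer works; and the "verified signer" alternative, where each share is accompanied by a Schnorr signature over the share itself and shares without a valid signature are rejected. Function names, the SHA-256-based hash and the point encoding are assumptions made for illustration, not the paper's exact encoding.

```python
"""Key aggregation for an M-of-M Schnorr multisignature: naive sum versus
MuSig-style delinearization, plus a per-share proof of possession.
Toy secp256k1 arithmetic written for this summary (hypothetical code)."""
import hashlib
import secrets

# secp256k1 field prime, group order and generator
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, k = None, k % N
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def point_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def ser(pt):
    """Serialise a point as x || y (64 bytes) for hashing; assumed encoding."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def h(*parts):
    """SHA-256 of the concatenated parts, reduced into the scalar field."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N


def aggregate_naive(pubkeys):
    """Plain sum of the G*x shares: linear in the shares, hence attackable."""
    agg = None
    for pk in pubkeys:
        agg = point_add(agg, pk)
    return agg


def aggregate_delinearized(pubkeys):
    """MuSig-style delinearization: X = sum_i H(L, X_i) * X_i, where L is the
    list of all shares. Changing any one share changes every coefficient."""
    L = b"".join(ser(pk) for pk in pubkeys)
    agg = None
    for pk in pubkeys:
        agg = point_add(agg, point_mul(h(L, ser(pk)), pk))
    return agg


def sign_pop(x):
    """'Verified signer': Schnorr signature over the signer's own share G*x."""
    X = point_mul(x, G)
    k = secrets.randbelow(N - 1) + 1
    R = point_mul(k, G)
    e = h(ser(R), ser(X))
    return X, (R, (k + e * x) % N)


def verify_pop(X, sig):
    """Accept a share only if s*G == R + e*X, i.e. the sender knows its x."""
    R, s = sig
    e = h(ser(R), ser(X))
    return point_mul(s, G) == point_add(R, point_mul(e, X))


def demo_rogue_share():
    """Second participant picks X2 = T - X1 for a key T they control.
    Returns (naive aggregate == T, delinearized aggregate == T)."""
    X1 = point_mul(secrets.randbelow(N - 1) + 1, G)        # honest share
    T = point_mul(secrets.randbelow(N - 1) + 1, G)         # attacker's own key
    X2 = point_add(T, point_neg(X1))                       # cancels X1 in a plain sum
    return (aggregate_naive([X1, X2]) == T,
            aggregate_delinearized([X1, X2]) == T)


def demo_proof_of_possession():
    """An honest share verifies; a share whose private key nobody holds cannot
    be accompanied by a valid signature, so reusing another share's signature
    is rejected. Returns (honest accepted, rogue accepted)."""
    X1, sig1 = sign_pop(secrets.randbelow(N - 1) + 1)
    T = point_mul(secrets.randbelow(N - 1) + 1, G)
    X2 = point_add(T, point_neg(X1))
    return verify_pop(X1, sig1), verify_pop(X2, sig1)


if __name__ == "__main__":
    print("naive/delinearized aggregate hijacked:", demo_rogue_share())
    print("honest/rogue share accepted:", demo_proof_of_possession())
```

The two-party case above needs no Wagner's algorithm; the k-sum attack from the thread is what makes the same idea work for a larger key list, and the coefficient H(L, X_i) defeats both, because an adversary cannot choose a share without changing every coefficient including their own. The proof-of-possession path closes the same hole but, as the summary notes, costs one extra signature per share on the wire and relies on every participant actually checking it.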