bitcoin-dev
Schnorr signatures BIP
Original Postby Andrew Poelstra
Posted on: September 3, 2018 00:05 UTC
In an email exchange, Erik Aronesty noted that the spec cannot be used directly with a Shamir scheme to produce single-round threshold multisigs.
This is because shares of point R would need to be broadcast to share participants in order to produce valid single signatures. However, (R, s) schemes can still be used online if participants publish the R(share). On the other hand, Andrew Poelstra dismissed FUD and clarified that there are no non-interactive Schnorr signatures. Andrew Poelstra is a mathematician in the Mathematics Department of Blockstream.