bitcoin-dev

Schnorr signatures BIP

Original Post by Gregory Maxwell

Posted on: September 11, 2018 17:00 UTC

In an email response to feedback on a Medium article, Erik Aronesty clarified that he switched to the platform to edit and improve his work.

He also stated that he modified his protocol to address concerns rather than ignore them. However, there has been no response to his post in the Bitcointalk forum.

Aronesty claims that an M-1 rogue-key attack would require the attacker either to attack the hash function to produce a predictable R based on a known message, or to attack the DLP to influence x or k, neither of which gives an advantage to someone holding M-1 keys. This claim has been disputed, since it is possible to construct a 2-of-2 signature by adding keys: an attacker computes -P1 + xG to derive a key P2, so that the aggregate P = P1 + P2 equals xG and the attacker knows the discrete log of P with respect to G. The same attack applies with interpolation but is more complex, and Wagner's algorithm provides a way to find a suitable subset. Rogue keys can target both the keys themselves and the nonces, but the MuSig paper describes a delinearization technique that prevents such attacks without additional interaction or communication. Aronesty has not tested whether the R,s version is susceptible, but he notes that there is a perfect bijection between the two encodings.
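The rogue-key construction above, and the MuSig delinearization that defeats it, as an added worked example (this is illustrative code written for this page, not code from the thread, the BIP, or the MuSig paper). It uses a minimal pure-Python secp256k1 implementation, plain key summation as the "naive" aggregation, and MuSig-style coefficients a_i = H(L || P_i) where L is a hash of all keys. The secret scalars x1, x and the nonce k are constructed constants chosen only so the run is deterministic; the hashing layout (SHA-256 over uncompressed 64-byte points) is an assumption made for the example, not the BIP's encoding.

```python
import hashlib

# secp256k1 domain parameters (the public curve constants used by Bitcoin).
P_MOD = 2**256 - 2**32 - 977
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):
    """Affine point addition; None represents the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # A == -B
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R, k = None, k % N_ORD
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def ec_neg(A):
    return None if A is None else (A[0], (-A[1]) % P_MOD)


def ser(A):
    """Assumed 64-byte serialization used for hashing in this example."""
    return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")


def h(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N_ORD


def naive_aggregate(pubkeys):
    """Plain key sum P = P1 + P2 + ...: the scheme the rogue-key attack targets."""
    P = None
    for Q in pubkeys:
        P = ec_add(P, Q)
    return P


def musig_coeffs(pubkeys):
    """MuSig delinearization: a_i = H(L || P_i), with L committing to every key."""
    L = hashlib.sha256(b"".join(ser(Q) for Q in sorted(pubkeys))).digest()
    return [h(L, ser(Q)) for Q in pubkeys]


def musig_aggregate(pubkeys):
    """P = sum a_i * P_i; a_i depends on P_i, so a key chosen from P1 cannot cancel it."""
    P = None
    for a, Q in zip(musig_coeffs(pubkeys), pubkeys):
        P = ec_add(P, ec_mul(a, Q))
    return P


def schnorr_sign(x, P, msg, k):
    """Single-signer Schnorr in (R, s) form: s = k + H(R, P, m) * x mod n."""
    R = ec_mul(k, G)
    e = h(ser(R), ser(P), msg)
    return R, (k + e * x) % N_ORD


def schnorr_verify(P, msg, sig):
    R, s = sig
    e = h(ser(R), ser(P), msg)
    return ec_mul(s, G) == ec_add(R, ec_mul(e, P))


def rogue_key_demo(msg=b"constructed message"):
    """Returns (naive_scheme_broken, musig_key_needs_x1, musig_rejects_solo_sig)."""
    x1 = 0x1DEA5EC2E7            # constructed honest party's secret
    P1 = ec_mul(x1, G)
    x = 0xA77AC4E2                # constructed scalar chosen by the second party
    k = 0xB0B0CA5E                # constructed nonce
    P2 = ec_add(ec_neg(P1), ec_mul(x, G))      # rogue key: P2 = -P1 + xG
    # Naive aggregation: P = P1 + P2 = xG, so one party knows the whole key.
    P_naive = naive_aggregate([P1, P2])
    solo = schnorr_sign(x, P_naive, msg, k)
    naive_broken = P_naive == ec_mul(x, G) and schnorr_verify(P_naive, msg, solo)
    # MuSig aggregation: a1*P1 + a2*(xG - P1) = ((a1 - a2)*x1 + a2*x) * G,
    # whose discrete log involves x1, which the second party does not hold.
    P_musig = musig_aggregate([P1, P2])
    a1, a2 = musig_coeffs([P1, P2])
    dlog = ((a1 - a2) * x1 + a2 * x) % N_ORD
    needs_x1 = P_musig == ec_mul(dlog, G) and P_musig != ec_mul(x, G)
    rejects_solo = not schnorr_verify(P_musig, msg, schnorr_sign(x, P_musig, msg, k))
    return naive_broken, needs_x1, rejects_solo


if __name__ == "__main__":
    print(rogue_key_demo())  # expected: (True, True, True)
```

The first flag confirms the thread's point: with plain summation the aggregate key is xG and a signature made with x alone verifies, with no hash or DLP break involved. The other two flags show why the per-key coefficients matter: the same rogue P2 now yields a key whose discrete log is (a1 - a2)*x1 + a2*x, which cannot be computed without the honest secret x1, and a signature made with x alone no longer verifies against it.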