bitcoin-dev
Schnorr signatures BIP
Posted on: September 11, 2018 17:20 UTC
In a discussion thread, Erik Aronesty mentioned that he has added, removed and added back "analogous musig delinearization" multiple times but still feels unsure about it.
The security advantages of a redistributable threshold system are huge according to him. He thinks that if a system is not redistributable, then losing or compromising a single key can lead to lost coins, and hence the system becomes unusable. Erik is worried about Bitcoin releasing a multisig that encourages loss.

Gregory Maxwell responded to Erik's points regarding the M-1 rogue-key attack, stating that adding keys in two-of-two signatures can reveal the discrete log of P with respect to G without violating the standard DL security assumption. He also mentioned that there is a perfect bijection between encodings of the (R, s) versions, making them the same thing from an abstract security perspective. Different ways to prevent rogue keys were discussed, such as the MuSig paper's delinearization technique.