bitcoin-dev
Schnorr signatures BIP
Original Post by Erik Aronesty
Posted on: September 11, 2018 17:37 UTC
In a discussion about the security advantages of a redistributable threshold system, Gregory Maxwell explained that there is no "non-redistributable multisig" proposed for Bitcoin.
However, MuSig, by being M of M, is inherently prone to loss. To prevent senders of the Gx pubkey shares from using Wagner's algorithm to attack the combined key, they should sign their messages with the associated private key share. Similarly, the Gk nonce fragments should also be signed with the pubkey shares. The concern was raised that Bitcoin releases a multisig that encourages loss, but Maxwell clarified that there is no such proposal.
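The check the post asks for on the Gx pubkey shares, as an added illustration that is not code from the post or from any MuSig implementation: each participant publishes its share together with a Schnorr signature over that share made with its own private key share (a proof of possession), and the aggregator refuses to sum any share whose signature does not verify. It assumes a toy pure-Python secp256k1, constructed tiny secrets, and a hypothetical `"pop"` domain tag.

```python
import hashlib

# secp256k1 parameters: field prime P, group order N, generator G
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    if p == q: lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else: lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    r = None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def enc(p): return p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")
def H(*parts): return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def schnorr_sign(x, msg):
    k = H(b"nonce", x.to_bytes(32, "big"), msg)  # deterministic nonce for the demo
    R = mul(k, G)
    return (R, (k + H(enc(R), enc(mul(x, G)), msg) * x) % N)

def schnorr_verify(X, msg, sig):
    R, s = sig
    return mul(s, G) == add(R, mul(H(enc(R), enc(X), msg), X))

def pop_publish(x):
    """Participant output: pubkey share X = xG plus a PoP signed by the share x."""
    X = mul(x, G)
    return X, schnorr_sign(x, b"pop" + enc(X))

def aggregate(shares):
    """Sum the shares only if every one carries a valid PoP; else reject the set."""
    agg = None
    for X, pop in shares:
        if not schnorr_verify(X, b"pop" + enc(X), pop): return None
        agg = add(agg, X)
    return agg

def demo():
    honest = [pop_publish(0x1111), pop_publish(0x2222)]  # constructed toy secrets
    X1 = honest[0][0]
    bad = (X1[0], P - X1[1])  # -X1: a share whose discrete log the submitter lacks
    rogue = (bad, schnorr_sign(0x3333, b"pop" + enc(bad)))  # best effort, must fail
    return aggregate(honest) is not None, aggregate(honest + [rogue]) is None
```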