# [bitcoin-dev] Multiparty signatures

Erik Aronesty erik at q32.com
Fri Jul 20 17:34:29 UTC 2018

``` Hi, thanks for all the help.   I'm going to summarize again, and see if
we've arrived at the correct solution for an M of N "single sig" extension
of MuSig, which I think we have.

- Using MuSig's solution for the blinding to solve the Wagner attack
- Using interpolation to enhance MuSig to be M of N instead of M of M

References:

- MuSig
https://blockstream.com/2018/01/23/musig-key-aggregation-schnorr-signatures.html
- HomPrf http://crypto.stanford.edu/~dabo/papers/homprf.pdf (sections 7.1
and 7.4)

Each party:

1. Publishes public key G*xi
3. Xi = H(G*xi) ... Xi is the parties x coordinate, for the purposes of
interpolation
3. r = G*x = via interpolation of Gx1, Gx2... (see HomPrf)
4. L = H(X1,X2,…) (see MuSig)
5. X = sum of all H(L,Xi)Xi (see MuSig)
6. Computes e = H(r | M | X) .... standard schnorr e... not a share
7. Computes si = xi - xe ... where si is a "share" of the sig, and xi is
the private data
8. Publishes (si, e, G*Xi)

Any party can then derive s from m of n shares, by interpolating, not