[bitcoin-dev] Multisignature for bip-schnorr
Jonas Nick
jonasdnick at gmail.com
Fri Sep 7 08:11:56 UTC 2018
Your multisignature writeup appears to be vulnerable to key cancellation
attacks because the aggregated public key is just the sum of public keys (and
there is no proof of knowledge of the individual secret keys). Therefore, in a
multisignature between Alice and an attacker, the attacker can choose their key
to be -alice_key+attacker_key resulting in an aggregated key for which the
attacker can sign alone (without requiring Alice's partial signature). The
Schnorr BIP links to the MuSig paper which describes a secure key aggregation
scheme. See https://eprint.iacr.org/2018/068
On 8/7/18 6:35 AM, nakagat via bitcoin-dev wrote:
> Hi all,
>
> I wrote a multisignature procedure using bip-schnorr.
>
> If you have time to review and give feedback, I’d really appreciate it.
> Thanks in advance!
>
> Multisignature
> https://gist.github.com/tnakagawa/0c3bc74a9a44bd26af9b9248dfbe598b
>
> Original
> https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki#Multisignatures_and_Threshold_Signatures
>
More information about the bitcoin-dev
mailing list