Hi Jonas,

Thank you for your comment.
I wrote a new text.
https://gist.github.com/tnakagawa/e6cec9a89f698997dc58a09db541e1eb
If you have time, please review this.

On Fri, Sep 7, 2018 at 17:09, Jonas Nick <jonasdn...@gmail.com> wrote:
>
> Your multisignature writeup appears to be vulnerable to key cancellation
> attacks because the aggregated public key is just the sum of public keys (and
> there is no proof of knowledge of the individual secret keys). Therefore, in a
> multisignature between Alice and an attacker, the attacker can choose their key
> to be -alice_key+attacker_key resulting in an aggregated key for which the
> attacker can sign alone (without requiring Alice's partial signature). The
> Schnorr BIP links to the MuSig paper which describes a secure key aggregation
> scheme. See https://eprint.iacr.org/2018/068
>
> On 8/7/18 6:35 AM, nakagat via bitcoin-dev wrote:
> > Hi all,
> >
> > I wrote a multisignature procedure using bip-schnorr.
> >
> > If you have time to review and give feedback, I’d really appreciate it.
> > Thanks in advance!
> >
> > Multisignature
> > https://gist.github.com/tnakagawa/0c3bc74a9a44bd26af9b9248dfbe598b
> >
> > Original
> > https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki#Multisignatures_and_Threshold_Signatures