From: Erik Aronesty <erik@q32.com>
To: Gregory Maxwell <greg@xiph.org>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Date: Tue, 11 Sep 2018 13:37:59 -0400
Subject: Re: [bitcoin-dev] Schnorr signatures BIP

- MuSig, by being M of M, is inherently prone to loss.

- Having the senders of the G*x pubkey shares sign their messages with the associated private key share should be sufficient to prevent them from using Wagner's algorithm to attack the combined key. Likewise, the G*k nonce fragments should also be signed with the pubkey shares.

On Tue, Sep 11, 2018 at 1:27 PM Gregory Maxwell wrote:
> On Tue, Sep 11, 2018 at 5:20 PM Erik Aronesty wrote:
> > The security advantages of a redistributable threshold system are huge. If a system isn't redistributable, then a single lost or compromised key results in lost coins... meaning the system is essentially unusable.
> >
> > I'm actually worried that Bitcoin releases a multisig that encourages loss.
>
> There is no "non-redistributable multisig" proposed for Bitcoin
> anywhere that I am aware of.