I wonder if the first two round trips before revealing R / r in MuSig signing can be moved to the keygen phase and made deterministic. That reduces the number of messages that need to be exchanged; since keygen is only done once, that is the phase we want to make heavier. This would be especially useful for HD wallets: at the cost of making wallet creation more complicated, signing would need fewer interactions.

The working document, on pages 10-11, specifies the following (from the perspective of signer 1):

## MuSig scheme

**Key generation**

- generate private key x_1 and the corresponding public key X_1
- send X_1
- receive X_i

**Signing (specifically the part about agreeing on the R_i)**

- send t_1 = H_com(R_1)
- receive t_i
- send R_1
- receive R_i
- check that H_com(R_i) == t_i

r_1 is specified to be random.

Signing involves three rounds of interaction, two of which are used for the steps above (agreeing on the R_i).

I want to move these steps to the keygen phase.

An HD wallet would probably use BIP32 to generate X_1.

Can we use BIP32 to derive R_i / r_i as well?

Consider the following scheme instead.

(From the perspective of signer 1)

## Proposed HD scheme

**HD wallet setup phase**

- generate xprv y_1 and the corresponding xpub Y_1
- generate xprv k_1 and the corresponding xpub K_1
- send xpub Y_1
- send u_1 = H(K_1)
- receive xpub Y_i
- receive u_i
- send xpub K_1
- receive xpub K_i
- check that H(K_i) == u_i

**Key generation**

- from xprv y_1, along some BIP32 path p, derive private key x_1 and public key X_1
- from xpub Y_i, along the same BIP32 path p, derive public key X_i
- from xprv k_1, along the same BIP32 path p, derive private key j_1 and public key J_1
- from xpub K_i, along the same BIP32 path p, derive public key J_i

**Signing (specifically the part about agreeing on the R_i)**

- compute r_1 = j_1 + hash(m) and R_1 = J_1 + hash(m) * G
- compute R_i = J_i + hash(m) * G

This approach has only one round of interaction during signing (sending the partial signatures s_i, omitted here since it is unchanged from what the document describes).

I've read the randomization section, but the explanation of why it does not work requires R_i to be chosen by the attacker. If we do it deterministically, and BIP32 is secure, then this attack does not apply. The document says: "every signer must ensure that every time any R_j sent by the other cosigners or the message m changes, its r_i value changes unpredictably. While f is deterministic, this implies a circular dependency on the choice of random values."

Where is this circular dependency? The RFC 6979 f depends only on the key and m.
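Both flows described in the post, the working document's commit-then-reveal nonce exchange and the proposed HD variant, as an added Python example. This is editor-added code, not code from the post or from the MuSig working document, and it makes the following assumptions that the post does not spell out: MuSig key aggregation with a_i = H(L, X_i) and challenge e = H(X, R, m) as in the MuSig paper; a single SHA-256 standing in for H_com, H and hash(); u_i = H(xpub K_i) computed over the point and the chain code; the BIP32 path p given as a list of non-hardened child indices; and wallet seeds that are constructed test values. The secp256k1 arithmetic is a bare affine implementation for illustration only.

```python
import hashlib
import hmac
import secrets

# Minimal secp256k1 arithmetic (affine points, not constant-time; illustration only).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None  # a + (-a) = infinity
    l = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (l * l - a[0] - b[0]) % P
    return (x, (l * (a[0] - x) - a[1]) % P)

def mul(k, pt=G):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def ser(pt):  # 33-byte compressed point encoding
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def H(*parts):  # SHA-256 of the concatenation, reduced mod n; stands in for H_com, H and hash()
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

# BIP32: an extended key is (scalar or point, 32-byte chain code); non-hardened derivation only.
def xprv_from_seed(seed):  # master key per BIP32 (seeds used with this are constructed test values)
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return (int.from_bytes(I[:32], "big") % N, I[32:])
def xpub_of(xprv):
    return (mul(xprv[0]), xprv[1])

def derive_priv(xprv, path):  # what the holder of the xprv does
    k, c = xprv
    for i in path:
        I = hmac.new(c, ser(mul(k)) + i.to_bytes(4, "big"), hashlib.sha512).digest()
        k, c = (int.from_bytes(I[:32], "big") + k) % N, I[32:]
    return k
def derive_pub(xpub, path):  # what a co-signer holding only the xpub does
    K, c = xpub
    for i in path:
        I = hmac.new(c, ser(K) + i.to_bytes(4, "big"), hashlib.sha512).digest()
        K, c = add(mul(int.from_bytes(I[:32], "big")), K), I[32:]
    return K

def hash_xpub(xpub):  # u_i = H(xpub K_i): commit to the point and the chain code (assumption)
    return H(ser(xpub[0]), xpub[1])

def aggregate(pubs):
    """MuSig key aggregation, assumed from the MuSig paper: a_i = H(L, X_i), X = sum a_i X_i."""
    L = b"".join(ser(X) for X in pubs)
    coeffs = [H(L, ser(X)) for X in pubs]
    X = None
    for a, Xi in zip(coeffs, pubs): X = add(X, mul(a, Xi))
    return coeffs, X

def final_round(m, xs, rs, Rs):
    """Third round, identical in both schemes: s_i = r_i + e*a_i*x_i, sum, verify sG == R + eX."""
    coeffs, X = aggregate([mul(x) for x in xs])
    R = None
    for Ri in Rs: R = add(R, Ri)
    e = H(ser(X), ser(R), m)  # challenge assumed as in the MuSig paper
    s = sum(r + e * a * x for r, a, x in zip(rs, coeffs, xs)) % N
    return mul(s) == add(R, mul(e, X))

def sign_commit_scheme(m, xs):
    """Working-document flow: round 1 sends t_i = H_com(R_i); round 2 reveals R_i and checks it."""
    rs = [secrets.randbelow(N - 1) + 1 for _ in xs]  # r_i random, as the document specifies
    Rs = [mul(r) for r in rs]
    ts = [H(ser(R)) for R in Rs]
    for R, t in zip(Rs, ts):
        if H(ser(R)) != t:
            raise ValueError("nonce commitment mismatch")
    return final_round(m, xs, rs, Rs)

def hd_nonces(m, nonce_xprvs, path):
    """Proposed flow: r_i = j_i + hash(m) from xprv k_i; co-signers get R_i from xpub K_i alone."""
    hm = H(m)
    rs = [(derive_priv(k, path) + hm) % N for k in nonce_xprvs]
    Rs = [add(derive_pub(xpub_of(k), path), mul(hm)) for k in nonce_xprvs]
    return rs, Rs

def sign_hd_scheme(m, wallets, path):
    """wallets: list of (xprv y_i, xprv k_i). Setup: exchange Y_i and u_i, then K_i, check u_i."""
    key_xprvs, nonce_xprvs = [w[0] for w in wallets], [w[1] for w in wallets]
    us = [hash_xpub(xpub_of(k)) for k in nonce_xprvs]  # u_i sent before xpub K_i is revealed
    for k, u in zip(nonce_xprvs, us):
        if hash_xpub(xpub_of(k)) != u:
            raise ValueError("xpub commitment mismatch")
    xs = [derive_priv(y, path) for y in key_xprvs]     # x_i along path p
    rs, Rs = hd_nonces(m, nonce_xprvs, path)           # no nonce rounds during signing
    if any(mul(r) != R for r, R in zip(rs, Rs)):       # own r_i must match what others derive
        raise ValueError("xprv and xpub derivations disagree")
    return final_round(m, xs, rs, Rs)
```

Calling `sign_hd_scheme(b"msg", [w1, w2], [44, 0, 7])` with two wallets built as `(xprv_from_seed(...), xprv_from_seed(...))` returns `True`, and `hd_nonces` returns the same R_i for the same m and path on every call, which is the determinism the post relies on. The example only checks that each flow is internally consistent (the xpub-side and xprv-side derivations agree and the combined signature verifies); it does not address whether deterministic r_i are safe in this setting, which is the question the post asks.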