Multi sig transactions: Does MuSig have the same security as 2-2 multisig?

Disclaimer: this question has a theoretical importance for me, try to better educate myself about the cryptographic principles and the signature schemes. I do not mean to imply that, in practice, schnorr signatures are less secure than the current 2-2 multisig transactions / scripts.

I am currently reading the document of musig and about scripts without a script. In my opinion, an important common idea in both cases seems to be able to have a single signature produced from several private keys.

Suppose I can force the private key of a public key within a reasonable time, say 1 month (for example, because I have a fairly efficient algorithm for the discrete register in ecdsa (which I do not have). I also suppose I can invert the hash function of the Bitcoin addresses quickly, or suppose that we only know the public keys because I am the third party in a security deposit service)

Would not be able to break a MuSig address within 1 month (under the previous assumption) by splitting the added private key into the added public key, while in the configuration of a common 2-2 multisig wallet it would take 2 months for to be able to provide two valid signatures since I would have to apply bruteforce both private keys independently?

Schnorr signatures: Can you get R / r in Musig only from seeds and message hashes?

I wonder if the first two round trips before revealing R / r in the MuSig signature can be moved to the keygen phase and can be made deterministic. That reduces the amount of messages that need to be exchanged; Since keygen is only done once, we want to expand that phase. This would be especially useful for HD wallets: at the cost of making the creation of the wallet more complicated, the firm would need fewer interactions.

The working document on page 10-11 specifies the following (from the perspective of signer 1):

Scheme muSig

Generation of keys

  1. generates private key xone and corresponding public key Xone
  2. send Xone
  3. receives XI

Signature (specifically the part about agreeing RI)

  1. send tone= Hcom(Rone)
  2. receive tI
  3. submitone
  4. receive RI
  5. check that Hcom(RI) == tI

rone is specified to be random.
The signature includes three rounds of interaction, two of which are used for the previous steps (agree RI).
I want to move these steps to the keygen phase.


An HD wallet would probably use BIP32 to generate Xone.
Can we use BIP32 to derive R?I/ rI as well?

Consider the following scheme instead.
(From the perspective of the co-signatories 1)

Scheme HD proposed

HD wallet configuration phase

  1. generates xprv andone and corresponding xpub Yone
  2. generates xprv kone and corresponding xpub Kone
  3. send xpub andone
  4. send youone= H (Kone)
  5. receives xpub andI
  6. he receives youI
  7. send xpub Kone
  8. receives xpub kI
  9. check that H (KI) == uI

Generation of keys

  1. of xprv andone along some BIP32 p route, derive private key xone and public key Xone
  2. of xpub andI Along the same route BIP32 p, derive the public key XI
  3. of xprv Kone On the same BIP32 p route, derive the private key jone and the public key Jone
  4. from xpub KI Along the same route BIP32 p, derive the public key JI.

Signature (specifically the part about agreeing RI)

  1. computerone= jone+ hash (m) and Rone= Jone+ hash (m) * G
  2. computerI= JI+ hash (m) * G

This approach only has one round of interaction during signing (sending messagesI, omitted as it has not changed with respect to what is described in the document).

I've read the randomization section, but the explanation of why it does not work requires RI To be chosen by the attacker. If we do it in a deterministic way, and BIP32 is safe, then this attack does not apply. The document says "every signer must ensure that every time any Rj sent by other co-signatories or the message m changes, your rI The value changes unpredictably. While f is deterministic, this implies a circular dependence on the choice of random values. "

Where is this circular dependence? The RFC 6979 f only depends on the key and m.