Schnorr signatures: what are the limitations to amortize the interactive session configuration of MuSig?

The nonces should not be reused! In particular, in MuSig, the nonces can not be reused.
for other combinations of public keys or messages (also if everyone uses the
same public speeches all the time). This would filter the private keys.

You share the new nonces files in advance by running several rounds of signatures in parallel.
With the library you join
(secp256k1-zkp) this is
sure while keeping session states in memory and not copying them.
Serialization of the state and its storage in a persistent medium is not compatible with
secp256k1-zkp and difficult to correct, because if you accidentally use the
If not, filter the private key.

A simple way to eliminate the overload of the first two interactions
The rounds are attaching the commitment of nonce and nonce to those already existing.
Messages in your protocol. That way you would only have two parallel signatures.
Sessions

Research is being done on deterministic issues for MuSig that have
Evidence of zero knowledge that the nonce is correctly derived. With such tests
The requests can be derived from the set of signatories, their private key and the
message and there is no status to track.

Question from Musig / Schnorr – Bitcoin Stack Exchange

I am studying the MuSig protocol and I have problems to capture certain segments. This is my understanding so far:

In the current Bitcoin CHECKMULTISIG format, the size of the signature grows linearly with the number of additional "m" signers. The way in which CHECKMULTISIG works is that each signer produces its own independent signature, and we incorporate all these individual values ​​in the scriptsig. Therefore, a 3 of 5 unlock script could read [sig 1][sig 2][sig 5]… for simplicity, I will call this compilation of all individual sig values ​​the "group signature". In the given example, this signature field would be 3 times the length of a standard P2PKH.

In a "naive" Schnorr multiple signature scheme, instead of eliminating all potential public keys and [much larger] By signing the group in the block chain for the verifier calculation, we can make the signers interactively add their individual public keys in a pre-admission phase to obtain a single "aggregate" key, which is read as a synonym for a key traditional public An external member could send BTC to this aggregated key, where it would be controlled by the group members. For the group to spend, each party will create a partial signature with their unique personal keys and interactively add all these signature values ​​to create a group signature. At this point, we are left with a group signature (which is the size of a basic P2PKH signature) and an aggregate public key that is added to the block chain, which gives us great space savings. However, this scheme is insecure unless it operates under a KOSK model. We turn to another variant of Schnorr, MuSig, which can offer key aggregation securely while operating in the context of a simple public key.

The publication of the Blockstream blog of 2018 says:

Instead of limiting ourselves to one signature per entry, we can obtain a signature for the entire transaction. The aggregation of keys can not be used through multiple entries, since the outputs are committed to public keys, and can be spent independently.

I'm having trouble understanding this paragraph. I suppose you should refer to each key added in scriptsig, since the scriptpubkey of the previous sender would have required tests to unlock the tax. I'm struggling to understand how the added signature is achieved in various ticket parts.

Multi sig transactions: Does MuSig have the same security as 2-2 multisig?

Disclaimer: this question has a theoretical importance for me, try to better educate myself about the cryptographic principles and the signature schemes. I do not mean to imply that, in practice, schnorr signatures are less secure than the current 2-2 multisig transactions / scripts.

I am currently reading the document of musig and about scripts without a script. In my opinion, an important common idea in both cases seems to be able to have a single signature produced from several private keys.

Suppose I can force the private key of a public key within a reasonable time, say 1 month (for example, because I have a fairly efficient algorithm for the discrete register in ecdsa (which I do not have). I also suppose I can invert the hash function of the Bitcoin addresses quickly, or suppose that we only know the public keys because I am the third party in a security deposit service)

Would not be able to break a MuSig address within 1 month (under the previous assumption) by splitting the added private key into the added public key, while in the configuration of a common 2-2 multisig wallet it would take 2 months for to be able to provide two valid signatures since I would have to apply bruteforce both private keys independently?

Schnorr signatures: Can you get R / r in Musig only from seeds and message hashes?

I wonder if the first two round trips before revealing R / r in the MuSig signature can be moved to the keygen phase and can be made deterministic. That reduces the amount of messages that need to be exchanged; Since keygen is only done once, we want to expand that phase. This would be especially useful for HD wallets: at the cost of making the creation of the wallet more complicated, the firm would need fewer interactions.

The working document on page 10-11 specifies the following (from the perspective of signer 1):

Scheme muSig

Generation of keys

  1. generates private key xone and corresponding public key Xone
  2. send Xone
  3. receives XI

Signature (specifically the part about agreeing RI)

  1. send tone= Hcom(Rone)
  2. receive tI
  3. submitone
  4. receive RI
  5. check that Hcom(RI) == tI

rone is specified to be random.
The signature includes three rounds of interaction, two of which are used for the previous steps (agree RI).
I want to move these steps to the keygen phase.


An HD wallet would probably use BIP32 to generate Xone.
Can we use BIP32 to derive R?I/ rI as well?

Consider the following scheme instead.
(From the perspective of the co-signatories 1)

Scheme HD proposed

HD wallet configuration phase

  1. generates xprv andone and corresponding xpub Yone
  2. generates xprv kone and corresponding xpub Kone
  3. send xpub andone
  4. send youone= H (Kone)
  5. receives xpub andI
  6. he receives youI
  7. send xpub Kone
  8. receives xpub kI
  9. check that H (KI) == uI

Generation of keys

  1. of xprv andone along some BIP32 p route, derive private key xone and public key Xone
  2. of xpub andI Along the same route BIP32 p, derive the public key XI
  3. of xprv Kone On the same BIP32 p route, derive the private key jone and the public key Jone
  4. from xpub KI Along the same route BIP32 p, derive the public key JI.

Signature (specifically the part about agreeing RI)

  1. computerone= jone+ hash (m) and Rone= Jone+ hash (m) * G
  2. computerI= JI+ hash (m) * G

This approach only has one round of interaction during signing (sending messagesI, omitted as it has not changed with respect to what is described in the document).

I've read the randomization section, but the explanation of why it does not work requires RI To be chosen by the attacker. If we do it in a deterministic way, and BIP32 is safe, then this attack does not apply. The document says "every signer must ensure that every time any Rj sent by other co-signatories or the message m changes, your rI The value changes unpredictably. While f is deterministic, this implies a circular dependence on the choice of random values. "

Where is this circular dependence? The RFC 6979 f only depends on the key and m.