Schnorr and MuSign multi sig m out of n signatures?

[ibudisteanu]

Hi! Awesome work! I was wondering how do you get a multsig of m out of n, let's suppose, m is 2 and n is 3. So, I am interested to generate a multsig of 2 of 3 ? Any hints or any example that could help me out to understand how to do a 2 out of 3 multsig ? Thanks

[guggero]

Hi @ibudisteanu, thanks! What you are describing is what's called a threshold signature. I did start a branch for that (https://github.com/guggero/bip-schnorr/tree/threshold-signatures) but then I noticed that even Blockstream hadn't decided on how to implement them yet (maybe they did now?). That's why I stopped working on that. To answer your question: It's currently not possible, only n-of-n multisig is implemented.

[ibudisteanu]

Thanks for the reply. I didn't know about this issue. Now, it makes a lot of sense. The resulting point from the aggregation ( pub keys and private keys) is an independent valid point of the elliptic curve. This is why MuSig by default it supports only n-of-n multisig.

I see that one approach is to use Merkle Multisig chapter 4 https://medium.com/cryptoadvance/how-schnorr-signatures-may-improve-bitcoin-91655bcb4744

LE: Using Merkle Multisig defeats the entire purpose of MuSig

[ibudisteanu]

It looks like BLS signatures allow fast signature verification, aggregation and multisg m of n. Did you try to use BLS signatures ?

[sarvalabs-sai]

NO @ibudisteanu, BLS signature verification is slower than Schnorr's and even slower while verifying aggregated signature

[ibudisteanu]

@sarvalabs-sai I know this. My question was if BLS allows threshhold multisig without using a Merkle tree.

[sarvalabs-sai]

The curve suggests it will, not sure about this library implementation