From 9c1670f3456ef7b6fee20eca19ba922d9a1967fa Mon Sep 17 00:00:00 2001 From: Pieter Wuille Date: Fri, 25 Oct 2019 10:18:29 -0700 Subject: [PATCH] Update bip-schnorr.mediawiki Co-Authored-By: Tim Ruffing --- bip-schnorr.mediawiki | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bip-schnorr.mediawiki b/bip-schnorr.mediawiki index f8d0f47d..6830ec7f 100644 --- a/bip-schnorr.mediawiki +++ b/bip-schnorr.mediawiki @@ -155,7 +155,8 @@ It should be noted that various alternative signing algorithms can be used to pr '''Nonce exfiltration protection''' It is possible to strengthen the nonce generation algorithm using a second device. In this case, the second device contributes randomness which the actual signer provably incorporates into its nonce. This prevents certain attacks where the signer device is compromised and intentionally tries to leak the private key through its nonce selection. -'''Multisignatures''' This signature scheme is compatible with various types of multisignature and threshold schemes, where a single public key requires holders of multiple private keys to participate in signing. One example is [https://eprint.iacr.org/2018/068 MuSig], which provides a way to aggregate multiple public keys into a single one, which all of the corresponding private keys need to sign for. It is important to note that multisignature signing schemes in general ''cannot'' be used with the nonce generation from the default signing algorithm above (or any deterministic nonce algorithm). +'''Multisignatures''' This signature scheme is compatible with various types of multisignature and threshold schemes such as [https://eprint.iacr.org/2018/068 MuSig], where a single public key requires holders of multiple private keys to participate in signing (see Applications below). +'''It is important to note that multisignature signing schemes in general are insecure with the nonce generation from the default signing algorithm above (or any deterministic nonce algorithm).''' ==== Verification ====