Re: [Cfrg] Adoption of threshold drafts by RG

Jeff Burdges <> Wed, 30 September 2020 14:51 UTC

To: Ian Goldberg <>, IRTF CFRG <>


It’s quite simple and basically free to delinearize the witnesses/nonces in a Schnorr multi-signature. 

I implemented witnesses delinearization in schnorrkel’s musig way back in early January after discussing it with numerous people in Fall 2019.  We’re not actually using witnesses delinearization in production right now, but only because our wallet folks move slowly. 

It works for threshold signatures too of course, so it appears FROST adopted roughly the same trick of delinearizing the witnesses in their recent version.  If thresholds confuse matters then you should consider the simpler case of musig plus witnesses delinearization first.

If you want a multi-signer Schnorr protocol then you'll need either some form of witnesses delinearization or else some fancy determinism solution like MuSig-DN.
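
The following is an added example, not part of the original message and not schnorrkel's or FROST's code: a sketch of nonce delinearization using the two-nonce, binding-factor construction described in the FROST paper, applied to a plain n-of-n multi-signature. The toy group, the hash-to-scalar function and all names are assumptions, and key aggregation is a plain product with no rogue-key protection.

```python
import hashlib
import secrets

# Toy Schnorr group (assumed, far too small for real use): P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def h(*parts):
    """Hash arbitrary values to a scalar mod Q (hypothetical encoding)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def commit():
    """Round 1: a signer picks two nonces (d, e) and publishes (g^d, g^e)."""
    d, e = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)
    return (d, e), (pow(G, d, P), pow(G, e, P))

def group_nonce(msg, commitments):
    """Delinearize: R = prod(D_i * E_i^rho_i), with rho_i bound to the
    signer index, the message and every signer's commitments."""
    rhos = [h("rho", i, msg, commitments) for i in range(len(commitments))]
    R = 1
    for (D, E), rho in zip(commitments, rhos):
        R = R * D * pow(E, rho, P) % P
    return R, rhos

def sign(secret_keys, msg):
    """Run both rounds for all signers; return the group key and (R, z)."""
    X = 1
    for x in secret_keys:
        X = X * pow(G, x, P) % P  # plain product key, no key-side delinearization
    nonces, commitments = zip(*(commit() for _ in secret_keys))
    R, rhos = group_nonce(msg, commitments)
    c = h("chal", R, X, msg)
    # Round 2: each signer's share is d_i + rho_i*e_i + c*x_i; shares are summed.
    z = sum(d + rho * e + c * x
            for (d, e), rho, x in zip(nonces, rhos, secret_keys)) % Q
    return X, (R, z)

def verify(X, msg, sig):
    """Ordinary Schnorr check: g^z == R * X^c."""
    R, z = sig
    return pow(G, z, P) == R * pow(X, h("chal", R, X, msg), P) % P
```

Because each signer's effective nonce depends on a hash over the message and all commitments, a party cannot choose the message or its own commitment after seeing the others' in a way that keeps the group nonce a fixed linear combination across concurrent sessions.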