Multi party Schnorr Rust implementation
Omer Shlomovits wrote:
Hello all, I have been working for the past few months with collaborators (in cc) on providing Rust reference implementations to existing multi party schemes for Schnorr signatures [1]. This includes aggregated signatures, accountable signatures (which for n out of n are multi-signatures) and threshold signatures (wip).
The project can be found here:
https://github.com/KZen-networks/multi-party-schnorr
We aim that if the protocol is run in a configuration of a single party it will be bip-schnorr [2] compliant. Hope you’ll find it useful :)
Questions, suggestions and pull requests are welcome!
According to Devrandom, interactive signatures are not ideal for air-gapped use cases, so candidates for non-interactive signatures will be more suitable for Omer’s proposal.
However, Anthony Towns suggested a way around the issue by ‘batching’ signing requests. For interactive multisignatures, the protocol is:
1. Each signer produces a secret nonce r and calculates the public nonce R = r*G.
2. Everyone shares H(R).
3. Everyone shares R and checks that the received values match the received hashes.
4. Everyone calculates s = r + H(R',P',m) * p and shares s.
The process is slightly different for deterministic nonces: r is generated based on the messages being signed and the private keys. Also, one does not require deterministic keys in this case, but the same nonce should not be used with a different message. This method will produce a similar result to interactivity.
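The four interactive steps above, simulated for all signers in one process, as an added example (not code from the multi-party-schnorr project or from the mailing-list thread). It assumes R' and P' are plain sums of the signers' nonces and keys, uses secp256k1 with a constructed hash encoding that is not bip-schnorr compliant, and the `swap_after_commit` switch is hypothetical, there to show the step 3 check rejecting a nonce that changed after its hash was shared.

```python
import hashlib, secrets

# secp256k1 domain parameters (public constants); affine arithmetic, not constant-time
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Point addition; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] ** 2 * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P))
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt=G):  # scalar multiplication k*pt by double-and-add
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def H(*parts):
    """SHA-256 to a scalar; the repr() encoding is a constructed choice."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N

def sign_session(privs, msg, swap_after_commit=None):
    """Run the four steps for every signer; returns (R', s, P')."""
    r = [secrets.randbelow(N - 1) + 1 for _ in privs]   # step 1: secret nonce r
    R = [mul(ri) for ri in r]                           #         public nonce R = r*G
    commits = [H(Ri) for Ri in R]                       # step 2: everyone shares H(R)
    if swap_after_commit is not None:                   # constructed fault: R changed after commit
        R[swap_after_commit] = mul(secrets.randbelow(N - 1) + 1)
    if any(H(Ri) != c for Ri, c in zip(R, commits)):    # step 3: reveal R, check hashes
        raise ValueError("revealed nonce does not match its commitment")
    Rsum = Psum = None                                  # assumption: R', P' are plain sums
    for Ri, p in zip(R, privs):
        Rsum, Psum = add(Rsum, Ri), add(Psum, mul(p))
    e = H(Rsum, Psum, msg)
    s = sum(ri + e * p for ri, p in zip(r, privs)) % N  # step 4: s_i = r_i + e*p_i, summed
    return Rsum, s, Psum

def verify(Rsum, s, Psum, msg):  # checks s*G == R' + H(R',P',m)*P'
    return mul(s) == add(Rsum, mul(H(Rsum, Psum, msg), Psum))
```

Each nonce is drawn fresh per session, which is the property the note on nonce reuse depends on: the same r must never be used with a different message.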
More on the project can be found on Github on pages one and two.