> More closely than what?

More closely than musig.
In fact there's no need to distribute the hash at all if you have the first round, you can leave the schnorr construction... thanks for the feedback. I literally can't think about this stuff without someone asking questions.
1. For those who asked, the construction from section 7.1 of this paper describes how to use lagrange interpolation in a group context:
2. Using shamir interpolation is cleaner than the additive multisig
3. Taking your comments into consideration, I think it's possible to remove the point multiplication instead of a hash and stick to Schnorr "as is", and still cut out all but one online round:
OK, so this is a new Multisig variant of schnorr with fewer rounds... I know this is possible, I just needed to have that back and forth... sorry:
For sake of terminology and typing in ascii, I'm using ^ to mean "point multiplication"
Each party:
1. Has a public g^x
2. Computes and broadcasts g^k' ... where k' is a random number
4. Computes H(r || M), as per standard schnorr
5. Computes s' = k' - xe, as per standard schnorr .. except k' is a "share"
6. Publish (s', e)
Verification:
With m of n share-signatures:
1. Use lagrange interpolation on m of n s' shares to get s
2. Standard schnorr verification
- Erik
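
The share-and-interpolate flow in the message above, as an added example that is not part of the original post or of any project's code. Assumptions: a toy group (`P`, `Q`, `G`, far too small for real use), a trusted dealer that Shamir-shares both `x` and the nonce `k`, and that the step missing from the list derives `r` by interpolating the broadcast g^k' values in the exponent; all function names are hypothetical.

```python
import hashlib, secrets

# Toy Schnorr group (constructed, far too small for real use):
# P = 2Q + 1, and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def shamir_shares(secret, m, n):
    """Assumed trusted dealer: degree m-1 polynomial, shares at 1..n."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(m - 1)]
    return {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(i, ids):
    """Lagrange coefficient of party i over the signer set ids, mod Q."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * -j % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def challenge(r, msg):
    """e = H(r || M), kept at full hash width."""
    return int.from_bytes(hashlib.sha256(r.to_bytes(2, "big") + msg).digest(), "big")

def combine_nonce(pub_nonces):
    """Assumed missing step: interpolate the g^k' values in the exponent."""
    r = 1
    for i, R_i in pub_nonces.items():
        r = r * pow(R_i, lagrange_at_zero(i, pub_nonces), P) % P
    return r

def partial_sign(x_i, k_i, e):
    return (k_i - x_i * e) % Q               # s' = k' - xe

def combine(partials):
    return sum(s_i * lagrange_at_zero(i, partials) for i, s_i in partials.items()) % Q

def verify(y, msg, s, e):
    r_v = pow(G, s, P) * pow(y, e, P) % P    # g^s * y^e = g^k when s = k - xe
    return challenge(r_v, msg) == e

def demo(m=3, n=5, signers=(1, 3, 4), msg=b"constructed message"):
    x, k = secrets.randbelow(Q), secrets.randbelow(Q)
    xs, ks = shamir_shares(x, m, n), shamir_shares(k, m, n)
    r = combine_nonce({i: pow(G, ks[i], P) for i in signers})
    e = challenge(r, msg)
    s = combine({i: partial_sign(xs[i], ks[i], e) for i in signers})
    return pow(G, x, P), s, e
```

The interpolation works because s' is linear in the shares: with Lagrange coefficients λ_i, the sum of λ_i (k_i - x_i e) equals k - xe, which is an ordinary Schnorr signature under g^x.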