> More closely than what?

More closely than MuSig.

In fact there's no need to distribute the hash at all if you have the first round, you can leave the Schnorr construction... thanks for the feedback. I literally can't think about this stuff without someone asking questions.

1. For those who asked, the construction from section 7.1 of this paper describes how to use Lagrange interpolation in a group context:
        http://crypto.stanford.edu/~dabo/papers/homprf.pdf

2. Using Shamir interpolation is cleaner than the additive multisig

3. Taking your comments into consideration, I think it's possible to remove the point multiplication instead of a hash and stick to Schnorr "as is", and still cut out all but one online round:

OK, so this is a new multisig variant of Schnorr with fewer rounds... I know this is possible, I just needed to have that back and forth... sorry:

For the sake of terminology and typing in ASCII, I'm using ^ to mean "point multiplication"

Each party:

1. Has a public g^x 
2. Computes and broadcasts g^k' ... where k' is a random number
3. Computes r = g^k using Lagrange interpolation (see http://crypto.stanford.edu/~dabo/papers/homprf.pdf)
4. Computes H(r || M), as per standard Schnorr
5. Computes s' = k' - xe, as per standard Schnorr... except k' is a "share"
6. Publish (s', e)

Verification:

With m of n share-signatures:

1. Use Lagrange interpolation on m of n s' shares to get s
2. Standard Schnorr verification

- Erik




On Mon, Jul 9, 2018 at 11:59 AM, Gregory Maxwell <greg@xiph.org> wrote:
On Mon, Jul 9, 2018 at 3:02 PM, Erik Aronesty via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
> with
> security assumptions that match the original Schnorr construction more
> closely,

More closely than what?
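
The signing and verification steps listed in the message above, worked through as an added example (not code from the thread or from any of its participants); it checks only that the algebra closes. It assumes each party's x is a Shamir share of one group key, a fixed set of m signers whose k' values define the nonce polynomial, and a constructed toy group (p = 2039, q = 1019, g = 4) far too small for real use; all function names are hypothetical.

```python
import hashlib, secrets

# Constructed toy Schnorr group: P = 2Q + 1, G has order Q. Not a secure size.
P, Q, G = 2039, 1019, 4

def lagrange_at_zero(i, ids):
    """Lagrange coefficient of index i over the signer set ids, evaluated at 0 (mod Q)."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def shamir_shares(secret, m, n):
    """Assumption: key shares come from a random degree m-1 polynomial over Z_Q."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(m - 1)]
    return {i: sum(c * pow(i, d, Q) for d, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def challenge(r, msg):
    """e = H(r || M), reduced mod Q."""
    h = hashlib.sha256(r.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(h, "big") % Q

def interpolate_in_exponent(points):
    """Combine the broadcast g^k'_i values into r = g^k; nobody learns k itself."""
    r = 1
    for i, gk in points.items():
        r = r * pow(gk, lagrange_at_zero(i, points.keys()), P) % P
    return r

def sign_and_combine(msg, x_shares, signers):
    """Run steps 2-6 for every signer, then interpolate the s' shares into s."""
    nonces = {i: secrets.randbelow(Q - 1) + 1 for i in signers}          # step 2: k'_i
    r = interpolate_in_exponent({i: pow(G, k, P) for i, k in nonces.items()})  # step 3
    e = challenge(r, msg)                                                # step 4
    s_shares = {i: (nonces[i] - x_shares[i] * e) % Q for i in signers}   # step 5: s'_i
    s = sum(lagrange_at_zero(i, signers) * si for i, si in s_shares.items()) % Q
    return s, e

def verify(pub, msg, s, e):
    """Standard Schnorr check for s = k - x*e: recompute r = g^s * y^e and re-hash."""
    return challenge(pow(G, s, P) * pow(pub, e, P) % P, msg) == e
```

Because s' and g^k' are interpolated with the same coefficients, the combined (s, e) passes the unmodified single-signer verification against g^x for any choice of m signers.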