- MuSig, by being M of M, is inherently prone to loss.

- Having the senders of the G*x pubkey shares sign their messages with the associated private key share should be sufficient to prevent them from using Wagner's algorithm to attack the combined key. Likewise, the G*k nonce fragments should also be signed with the pubkey shares.



On Tue, Sep 11, 2018 at 1:27 PM Gregory Maxwell <greg@xiph.org> wrote:
On Tue, Sep 11, 2018 at 5:20 PM Erik Aronesty <erik@q32.com> wrote:
> The security advantages of a redistributable threshold system are huge. If a system isn't redistributable, then a single lost or compromised key results in lost coins... meaning the system is essentially unusable.
>
> I'm actually worried that Bitcoin releases a multisig that encourages loss.

There is no "non-redistributable multisig" proposed for Bitcoin
anywhere that I am aware of.