lovesh / signature-schemes

Rust library for BLS signatures, MuSig, PS signatures
Apache License 2.0
66 stars 20 forks

Original musig is not secure #2

Closed manudrijvers closed 5 years ago

manudrijvers commented 5 years ago

Hi Lovesh,

I noticed that you added musig to the implementation, cool! The 2-round version you implemented (which I presume you took from https://eprint.iacr.org/2018/068/20180118:124757) is unfortunately insecure (see https://eprint.iacr.org/2018/417). A fixed 3-round version was presented independently by https://eprint.iacr.org/2018/483 and in an update to the original musig paper https://eprint.iacr.org/2018/068/20180520:191909.

burdges commented 5 years ago

It's actually worse since some developers will misuse the interface provided here, especially by using non-secret nonces thinking they'll save messages.

We implemented the three round version in https://github.com/w3f/schnorrkel/blob/master/src/musig.rs using session types to prevent users from serializing the protocol state.
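As an added illustration of the 3-round structure from the first comment and of the secret-nonce point raised above (a toy Python sketch written for this page, not code from this repository or from schnorrkel), each signer commits to a hash of its nonce point in round 1, reveals the point only in round 2, and in round 3 refuses to produce a partial signature unless every revealed nonce matches its commitment. It assumes a tiny multiplicative Schnorr group (p = 23, q = 11, g = 4) and SHA-256 hashing, both constructed for illustration only; the aggregation coefficients a_i = H(L, X_i) and challenge c = H(X, R, m) follow the MuSig shape.

```python
import hashlib, math, secrets

# Toy Schnorr group, constructed for illustration only (far too small for real
# use): p = 23 = 2q + 1, q = 11, and g = 4 generates the order-11 subgroup.
P, Q, G = 23, 11, 4

def h(tag, *parts):
    """Domain-separated hash to a scalar mod Q (key aggregation, challenge)."""
    data = tag.encode() + b"".join(str(x).encode() + b"|" for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def commit(R):
    """Round-1 commitment to a nonce point: full digest, not reduced mod Q."""
    return hashlib.sha256(b"com|" + str(R).encode()).hexdigest()

def key_agg(pubkeys):
    """MuSig key aggregation: X = prod X_i^{a_i} with a_i = H(L, X_i)."""
    L = sorted(pubkeys)
    coeffs = [h("agg", L, Xi) for Xi in pubkeys]
    return math.prod(pow(Xi, a, P) for a, Xi in zip(coeffs, pubkeys)) % P, coeffs

class Signer:
    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1
        self.X = pow(G, self.x, P)
    def round1(self):  # commit to a fresh secret nonce before seeing anyone else's
        self.r = secrets.randbelow(Q - 1) + 1
        self.R = pow(G, self.r, P)
        return commit(self.R)
    def round2(self):  # only now reveal the nonce point itself
        return self.R
    def round3(self, commits, nonces, pubkeys, msg):
        # Abort unless every revealed nonce matches its round-1 commitment.
        if any(commit(R) != t for t, R in zip(commits, nonces)):
            raise ValueError("revealed nonce does not match commitment")
        R = math.prod(nonces) % P
        X, coeffs = key_agg(pubkeys)
        c = h("sig", X, R, msg)
        return R, (self.r + c * coeffs[pubkeys.index(self.X)] * self.x) % Q

def musig_sign(signers, msg):
    """Run all three rounds and sum the partial signatures."""
    pubkeys = [s.X for s in signers]
    commits = [s.round1() for s in signers]
    nonces = [s.round2() for s in signers]
    parts = [s.round3(commits, nonces, pubkeys, msg) for s in signers]
    return parts[0][0], sum(s for _, s in parts) % Q

def verify(X, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(X, h("sig", X, R, msg), P) % P
```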

lovesh commented 5 years ago

@manudrijvers Changed MuSig to 3-round.