Non-interactive threshold schnorr sig

[earonesty]

It seems like this solution isn't vulnerable to k-sums:

https://crypto.stackexchange.com/questions/75920/non-interactive-threshold-signature-without-bilinear-pairing-is-it-possible

[burdges]

It's vulnerable since adversaries can choose their m_i freely.

[earonesty]

Yea, looks like anything without a precommitment round to the nonce is insecure. This is why I worry about schnorr in general. pairing based sigs just seem harder to screw up and still be valid. (hash message into curve ** secret)