Open earonesty opened 4 years ago
It's vulnerable since adversaries can choose their m_i freely.
Yeah, looks like anything without a precommitment round to the nonce is insecure. This is why I worry about Schnorr in general. Pairing-based sigs just seem harder to screw up and still be valid. (Hash message into curve ** secret)
It seems like this solution isn't vulnerable to k-sums:
https://crypto.stackexchange.com/questions/75920/non-interactive-threshold-signature-without-bilinear-pairing-is-it-possible
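As an added example (not code from this thread or the linked answer), here is a toy multi-party Schnorr aggregate signature with the nonce precommitment round the comment above refers to: each signer must commit to a hash of its nonce point before anyone reveals theirs, so no party can choose its nonce (or its message) as a function of the honest nonces. The group parameters, party secrets and message are constructed for illustration and are far too small for real use.

```python
import hashlib

# Toy Schnorr group (constructed for illustration, far too small for real use):
# p = 2q + 1 is a safe prime and G = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """Hash arbitrary parts to a scalar mod Q (domain tag goes first)."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def commit_round(nonces):
    """Round 1: each signer publishes only H(R_i) for its nonce point R_i = G^r_i.
    Nobody learns another signer's R_i before fixing their own."""
    points = [pow(G, r, P) for r in nonces]
    return points, [H("commit", R) for R in points]

def reveal_round(revealed, commitments):
    """Round 2: accept the revealed R_i only if they match the round-1 commitments,
    then combine them into the session nonce R."""
    if any(H("commit", R) != t for R, t in zip(revealed, commitments)):
        raise ValueError("nonce reveal does not match commitment; abort signing")
    R = 1
    for Ri in revealed:
        R = R * Ri % P
    return R

def aggregate_sign(secrets, nonces, msg, revealed_override=None):
    """Full session for n signers. `revealed_override` lets a caller simulate a
    party that reveals a nonce point other than the one it committed to."""
    pubs = [pow(G, x, P) for x in secrets]
    X = 1
    for Xi in pubs:
        X = X * Xi % P  # plain key aggregation; rogue-key protection is out of scope here
    points, commitments = commit_round(nonces)
    R = reveal_round(revealed_override or points, commitments)
    c = H("sig", R, X, msg)  # challenge is fixed only after every nonce is committed
    s = sum((r + c * x) % Q for r, x in zip(nonces, secrets)) % Q
    return X, (R, s)

def verify(X, sig, msg):
    """Standard Schnorr check against the aggregate key: G^s == R * X^c."""
    R, s = sig
    c = H("sig", R, X, msg)
    return pow(G, s, P) == R * pow(X, c, P) % P
```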