Shared K in multisig?

[trisel]

Now in each signature we have to specify r and s explicitly. What about choosing some "shared K value" and calculate it as kValueA*kValueB*...*kValueZ*basePoint? In this way all parties can agree on the same r and safely exchange partial s values defined as "(z+r*privKeyA)/kValueA", "(z+r*privKeyB)/kValueB", etc. Then, everyone have to divide received value by its chosen part of K and in result everyone can receive sA="(z+r*privKeyA)/(kValueA*kValueB*...*kValueZ)", sB="(z+r*privKeyB)/(kValueA*kValueB*...*kValueZ)", ..., sZ and include it in the final transaction.

[1715464549]

1715464549

[1715464549]

1715464549

[1715464549]

1715464549

[1715464549]

1715464549

[dmitrygerasimov]

Thats a bad idea, would compromise security

[ewaspiro]

Thats a bad idea, would compromise security

can you tell more?

[athanred]

everyone have to divide received value by its chosen part of K

This is insecure, because when you know some number and you know number/K, then you can calculate someone else's K.

But even if all parties could agree on some K and create such signatures, it is still not enough, because you can still calculate someone else's private key.

sA=(z+r*privKeyA)/(kValueA*kValueB)
sB=(z+r*privKeyB)/(kValueA*kValueB)
sA/sB=(z+r*privKeyA)/(z+r*privKeyB)
privKeyA=(sA/sB-z)/r
privKeyB=(sB/sA-z)/r

Everyone knows sA, sB, z and r, so everyone can calculate anyone private key if you use the same K in both signatures.

[dmitrygerasimov]

Thats a bad idea, would compromise security

can you tell more?

mathematically developed functions can calculate and backward engineer a multisig with same K to steal funds without multisig as you would be able to recover the private key from the others in the multisig wallet.