August 22, 2020, 05:00:30 AM
Your question isn't quite clear enough for me.
For N of N, no interaction for key creation is needed. The keys have to be delinearized to prevent rogue-key attacks, but MuSig just multiplies each key with a value computed from the hash of all the keys.
For N of M, interaction and storage are fundamentally required, not just for Schnorr but for other efficient threshold signatures too, efficient being a key word.
But taproot has other ways of doing N of M: You can do a checkmultisig-like checksig-add, or you can make a tree of all the N-of-N subsets and get a script that scales linearly with the participant count. Like for a 2 of 3 with keys A, B, C... the valid possibilities are A&&B, B&&C, and C&&A.
You can even make the taproot root key one of these N of Ns, e.g. if one is most likely to get used. So essentially the size of the signature scales with the log of the probability that a given choice will be made. It's not quite as efficient but it avoids interaction and storage.
In many applications there is some sufficient N of N that is much more likely to be used than others, so in practice the efficiency gap may not be large. For example, if you have a 2 of 3 with you, an offline key of yours, and some 2FA service, then you normally expect the 2-of-2 involving you and the 2FA to be signing 99.99% of the time.
Unrelated to efficiency/storage-durability there is another big reason that many applications may not want to use efficient threshold signatures: They're unaccountable. If an unauthorized payment is made there is no way to prove which keys were involved.
The above alternatives to native thresholds are all inherently accountable.
A couple of years back I proposed an alternative construction that I called polysig, which is not supported in taproot today but could be added in a leaf version later. It had size that was linear in the number of non-participating signers, was relatively private (observers only learn the number of missing keys, not the total number of keys), and was completely accountable. But given that taproot can efficiently do "a specific N of N" or "something else", there wasn't a lot of interest in going forward with completing the polysig work (e.g. formally proving its security).
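The two constructions discussed in the post above, as an added worked example that is not part of the original post: a toy, pure-Python model (no secp256k1 library needed) of MuSig-style key aggregation with delinearization next to the plain key sum it replaces, including the rogue-key attack that only the plain sum allows, and of N-of-M built as a tree of N-of-N subsets where the most likely subset becomes the internal (key-path) key and the rest go into a Huffman tree weighted by how likely they are to sign, so that a subset's path length is about log2(1/probability). The coefficient hash is a simplification of real MuSig, the tree is a generic Huffman tree rather than the exact BIP-341 tagged-hash layout, the witness-size figures are approximate, and all keys and weights are constructed toy values.

```python
# Added example, not part of the original post. Toy model of (1) delinearized
# MuSig-style key aggregation vs. a plain key sum, and (2) N-of-M as a tree of
# N-of-N subset keys with a probability-weighted (Huffman) layout.
# Simplifications: the coefficient hash is not real MuSig; the tree is a
# generic Huffman tree, not the exact BIP-341 construction; witness sizes are
# rough; keys and weights are constructed toy values.
import hashlib
import heapq
import itertools

# secp256k1 curve parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def point_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def hash_to_scalar(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N


def plain_sum(pubkeys):
    """Naive aggregation P = sum P_i: open to rogue-key attacks."""
    acc = None
    for pk in pubkeys:
        acc = point_add(acc, pk)
    return acc


def musig_coefficients(pubkeys):
    """a_i = H(L || P_i), where L commits to all keys (sorted, so order-independent)."""
    L = b"".join(encode(pk) for pk in sorted(pubkeys))
    return {pk: hash_to_scalar(L, encode(pk)) for pk in pubkeys}


def musig_aggregate(pubkeys):
    """Delinearized aggregation P_agg = sum a_i * P_i."""
    coef = musig_coefficients(pubkeys)
    acc = None
    for pk in pubkeys:
        acc = point_add(acc, point_mul(coef[pk], pk))
    return acc


def rogue_key_demo(honest_sk, attacker_sk):
    """Attacker publishes P_rogue = P_att - P_honest. The plain sum then equals
    P_att, whose secret only the attacker knows; with delinearization the
    aggregate no longer lands on P_att. Returns (plain_broken, musig_broken)."""
    honest_pk = point_mul(honest_sk, G)
    att_pk = point_mul(attacker_sk, G)
    rogue_pk = point_add(att_pk, point_neg(honest_pk))
    return (plain_sum([honest_pk, rogue_pk]) == att_pk,
            musig_aggregate([honest_pk, rogue_pk]) == att_pk)


def nofm_layout(pubkeys, n, weights):
    """Every N-subset of M keys becomes one aggregated key. The heaviest subset
    is the internal key (depth 0, key-path spend); the others form a Huffman
    tree, so a subset with relative weight p sits about log2(1/p) deep.
    Returns ({subset: (agg_key, depth)}, internal_subset)."""
    subsets = list(itertools.combinations(range(len(pubkeys)), n))
    agg = {s: musig_aggregate([pubkeys[i] for i in s]) for s in subsets}
    internal = max(subsets, key=lambda s: weights.get(s, 0))
    depth = {s: 0 for s in subsets}
    heap = [(weights.get(s, 0), i, [s]) for i, s in enumerate(subsets) if s != internal]
    heapq.heapify(heap)
    counter = len(subsets)  # unique tie-breaker for merged nodes
    while len(heap) > 1:
        w1, _, g1 = heapq.heappop(heap)
        w2, _, g2 = heapq.heappop(heap)
        for s in g1 + g2:
            depth[s] += 1
        heapq.heappush(heap, (w1 + w2, counter, g1 + g2))
        counter += 1
    return {s: (agg[s], depth[s]) for s in subsets}, internal


def witness_bytes(depth):
    """Rough BIP-341 witness size: key path is one 64-byte signature; script path
    adds a 34-byte <key> OP_CHECKSIG leaf and a (33 + 32*depth)-byte control block."""
    return 64 if depth == 0 else 64 + 34 + 33 + 32 * depth


if __name__ == "__main__":
    # Constructed keys: you, your offline key, a 2FA service (toy secrets).
    sks = [11, 22, 33]
    pks = [point_mul(sk, G) for sk in sks]
    # 2-of-3 where you + 2FA sign ~99.99% of the time, as in the post's scenario.
    layout, internal = nofm_layout(pks, 2, {(0, 2): 9998, (0, 1): 1, (1, 2): 1})
    for s, (_, d) in sorted(layout.items()):
        print(f"subset {s}: depth {d}, ~{witness_bytes(d)} witness bytes"
              + ("  (internal key)" if s == internal else ""))
    print("rogue key works against plain sum / MuSig:", rogue_key_demo(5, 7))
```

Running it shows the you+2FA subset spending via the key path with a single 64-byte signature while the two fallback subsets each need a one-level script path; with more keys and more skewed weights the depths spread out, which is the "log of the probability" behaviour described above. The rogue-key demo returns (True, False): the plain sum is captured by the attacker's chosen key, the delinearized aggregate is not.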