The paper refers to either: a) building up threshold signatures via concatenation, or, implicitly - in Bitcoin - b) by indicating that M of N are valid, and requiring a validator to validate one of the permutations of M that signed - as opposed to a scheme, like a polynomial function, where the threshold is built into the system.

Maybe there's another mechanism in there that I'm not aware of - because it's just too simple to mention?

- Erik

On Thu, Sep 13, 2018 at 2:46 PM Andrew Poelstra wrote:

> On Tue, Sep 11, 2018 at 01:37:59PM -0400, Erik Aronesty via bitcoin-dev wrote:
> > - Musig, by being M of M, is inherently prone to loss.
>
> It has always been possible to create M-of-N threshold MuSig signatures for any
> M, N with 0 < M ≤ N. This is (a) obvious, (b) in our paper, (c) implemented at
>
> https://github.com/apoelstra/secp256k1/blob/2018-04-taproot/src/modules/musig/main_impl.h
>
> --
> Andrew Poelstra
> Research Director, Mathematics Department, Blockstream
> Email: apoelstra at wpsoftware.net
> Web: https://www.wpsoftware.net/andrew
>
> "Make it stop, my love; we were wrong to try
> Never saw what we could unravel in traveling light
> Nor how the trip debrides like a stack of slides
> All we saw was that time is taller than space is wide"
> --Joanna Newsom
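
The contrast drawn in the message above, as an added example (not code from the thread, the MuSig paper, or the linked repository): Shamir-style polynomial sharing over the secp256k1 group order, where any M of N shares reconstruct a secret, next to the list of M-member subsets that an enumeration approach has to cover. It shows secret reconstruction only, not a signing protocol, and the function names are illustrative.

```python
import itertools
import secrets

# Order of the secp256k1 group; all share arithmetic is done modulo Q.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split(secret, m, n):
    """Return n shares (x, f(x)) of a random degree m-1 polynomial with f(0) = secret."""
    if not 0 < m <= n:
        raise ValueError("need 0 < m <= n")
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(m - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation
            acc = (acc * x + c) % Q
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def recover(shares):
    """Lagrange-interpolate the shares at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * -xj % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def signer_subsets(m, n):
    """Every M-member subset of N participants: what an enumeration scheme must cover."""
    return list(itertools.combinations(range(1, n + 1), m))


if __name__ == "__main__":
    key = secrets.randbelow(Q)  # constructed sample secret
    shares = split(key, 3, 5)
    print(all(recover([shares[i - 1] for i in s]) == key for s in signer_subsets(3, 5)))
    print(len(signer_subsets(3, 5)), "subsets for 3-of-5")
```

With the polynomial, the threshold is a property of the shares themselves; with enumeration, the number of subsets grows as the binomial coefficient C(N, M).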