The paper refers to either:

  a) building up threshold signatures via concatenation, or. implicitly - in Bitcoin -
  b) by indicating that of M of N are valid, and requiring a validator to validate one of the permutations of M that signed - as opposed to a scheme, like a polynomial function, where the threshold is built in to the system.

Maybe there's another mechanism in there that I'm not aware of - because it's just too simple to mention?

- Erik






On Thu, Sep 13, 2018 at 2:46 PM Andrew Poelstra <apoelstra@wpsoftware.net> wrote:
On Tue, Sep 11, 2018 at 01:37:59PM -0400, Erik Aronesty via bitcoin-dev wrote:
> - Musig, by being M of M, is inherently prone to loss.
>

It has always been possible to create M-of-N threshold MuSig signatures for any
M, N with 0 < M ≤ N. This is (a) obvious, (b) in our paper, (c) implemented at

https://github.com/apoelstra/secp256k1/blob/2018-04-taproot/src/modules/musig/main_impl.h

--
Andrew Poelstra
Research Director, Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

"Make it stop, my love; we were wrong to try
 Never saw what we could unravel in traveling light
 Nor how the trip debrides like a stack of slides
 All we saw was that time is taller than space is wide"
       --Joanna Newsom