Why would you call it FUD? All the weird hemming and hawing about it is really strange to me. The more I look into it and speak to professors about it, the more it seems "so trivial nobody really talks about it".

1. Generate an M of N shared public key (done in advance of signing .... this gets you the bitcoin address)
2. Generate signature fragments (this can be done offline, with no communication between participants)

Detailed explanation with code snippets:

https://medium.com/@simulx/an-m-of-n-bitcoin-multisig-scheme-e7860ab34e7f



On Sun, Sep 2, 2018 at 8:05 PM Andrew Poelstra <apoelstra@wpsoftware.net> wrote:
On Wed, Aug 29, 2018 at 08:09:36AM -0400, Erik Aronesty wrote:
> Note:
>
> This spec cannot be used directly with a Shamir scheme to produce
> single-round threshold multisigs, because shares of point R would need to
> be broadcast to share participants in order to produce valid single
> signatures.
>
> (R, s) schemes can still be used "online", if share participants publish
> the R(share).... but, not sure if it matters much, this choice eliminates
> offline multiparty signing in exchange for batch validation.
>

Please stop with this FUD. No tradeoff was made. There are no non-interactive
Schnorr signatures.


Andrew


--
Andrew Poelstra
Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

"A goose alone, I suppose, can know the loneliness of geese
 who can never find their peace,
 whether north or south or west or east"
       --Joanna Newsom
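
Added example, not code from either poster or from the linked article: a 2-of-3 Shamir-shared Schnorr signature on secp256k1, showing the point in the quoted note that a signature fragment can only be computed once the aggregate R is known. The key, polynomial coefficient, nonces and message are constructed toy values, and nonces are summed additively for brevity; this shows the data dependency only and is not a safe signing protocol.

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime (the curve Bitcoin uses)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    out = None
    while k:
        if k & 1: out = add(out, pt)
        pt, k = add(pt, pt), k >> 1
    return out

def challenge(R, X, msg):  # e = H(R || X || m): bound to the aggregate R
    data = b"".join(v.to_bytes(32, "big") for v in (*R, *X)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def lagrange(i, ids):  # Lagrange coefficient at 0 for share i within signer set ids
    num = den = 1
    for j in ids:
        if j != i: num, den = num * -j % N, den * (i - j) % N
    return num * pow(den, -1, N) % N

def partial_sig(i, ids, x_i, k_i, R, X, msg):  # s_i = k_i + e * lambda_i * x_i
    return (k_i + challenge(R, X, msg) * lagrange(i, ids) * x_i) % N

def verify(R, s, X, msg):  # Schnorr check: s*G == R + e*X
    return mul(s, G) == add(R, mul(challenge(R, X, msg), X))

def demo(msg=b"constructed message"):
    x, a1, ids = 0x1234567890ABCDEF, 0xCAFE, (1, 3)  # constructed key; signers 1 and 3
    X = mul(x, G)
    xs = {i: (x + a1 * i) % N for i in (1, 2, 3)}    # Shamir shares f(i) = x + a1*i
    ks = {1: 0x1111, 3: 0x3333}                      # constructed toy nonces
    Rs = {i: mul(ks[i], G) for i in ids}
    R = add(Rs[1], Rs[3])                            # needs every signer's R_i first
    sign = lambda i, Rv: partial_sig(i, ids, xs[i], ks[i], Rv, X, msg)
    s = sum(sign(i, R) for i in ids) % N             # fragments made after exchanging R_i
    s_off = sum(sign(i, Rs[i]) for i in ids) % N     # fragments made with own R_i only
    return verify(R, s, X, msg), verify(R, s_off, X, msg)
```

`demo()` returns `(True, False)`: the fragments built after the R_i exchange combine into a valid signature, while fragments hashed over each signer's own R_i do not.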