That's a great point. It's been solved in MuSig, and that doesn't change the m-of-n multisig construction. You use the same MuSig construction where you hash all keys and sum the multiples... and use that when computing k... the shared blinding factor... you're still improving the system... getting a nice Shamir m-of-n multisig... with a single signature... and all the same properties otherwise.

On Thu, Jul 19, 2018, 9:11 AM Russell O'Connor wrote:

> On Thu, Jul 19, 2018 at 8:16 AM, Erik Aronesty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> you can't birthday attack something where there's only a single variable that you can modify.
>
> When engaging in a multiparty signature, the attacker can have more than one variable to modify. When you are party to a multi-party signature (for example, in some sort of coin-join protocol) it could be that every other participant in the multi-party signature is, in fact, the same single attacker representing themselves as multiple participants. This is how the attacker gets their hands on multiple variables.
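The key-aggregation step the reply refers to, as an added example that is not part of this thread: in a toy Schnorr group (constructed here, far too small for real use) the naive product of public keys can be steered by a party who supplies the "other participants'" keys, while MuSig's hashed coefficients a_i = H(L, X_i) remove that control for the same choice of key, and the aggregated secret sum(a_i * x_i) still matches the aggregated public key for honest signers. The group parameters, secret values and function names are my own assumptions.

```python
import hashlib

# Toy Schnorr group (constructed for illustration only): p = 2q + 1 with q prime,
# g = 4 generates the order-q subgroup of Z_p^*. Multiplication mod p plays the
# role of point addition, exponentiation the role of scalar multiplication.
P, Q, G = 2039, 1019, 4

def keygen(x):
    """Secret scalar x mod q and public key X = g^x mod p."""
    return x % Q, pow(G, x, P)

def naive_aggregate(pubkeys):
    """Plain product of keys (the analogue of summing points with no coefficients)."""
    agg = 1
    for X in pubkeys:
        agg = agg * X % P
    return agg

def musig_coeffs(pubkeys):
    """MuSig coefficients a_i = H(L, X_i), where L commits to the whole key set."""
    L = hashlib.sha256(b"".join(X.to_bytes(2, "big") for X in sorted(pubkeys))).digest()
    return [int.from_bytes(hashlib.sha256(L + X.to_bytes(2, "big")).digest(), "big") % Q
            for X in pubkeys]

def musig_aggregate(pubkeys):
    """Aggregated key prod X_i^{a_i}; its secret is sum(a_i * x_i) mod q."""
    agg = 1
    for X, a in zip(pubkeys, musig_coeffs(pubkeys)):
        agg = agg * pow(X, a, P) % P
    return agg

def rogue_key_check():
    """A second 'participant' picks X2 = X_target / X1 after seeing X1.
    Returns (naive aggregate steered to X_target?, MuSig aggregate steered?)."""
    _, X1 = keygen(123)
    _, X_target = keygen(777)
    X2 = X_target * pow(X1, -1, P) % P   # chosen without knowing its discrete log
    return naive_aggregate([X1, X2]) == X_target, musig_aggregate([X1, X2]) == X_target

def honest_check():
    """Two honest signers: g^(a1*x1 + a2*x2) equals the MuSig aggregate key."""
    x1, X1 = keygen(123)
    x2, X2 = keygen(456)
    a1, a2 = musig_coeffs([X1, X2])
    return pow(G, (a1 * x1 + a2 * x2) % Q, P) == musig_aggregate([X1, X2])
```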