- MuSig, by being M of M, is inherently prone to loss.

- Having the senders of the G*x pubkey shares sign their messages with the
  associated private key share should be sufficient to prevent them from using
  Wagner's algorithm to attack the combined key. Likewise, the G*k nonce
  fragments should also be signed with the pubkey shares.

On Tue, Sep 11, 2018 at 1:27 PM Gregory Maxwell wrote:

> On Tue, Sep 11, 2018 at 5:20 PM Erik Aronesty wrote:
> > The security advantages of a redistributable threshold system are huge.
> > If a system isn't redistributable, then a single lost or compromised key
> > results in lost coins... meaning the system is essentially unusable.
> >
> > I'm actually worried that Bitcoin releases a multisig that encourages
> > loss.
>
> There is no "non-redistributable multisig" proposed for Bitcoin
> anywhere that I am aware of.
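As an added illustration, not code from this thread or from any MuSig implementation, the following Python sketch shows the proof-of-possession check proposed in the message above: each G*x key share arrives with a Schnorr signature made under its own secret, and the aggregator refuses to combine any share that lacks a valid one, which is what stops a participant from submitting a share it cannot know the discrete log of. It assumes a constructed toy group (Z_p^* with p = 2^127 - 1 and generator 3) in place of secp256k1, and all function names are my own.

```python
import hashlib
import secrets

# Constructed toy group for illustration only: Z_p^* with the Mersenne
# prime p = 2^127 - 1, exponents reduced mod p - 1. A real deployment
# would use secp256k1; only the shape of the check matters here.
P = (1 << 127) - 1
N = P - 1
G = 3


def challenge(*parts: int) -> int:
    """Fiat-Shamir challenge binding the nonce R to the key share X."""
    data = b"".join(v.to_bytes(16, "big") for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)


def prove_possession(x: int, X: int):
    """Schnorr signature on the share X itself, made with its secret x."""
    k = secrets.randbelow(N - 1) + 1
    R = pow(G, k, P)
    s = (k + challenge(R, X) * x) % N
    return R, s


def verify_possession(X: int, pop) -> bool:
    R, s = pop
    return pow(G, s, P) == R * pow(X, challenge(R, X), P) % P


def aggregate(shares):
    """Combine shares (multiplication here is key addition on a curve),
    refusing any share whose sender has not proven it knows the secret."""
    agg = 1
    for X, pop in shares:
        if not verify_possession(X, pop):
            raise ValueError(f"share {X:#x} rejected: bad proof of possession")
        agg = agg * X % P
    return agg


def rogue_share(honest_shares, target_X: int):
    """A share chosen so the aggregate would equal target_X. Its sender
    cannot know the matching secret, so the only PoP it can attach is one
    made under some unrelated key it does hold, which the check rejects."""
    prod = 1
    for X, _ in honest_shares:
        prod = prod * X % P
    X_rogue = target_X * pow(prod, -1, P) % P
    junk_x, junk_X = keygen()
    return X_rogue, prove_possession(junk_x, junk_X)
```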