Hi, thanks for all the help.   I'm going to summarize again, and see if we've arrived at the correct solution for an M of N "single sig" extension of MuSig, which I think we have.

- Using MuSig's solution for the blinding to solve the Wagner attack

- Using interpolation to enhance MuSig to be M of N instead of M of M

References:

 - MuSig https://blockstream.com/2018/01/23/musig-key-aggregation-schnorr-signatures.html

 - HomPrf http://crypto.stanford.edu/~dabo/papers/homprf.pdf (sections 7.1 and 7.4)

Each party:

1. Publishes public key G*xi

3. Xi = H(G*xi) ... Xi is the parties x coordinate, for the purposes of interpolation

3. r = G*x = via interpolation of Gx1, Gx2... (see HomPrf)

4. L = H(X1,X2,…) (see MuSig)

5. X = sum of all H(L,Xi)Xi (see MuSig)

6. Computes e = H(r | M | X) .... standard schnorr e... not a share

7. Computes si = xi - xe ... where si is a "share" of the sig, and xi is the private data

8. Publishes (si, e, G*Xi)

Any party can then derive s from m of n shares, by interpolating, not adding.