Because it's non-interactive, this construction can produce multisig signatures offline. Each device produces a signature using its own k-share and x-share. It's only necessary to interpolate M of n shares.

There are no round trips.

The security is Shamir + discrete log.  

It's just something I've been tinkering with and I can't see an obvious problem.

It's basically the same as Schnorr, but you use a threshold hash to fix the need to be online.

Just seems more useful to me.


On Sun, Jul 8, 2018, 10:33 PM Pieter Wuille <pieter.wuille@gmail.com> wrote:
On Sun, Jul 8, 2018, 19:23 Erik Aronesty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
Pretty sure these non-interactive sigs are more secure.

Schnorr signatures are provably secure in the random oracle model assuming the discrete logarithm problem is hard in the used group.

What does "more secure" mean? Is your construction secure with weaker assumptions?

-- 
Pieter