
Rogue Key Attack in Multi-Signatures

Alice and Bob want to create a multi-signature together.
They use the Schnorr signature scheme.

Reminder

Schnorr signature equation: s = r + H(X, R, m)x (private key x with X = xG, nonce r with R = rG, message m)
Verification: sG = R + H(X, R, m)X


Everything seems fine so far… but consider what happens if Bob claims his key is X₂′ = X₂ − X₁ 🤔
With naive aggregation (simply adding the claimed keys), the aggregate key becomes X₁ + X₂′ = X₂,
which means Bob can sign alone!
➡️ That’s the rogue key attack.

(Follow-up: key aggregation schemes like MuSig fix this.)
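
The key cancellation above, and why coefficient-based aggregation stops it, as an added example that is not part of the original post. It uses secp256k1 with constructed toy private keys, a fixed constructed nonce and a simplified hash encoding; the aggregation step follows MuSig's a_i = H(L, X_i) idea only and is not a full MuSig implementation.

```python
import hashlib

# secp256k1 parameters; toy pure-Python arithmetic, not constant-time
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    num, den = (3 * a[0] * a[0], 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    lam = num * pow(den % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def H(*parts):  # simplified encoding (assumption): SHA-256 over repr()
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N

def sign(x, X, m, r):  # s = r + H(X, R, m)x
    R = mul(r, G)
    return R, (r + H(X, R, m) * x) % N

def verify(X, m, sig):  # sG == R + H(X, R, m)X
    R, s = sig
    return mul(s, G) == add(R, mul(H(X, R, m), X))

def demo():
    x1, x2 = 0x1111, 0x2222                    # constructed toy private keys
    X1, X2 = mul(x1, G), mul(x2, G)
    rogue = add(X2, (X1[0], -X1[1] % P))       # Bob claims X2' = X2 - X1
    naive = add(X1, rogue)                     # naive aggregate X1 + X2'
    solo = sign(x2, naive, "msg", r=0x3333)    # Bob signs with x2 only
    # Coefficient aggregation: sum of a_i * X_i with a_i = H(L, X_i)
    L = (X1, rogue)
    agg = add(mul(H(L, X1), X1), mul(H(L, rogue), rogue))
    solo2 = sign(x2, agg, "msg", r=0x3333)     # same solo attempt, new aggregate
    return naive == X2, verify(naive, "msg", solo), verify(agg, "msg", solo2)
```

`demo()` returns three booleans: the naive aggregate equals X₂, Bob's solo signature verifies under it, and the same solo attempt fails once each key is weighted by a coefficient that depends on every claimed key.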

Follow @Bitcoin_De for more Bitcoin technical explainers.