Rogue Key Attack in Multi-Signatures
Alice and Bob want to create a multi-signature together.
They use the Schnorr signature scheme.
Reminder
Schnorr signature equation:
Signing:
s = r + H(X, R, m)x
Verification:
sG = R + H(X, R, m)X
Everything seems fine so far: with naive key aggregation the combined key is X = X₁ + X₂, and signatures are verified against X. But consider if Bob claims his key is X₂′ = X₂ − X₁ 🤔
Then the aggregate key becomes
X₁ + X₂′ = X₂
which means Bob can sign alone!
➡️ That’s the rogue key attack.
(Follow-up: key aggregation schemes like MuSig fix this.)
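To make the algebra above concrete, here is an added worked example; it is not code from the original thread. It assumes the secp256k1 curve, SHA-256 reduced mod the group order as H, a simplified Schnorr variant with a deterministic toy nonce (not BIP340), and constructed demo keys for Alice and Bob. It shows Bob's solo signature verifying under the naive aggregate key X₁ + X₂′ = X₂, and failing once keys are weighted with MuSig-style coefficients aᵢ = H(L, Xᵢ), which is the fix the follow-up line refers to (the aggregation helpers are written for any number of signers, not only two).

```python
"""Rogue key attack on naive Schnorr key aggregation, and the MuSig-style
key-aggregation coefficient that defeats it (added illustration)."""
import hashlib

# secp256k1 domain parameters (assumed curve; the thread does not name one)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (G[1] ** 2 - G[0] ** 3 - 7) % P == 0  # sanity: G lies on y^2 = x^3 + 7


def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # A == -B
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R, k = None, k % N
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def ec_neg(A):
    return None if A is None else (A[0], (-A[1]) % P)


def enc(A):
    return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")


def H(*parts):
    """Hash-to-scalar: SHA-256 over the concatenated encodings, reduced mod N."""
    data = b"".join(enc(p) if isinstance(p, tuple) else p for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def schnorr_sign(x, X, m):
    """s = r + H(X, R, m)*x, the thread's equation. X is the key the verifier
    uses (the aggregate key when signing for a multi-signature). The nonce r
    is derived from (x, m) only to keep the demo deterministic."""
    r = H(x.to_bytes(32, "big"), m)
    R = ec_mul(r, G)
    return R, (r + H(X, R, m) * x) % N


def schnorr_verify(X, m, sig):
    """Check s*G == R + H(X, R, m)*X."""
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(H(X, R, m), X))


def aggregate_naive(keys):
    """X = X1 + X2 + ...: the aggregation the thread shows being broken."""
    X = None
    for K in keys:
        X = ec_add(X, K)
    return X


def aggregate_musig(keys):
    """MuSig-style: L = H(all keys), a_i = H(L, X_i), X = sum a_i*X_i.
    Returns the aggregate key and the per-signer coefficients."""
    L = hashlib.sha256(b"".join(enc(K) for K in keys)).digest()
    coeffs = [H(L, K) for K in keys]
    X = None
    for a, K in zip(coeffs, keys):
        X = ec_add(X, ec_mul(a, K))
    return X, coeffs


# Constructed demo values: Alice holds x1, Bob holds x2.
MSG = b"pay 1 BTC to Bob"
x1 = int("1A2B3C4D5E6F7081" * 4, 16)
x2 = int("0FEDCBA987654321" * 4, 16)
X1, X2 = ec_mul(x1, G), ec_mul(x2, G)
# Bob announces X2' = X2 - X1 instead of X2; he knows no discrete log for X2'.
X2_rogue = ec_add(X2, ec_neg(X1))


def bob_signs_alone(X_agg, bob_secret):
    """Does a single-signer signature by Bob verify under the aggregate key?"""
    return schnorr_verify(X_agg, MSG, schnorr_sign(bob_secret, X_agg, MSG))


def naive_rogue_key_succeeds():
    X_agg = aggregate_naive([X1, X2_rogue])           # == X2, Bob's real key
    return X_agg == X2 and bob_signs_alone(X_agg, x2)


def musig_rogue_key_succeeds():
    X_agg, (a1, a2) = aggregate_musig([X1, X2_rogue])
    # X_agg = (a1 - a2)*X1 + a2*X2; the only secret Bob can compute is a2*x2.
    return bob_signs_alone(X_agg, a2 * x2 % N)


def musig_honest_key_consistent():
    """Honest signers still jointly hold the aggregate secret a1*x1 + a2*x2."""
    X_agg, (a1, a2) = aggregate_musig([X1, X2])
    return ec_mul((a1 * x1 + a2 * x2) % N, G) == X_agg


if __name__ == "__main__":
    print("naive aggregation, Bob alone:", naive_rogue_key_succeeds())
    print("MuSig aggregation, Bob alone:", musig_rogue_key_succeeds())
```

The coefficient aᵢ depends on the full set of announced keys, so Bob cannot choose X₂′ to cancel Alice's term without already knowing how his own key will be weighted; that is why the rogue-key trick stops working once aggregation is keyed on every participant's public key.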
Follow @Bitcoin_De for more Bitcoin technical explainers.