Rogue Key Attack in Multi-Signatures

Alice and Bob want to create a multi-signature together.
They use the Schnorr signature scheme.

Schnorr signature equation: s = r + H(X, R, m)x
Verification: sG = R + H(X, R, m)X

Everything seems fine so far… but consider if Bob claims his key is X₂′ = X₂ − X₁ 🤔
Then the aggregate key becomes X₁ + X₂′ = X₂

which means Bob can sign alone!

➡️ That’s the rogue key attack.

(Follow-up: key aggregation schemes like MuSig fix this.)