Let's consider the following assumptions:
- A computer can compute the private key from the public key in n years (with n being a small number, give or take). Of course, this assumption is very hypothetical and currently considered unrealistic.
- The public keys for multisignature accounts are known. We assume here that they are not hashed or otherwise hidden. I am also assuming that MuSig2 is used for multisignature accounts. That is expected to happen in Bitcoin, if I am not mistaken. Besides, MuSig2 can't be used for CISA since it only allows a single message to be passed (tell me if I'm wrong).
Now, since Assumption 2 holds, we can aggregate the set of public keys using MuSig2, producing a single aggregate public key, AggPub.
Because it is a valid x-only public key, there are exactly two corresponding private keys, Priv1 and Priv2, linked to AggPub. By knowing one of them, you can easily know the other by negating the first private key.
From Assumption 1, can we compute one of the private keys (Priv1 or Priv2) from AggPub in the same amount of time, i.e., n years? From my perspective, yes we can.
Of course, Assumption 1 is too strong. But if the answer to the question is yes, it would suggest that signature compression isn't the best trade-off here. In fact, this could even be exploited for zombie accounts using MuSig2, allowing the unlocking of dormant funds with just a single private key by performing a simple Schnorr signature.
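To make the Priv1/Priv2 point and the "single Schnorr signature" step concrete, here is an added worked example (not code from the original post): a pure-Python secp256k1 implementation with BIP340 Schnorr sign/verify and the BIP327 MuSig2 KeyAgg step. It aggregates three constructed signer keys into an x-only AggPub, then shows that the two scalars Priv1 and N - Priv1 both map to that same x-only key (with opposite y parity) and that a plain Schnorr signature made with either one verifies against AggPub. Assumptions: the demo secrets are derived from fixed strings purely for illustration, the aggregate secret is computed from the signers' secrets as a stand-in for what the Assumption 1 attacker would recover from AggPub alone, and the BIP340 nonce derivation is simplified (no auxiliary randomness), which does not affect verification.

```python
# Added example, not code from the original post: pure-Python secp256k1,
# BIP340 Schnorr and BIP327 MuSig2 KeyAgg, to show that an x-only aggregate
# key AggPub has exactly two private keys (Priv1 and N - Priv1) and that
# either one produces a valid single Schnorr signature for AggPub.
import hashlib

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def point_mul(pt, k):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = point_add(r, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return r

def has_even_y(pt):
    return pt[1] % 2 == 0

def xbytes(pt):
    return pt[0].to_bytes(32, "big")

def cbytes(pt):  # 33-byte compressed ("plain") encoding used by BIP327 KeyAgg
    return (b"\x02" if has_even_y(pt) else b"\x03") + xbytes(pt)

def lift_x(x):
    """x-only key -> the curve point with that x and even y (BIP340)."""
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)
    if x >= P or pow(y, 2, P) != y_sq:
        return None
    return x, y if y % 2 == 0 else P - y

def cpoint(b):  # decode a 33-byte compressed key
    pt = lift_x(int.from_bytes(b[1:], "big"))
    return pt if b[0] == 2 else (pt[0], P - pt[1])

def tagged_hash(tag, msg):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def schnorr_sign(d, msg):
    """BIP340 signature; nonce derivation simplified (no aux randomness)."""
    pub = point_mul(G, d)
    if not has_even_y(pub):
        d = N - d                         # BIP340 always signs for the even-y key
    k = int.from_bytes(tagged_hash("BIP0340/nonce", d.to_bytes(32, "big") + xbytes(pub) + msg), "big") % N
    R = point_mul(G, k)
    if not has_even_y(R):
        k = N - k
    e = int.from_bytes(tagged_hash("BIP0340/challenge", xbytes(R) + xbytes(pub) + msg), "big") % N
    return xbytes(R) + ((k + e * d) % N).to_bytes(32, "big")

def schnorr_verify(pk_x, msg, sig):
    pub = lift_x(int.from_bytes(pk_x, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pub is None or r >= P or s >= N:
        return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pk_x + msg), "big") % N
    R = point_add(point_mul(G, s), point_mul(pub, N - e))   # s*G - e*P
    return R is not None and has_even_y(R) and R[0] == r

def musig2_keyagg(pubkeys):
    """BIP327 KeyAgg: Q = sum a_i * P_i. Returns Q and the coefficients a_i."""
    pk2 = next((pk for pk in pubkeys[1:] if pk != pubkeys[0]), None)
    L = tagged_hash("KeyAgg list", b"".join(pubkeys))
    Q, coeffs = None, []
    for pk in pubkeys:
        a = 1 if pk == pk2 else int.from_bytes(tagged_hash("KeyAgg coefficient", L + pk), "big") % N
        coeffs.append(a)
        Q = point_add(Q, point_mul(cpoint(pk), a))
    return Q, coeffs

def demo():
    # Constructed demo secrets; a real attacker would not have them.
    secrets = [int.from_bytes(hashlib.sha256(b"signer%d" % i).digest(), "big") % N for i in range(3)]
    Q, coeffs = musig2_keyagg([cbytes(point_mul(G, d)) for d in secrets])
    agg_x = xbytes(Q)                                 # AggPub, x-only
    # Stand-in for Assumption 1: the discrete log of AggPub. Computed here from
    # the signers' secrets; the post's attacker would get it from AggPub alone.
    priv1 = sum(a * d for a, d in zip(coeffs, secrets)) % N
    priv2 = N - priv1                                 # the other key for the same x-only AggPub
    msg = hashlib.sha256(b"sweep the dormant output").digest()
    return {
        "same_x": xbytes(point_mul(G, priv1)) == agg_x == xbytes(point_mul(G, priv2)),
        "opposite_y_parity": has_even_y(point_mul(G, priv1)) != has_even_y(point_mul(G, priv2)),
        "priv1_signs_for_aggpub": schnorr_verify(agg_x, msg, schnorr_sign(priv1, msg)),
        "priv2_signs_for_aggpub": schnorr_verify(agg_x, msg, schnorr_sign(priv2, msg)),
        "other_msg_rejected": not schnorr_verify(agg_x, b"\0" * 32, schnorr_sign(priv1, msg)),
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns all five checks as True: the two scalars differ but share the x coordinate, and a verifier that only sees the x-only AggPub accepts an ordinary Schnorr signature from either one, which is exactly why recovering either Priv1 or Priv2 suffices to spend.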