Let’s consider the following assumptions:

1. A computer can compute the private key from the public key in n years (with n being a small number, give or take). Of course, this assumption is extremely hypothetical and currently considered unrealistic.
2. The public keys for multisignature accounts are known. We assume here that they aren’t hashed or otherwise hidden. I am also assuming that MuSig2 is used for multisignature accounts. That is expected to happen in Bitcoin, if I am not mistaken. Besides, MuSig2 can’t be used for CISA because it only allows a single message to be passed (tell me if I am wrong).
Now, since Assumption 2 holds, we can aggregate the set of public keys using MuSig2, producing a single aggregate public key, AggPub.

Because it is a valid x-only public key, there are exactly two corresponding private keys, Priv1 and Priv2, linked to AggPub. By knowing one of them, you can easily know the other by negating the first private key.
From Assumption 1, can we compute one of the private keys (Priv1 or Priv2) from AggPub in the same amount of time, i.e., n years? From my perspective, yes we can.
Of course, Assumption 1 is far too strong. But if the answer to the question is yes, it would suggest that signature compression is not the best trade-off here. In fact, this could even be exploited for zombie accounts using MuSig2, allowing the unlocking of dormant funds with just a single private key by performing a simple Schnorr signature.
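The "two private keys per x-only key" point above, as an added example that is not part of the original post: pure-Python secp256k1 arithmetic showing that d and n-d produce the same x coordinate, so one x-only (BIP340) public key has exactly those two private keys, and that BIP340's even-y normalisation maps both to the same signing key. The curve constants are secp256k1's; the private key d used in the test is a constructed sample.

```python
# Added example (not from the original post): why an x-only public key has two
# private keys, d and n - d, on secp256k1. Pure Python, affine coordinates.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(P, Q):
    """Add two affine points; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:  # P == -Q
        return None
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def scalar_mult(k, P=G):
    """Double-and-add scalar multiplication k*P."""
    R = None
    while k:
        if k & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        k >>= 1
    return R


def xonly_pubkey(d):
    """BIP340 x-only public key: just the x coordinate of d*G."""
    return scalar_mult(d % n)[0]


def bip340_signing_key(d):
    """BIP340 signing normalises d so that d*G has even y; otherwise it uses n - d."""
    _, y = scalar_mult(d % n)
    return d % n if y % 2 == 0 else (n - d) % n


def two_private_keys(d):
    """The two private keys behind one x-only public key: d and its negation n - d."""
    return (d % n, (n - d) % n)
```

Either key in `two_private_keys(d)` yields the same `xonly_pubkey`, which is exactly why negating one aggregate private key gives the other.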