fiatjaf on Nostr:
> As opposed to just making a fresh 2 keys?
Yes.
> try to just combine signatures naively without the protections of musig2 against adversarial behaviour?
I see, that makes sense.
> Very unlikely to make sense
I think the use case is something like:
1. I have been using this raw private key on my desktop and so far it hasn't leaked, but I am afraid it will eventually leak.
2. So I split it in 2 and put one shard in a hardware wallet and the other I leave on the desktop, delete the raw key.
3. Now to sign events I need the combination of the two devices, communicating somehow to produce a signature.
(As I write this I realize it's not a very good use case, so maybe this discussion is a waste of time.)
What could go wrong? If one of the two shards is leaked to an attacker, could he find out about the other shard somehow?
Or, a more generic question: since the two shards are pre-defined by myself, are they immune to the key subtraction attack, since that would require the attacker to use an entirely new key?
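The two-device split from the use case above, worked through as an added example (this is not fiatjaf's code): the existing BIP340 secp256k1 key d is split additively over Z_n into d1 and d2, each device keeps one shard, and their partial Schnorr signatures add up to an ordinary Nostr signature for the original public key. Both devices are assumed honest; the parity flips, the nonce exchange and all function names are my own construction, and the curve arithmetic is written out in full so it runs offline.

```python
import hashlib, secrets
# secp256k1 parameters: field prime, group order, generator
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
rand = lambda: secrets.randbelow(N - 1) + 1   # uniform scalar in [1, n)
def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: l = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: l = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (l * l - a[0] - b[0]) % P; return (x, (l * (a[0] - x) - a[1]) % P)

def mul(k, pt=G):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def lift_x(xb32):  # BIP340 lift_x: the curve point with this x and even y, or None
    x = int.from_bytes(xb32, "big"); y = pow((x**3 + 7) % P, (P + 1) // 4, P)
    return None if (y * y - x**3 - 7) % P else (x, y if y % 2 == 0 else P - y)

def challenge(rx, px, msg):  # BIP340 tagged challenge hash, reduced mod n
    t = hashlib.sha256(b"BIP0340/challenge").digest()
    return int.from_bytes(hashlib.sha256(t + t + rx + px + msg).digest(), "big") % N
def xb(pt): return pt[0].to_bytes(32, "big")   # x-only point encoding
def split_key(d):  # d1 is uniform on [1, n), so on its own it says nothing about d2
    d1 = rand()
    return d1, (d - d1) % N

def cosign(d1, d2, msg):
    """Each device computes s_i = k_i + e*d_i from its own shard only. Both must see
    R1 + R2 before e is fixed; a malicious co-signer would need MuSig2 nonce commitments."""
    pub = add(mul(d1), mul(d2))                  # = (d1 + d2) * G, the original pubkey
    if pub[1] % 2: d1, d2 = N - d1, N - d2       # both flip so P has even y (BIP340)
    k1, k2 = rand(), rand()
    R = add(mul(k1), mul(k2))
    if R[1] % 2: k1, k2 = N - k1, N - k2         # both flip so R has even y
    e = challenge(xb(R), xb(pub), msg)
    s1, s2 = (k1 + e * d1) % N, (k2 + e * d2) % N
    return xb(pub), xb(R) + ((s1 + s2) % N).to_bytes(32, "big")

def verify(pubx, msg, sig):  # standard BIP340 verification, exactly what a relay runs
    pub, r, s = lift_x(pubx), sig[:32], int.from_bytes(sig[32:], "big")
    if pub is None or s >= N: return False
    R = add(mul(s), mul(N - challenge(r, pubx, msg), pub))   # s*G - e*P
    return R is not None and R[1] % 2 == 0 and xb(R) == r
```

With `d1, d2 = split_key(d)` and `pubx, sig = cosign(d1, d2, event_id)`, `verify(pubx, event_id, sig)` succeeds and `pubx` equals the x-only key of the unsplit `d`, so relays see nothing different; the leaked-shard question reduces to the fact that `d2 = d - d1 mod n` is a one-time pad of `d` by the uniform `d1`.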