Score:2

Can one prove that a particular public key is part of an aggregated (MuSig) public key?

cn flag

The MuSig paper (2018) describes a Schnorr signature key aggregation scheme which lets a set of individual public keys to be merged into a single, "aggregated" public key.

In the protocol each individual public key creates an own signature which can be merged into the "aggregated signature". The aggregated signature will verify with the aggregated public key like the signature was created by only one key.

Is it possible to prove that a particular individual public key is part of the aggregate public key without sharing the other public keys?

Vadym Fedyukovych avatar
in flag
This signature verification algorithm requires explicit individual public keys. That means, proving some individual public key is a part of the aggregate (without releasing that individual key) assumes prover help for verifying aggregate signatures. Having said this, yes, individual key membership in the aggregate can be proved.
runeks avatar
pk flag
@VadymFedyukovych it sounds to me like OP is looking for the opposite: proving that some individual public key is part of an aggregate public key by knowing only (1) the aggregate public key, and (2) this individual public key, but not the remaining public keys (which, together with the individual public key, comprise the aggregate public key).
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.