Let’s consider the following assumptions:
-
A computer can compute the private key from the public key in
nyears (withnbeing a small number, give or take). Of course, this assumption is highly hypothetical and currently considered unrealistic. -
The public keys for multisignature accounts are known. We assume here that they are not hashed or otherwise hidden. I’m also assuming that MuSig2 is used for multisignature accounts. This is expected to happen in Bitcoin, if I’m not mistaken. Besides, MuSig2 cannot be used for CISA since it only allows a single message to be passed (tell me if I’m wrong).
Now, since Assumption 2 holds, we can aggregate the set of public keys using MuSig2, producing a single aggregate public key, AggPub.
Because it’s a valid x-only public key, there are exactly two corresponding private keys, Priv1 and Priv2, linked to AggPub. By knowing one of them, you can easily know the other by negating the first private key.
From Assumption 1, can we compute one of the private keys (Priv1 or Priv2) from AggPub in the same amount of time, i.e., n years? From my perspective, yes we can.
Of course, Assumption 1 is too strong. But if the answer to the question is yes, it would suggest that signature compression is not the best trade-off here. In fact, this could even be exploited for zombie accounts using MuSig2, allowing the unlocking of dormant funds with just a single private key by performing a simple Schnorr signature.
