Alice and Bob want to create a multi-signature together.

Everything seems fine so far… but consider if 

Bob claims his key is X₂′ = X₂ − X₁

(Follow-up: key aggregation schemes like MuSig fix this.)

bitcoin

#  Rogue Key Attack in Multi-Signatures

Alice and Bob want to create a multi-signature together.  
They use the **Schnorr signature scheme**.

---

### Reminder
Schnorr signature equation:
`s = r + H(X, R, m)x`  
Verification: `sG = R + H(X, R, m)X`

---

![](https://m.stacker.news/111352)

---

Everything seems fine so far… but consider if **Bob claims his key is X₂′ = X₂ − X₁** 🤔  
Then the aggregate key becomes 
`X₁ + X₂′ = X₂` 

which means **Bob can sign alone!**

➡️ That’s the **rogue key attack**.

---

(Follow-up: key aggregation schemes like MuSig fix this.)

---

*Follow @Bitcoin_De for more Bitcoin technical explainers.*


Rogue Key Attack in Multi-SignaturesRogue Key Attack in Multi-Signatures

ReminderReminder