What's the current status of threshold (t-of-n) signatures in Bitcoin? Most material I've found is about MuSig2 for multisignatures (n-of-n).

Are actual threshold sigs possible, and with what limitations?

I know you can "cheat" by using key-path multisignature for the most common set of t signers, and separate multisignature script paths for each of the other sets.

Found this FROST project by Jesse Posner that aims to implement threshold sigs for Bitcoin:

@kalle ( @cjd boosted )
> threshold systems commonly assume “trusted dealer” where the entire secret is allowed to exist on one system temporarily during key generation, from which the shares are distributed

Looks like multisig is better to me.

AFAIK there's only FROST and it's fairly interactive. Not even sure if there's an open source implementation.

@lopp Thanks. There are only two rounds and the first round can be prepared beforehand, pretty much like MuSig2. Currently watching
