Update bip-schnorr.mediawiki

sipa · real-or-random · web-flow · commit da4721cdc62b · 2019-10-25T10:18:29.000-07:00
Co-Authored-By: Tim Ruffing &lt;tim@timruffing.de&gt;
diff --git a/bip-schnorr.mediawiki b/bip-schnorr.mediawiki
@@ -155,7 +155,8 @@ It should be noted that various alternative signing algorithms can be used to pr
 
 '''Nonce exfiltration protection''' It is possible to strengthen the nonce generation algorithm using a second device. In this case, the second device contributes randomness which the actual signer provably incorporates into its nonce. This prevents certain attacks where the signer device is compromised and intentionally tries to leak the private key through its nonce selection.
 
-'''Multisignatures''' This signature scheme is compatible with various types of multisignature and threshold schemes, where a single public key requires holders of multiple private keys to participate in signing. One example is [https://eprint.iacr.org/2018/068 MuSig], which provides a way to aggregate multiple public keys into a single one, which all of the corresponding private keys need to sign for. It is important to note that multisignature signing schemes in general ''cannot'' be used with the nonce generation from the default signing algorithm above (or any deterministic nonce algorithm).
+'''Multisignatures''' This signature scheme is compatible with various types of multisignature and threshold schemes such as [https://eprint.iacr.org/2018/068 MuSig], where a single public key requires holders of multiple private keys to participate in signing (see Applications below). 
+'''It is important to note that multisignature signing schemes in general are insecure with the nonce generation from the default signing algorithm above (or any deterministic nonce algorithm).'''
 
 ==== Verification ====
 
