INTRO - OVERVIEW OF SCHNORR MAGIC

this is a schnorr signature
this is how to verify a schnorr signature
this is a naive schnorr multisignature
this is a naive adaptor signature
this is how to do an atomic swap
this is a schnorr signature
this is sign-to-contract
this is an anti-covert nonce sidechannel

NONCES

Nonce bias attacks - Bleichenbacher/Vaudenay
Solution - deterministic nonces (RFC6979)
But these aren't verifiable? What about hw wallets?
Solution - s2c
But what about replays?
Solution
0. User chooses randomness.
1. User submits message and commitment to its randomness
2. HW wallet generates nonce, replies with commitment to nonce
3. User replies with own randomness
4. HW wallet replies with sig, original nonce, new nonce

MULTISIGNATURES

1. "Rogue key attacks"
2. Wagner's attack
3. 2-round MuSig
4. 3-round MuSig
5. Nonce replay attacks
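
Steps 0 to 4 of the anti-covert nonce sidechannel listed under NONCES, run end to end with a sign-to-contract tweak on secp256k1, together with the check the host performs on the reply; this is an added example, not code from the talk. The `Device` class, `host_check`, the SHA-256 hash-to-scalar encoding, the domain tags and the way the device derives its nonce from the host's commitment are all assumptions of this sketch.

```python
import hashlib

# secp256k1 field prime, group order and generator (standard curve constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3*a[0]*a[0] * pow(2*a[1], -1, P) if a == b
           else (b[1]-a[1]) * pow((b[0]-a[0]) % P, -1, P)) % P
    x = (lam*lam - a[0] - b[0]) % P
    return (x, (lam*(a[0]-x) - a[1]) % P)

def mul(k, pt):  # double-and-add; not constant time, illustration only
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(*parts):  # hash to scalar; the repr() encoding is an assumption of this sketch
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N

class Device:  # hypothetical hardware wallet holding secret key x
    def __init__(self, x): self.x, self.pub = x, mul(x, G)
    def commit_nonce(self, msg, host_commit):       # step 2
        self.msg, self.c = msg, host_commit
        # Nonce is bound to the host's commitment, so replaying the same
        # message with different randomness never reuses k.
        self.k = h("nonce", self.x, msg, host_commit)
        self.R = mul(self.k, G)
        return self.R
    def sign(self, rho):                            # step 4
        if h("commit", rho) != self.c: raise ValueError("randomness != commitment")
        k2 = (self.k + h("s2c", self.R, rho)) % N   # sign-to-contract tweak
        R2 = mul(k2, G)
        s = (k2 + h("chal", R2, self.pub, self.msg) * self.x) % N
        return (R2, s), self.R, R2                  # sig, original nonce, new nonce

def host_check(pub, msg, rho, R, R2, sig):
    # New nonce must be the committed nonce tweaked by the host's randomness,
    # and the signature must verify under that new nonce.
    tweak_ok = R2 == add(R, mul(h("s2c", R, rho), G))
    sig_ok = mul(sig[1], G) == add(sig[0], mul(h("chal", sig[0], pub, msg), pub))
    return tweak_ok and sig_ok and sig[0] == R2
```

The host performs steps 0, 1 and 3 by choosing `rho`, sending `h("commit", rho)` to `commit_nonce`, and then passing `rho` to `sign`; a reply whose nonce was not tweaked by `rho` fails `host_check` even when the signature itself is valid.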