¹See in section “The rogue public-key attack.” in https://crypto.stanford.edu/~dabo/pubs/papers/BLSmultisig.html