Sender: Jonas Nick <jonasdnick@gmail.com>
Message-ID: <fd7bf294-8f5a-48fc-a415-1f1706b51434@gmail.com>
Date: Thu, 12 Oct 2023 07:43:21 +0000
To: Anthony Towns <aj@erisian.com.au>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
Andrew Chow <lists@achow101.com>
References: <c3aad7de-ec6d-407a-b33e-b52663523ef7@achow101.com>
<ZSc0Luwg3rpNvkfJ@erisian.com.au>
From: Jonas Nick <jonasd.nick@gmail.com>
In-Reply-To: <ZSc0Luwg3rpNvkfJ@erisian.com.au>
Subject: Re: [bitcoin-dev] Proposed BIP for MuSig2 PSBT Fields

It is true that BIP 327 ("MuSig2") does not include adaptor signatures. The
rationale behind this decision was as follows:

- the BIP is already long and complicated enough without adaptor signatures; it
  should be possible to propose a separate adaptor signature BIP on top in a
  modular fashion
- as far as I know, there's no security proof except for a hard-to-follow sketch
  that I wrote a few years ago [0]
- at the time, there seemed to be a higher demand for single-signer adaptor
  signatures

In spite of the missing specification, we added some version of adaptor
signatures to the libsecp256k1-zkp MuSig2 module in order to allow
experimentation.

As for standardizing MuSig2 adaptor signatures, it seems noteworthy that there
exist alternative designs to the implementation in the libsecp256k1-zkp module:
the current libsecp256k1-zkp PR for (single-signer) Schnorr adaptor signatures
[1] uses a slightly different API. Instead of sending the adaptor point along
with the adaptor signature, the point is extracted from an adaptor signature.
This simplifies the API and reduces communication at the cost of making batch
verification of multiple adaptor sigs impossible.

[0] https://github.com/BlockstreamResearch/scriptless-scripts/pull/24
[1] https://github.com/BlockstreamResearch/secp256k1-zkp/pull/268
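
Added example, not part of the original message and not the libsecp256k1-zkp API: a single-signer Schnorr adaptor signature over secp256k1 in which the adaptor point is recomputed from the pre-signature instead of being sent alongside it. All function names are hypothetical, and the challenge hash is a simplified SHA-256 over full points (an assumption; no BIP 340 tagged hashes or x-only keys). Because extraction returns some point for any input, each pre-signature is checked by comparing that point with the expected one, so there is no per-signature verification equation to combine into a batch.

```python
import hashlib

# secp256k1 parameters (public constants).
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0: return None
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, p)
    else: lam = (B[1] - A[1]) * pow((B[0] - A[0]) % p, -1, p)
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def mul(k, A):  # double-and-add, not constant time (illustration only)
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def neg(A): return None if A is None else (A[0], -A[1] % p)

def challenge(R, P, m):  # simplified hash (assumption): SHA-256 over full points
    data = b"".join(v.to_bytes(32, "big") for v in (*R, *P)) + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def presign(x, k, T, m):  # pre-signature carries the final nonce R = k*G + T
    R = add(mul(k, G), T)
    return (R, (k + challenge(R, mul(x, G), m) * x) % n)

def extract_point(presig, P, m):  # T = R - (s'*G - e*P); yields a point for any input
    R, s_pre = presig
    R_pre = add(mul(s_pre, G), neg(mul(challenge(R, P, m), P)))
    return add(R, neg(R_pre))

def adapt(presig, t): return (presig[0], (presig[1] + t) % n)

def extract_secret(presig, sig): return (sig[1] - presig[1]) % n

def verify(sig, P, m):  # ordinary Schnorr check s*G == R + e*P
    return mul(sig[1], G) == add(sig[0], mul(challenge(sig[0], P, m), P))

# Constructed toy secrets; real nonces must be unpredictable and never reused.
x, k, t, m = 0x1111, 0x2222, 0x3333, b"constructed message"
P, T = mul(x, G), mul(t, G)
presig = presign(x, k, T, m)
```
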