Return-Path: <aj@erisian.com.au>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 7DF33C0032
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu, 12 Oct 2023 07:39:46 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp2.osuosl.org (Postfix) with ESMTP id 53C984012A
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu, 12 Oct 2023 07:39:46 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 53C984012A
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
 autolearn=ham autolearn_force=no
Received: from smtp2.osuosl.org ([127.0.0.1])
 by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id IeoOm46cmnmE
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu, 12 Oct 2023 07:39:45 +0000 (UTC)
Received: from cerulean.erisian.com.au (azure.erisian.com.au [172.104.61.193])
 by smtp2.osuosl.org (Postfix) with ESMTPS id 0AAD6400AB
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu, 12 Oct 2023 07:39:44 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 0AAD6400AB
Received: from aj@azure.erisian.com.au
 by cerulean.erisian.com.au with esmtpsa (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2)
 (envelope-from <aj@erisian.com.au>)
 id 1qqqIE-0006xi-BB; Thu, 12 Oct 2023 17:39:40 +1000
Received: by email (sSMTP sendmail emulation); Thu, 12 Oct 2023 17:39:32 +1000
Date: Thu, 12 Oct 2023 17:39:32 +1000
From: Anthony Towns <aj@erisian.com.au>
To: Andrew Chow <lists@achow101.com>,
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Message-ID: <ZSeitCGbqX9paPro@erisian.com.au>
References: <c3aad7de-ec6d-407a-b33e-b52663523ef7@achow101.com>
 <ZSc0Luwg3rpNvkfJ@erisian.com.au>
 <5ebdc1ea-583e-472f-a7ff-6ae8976bf0fb@achow101.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5ebdc1ea-583e-472f-a7ff-6ae8976bf0fb@achow101.com>
X-Spam_score: -0.0
X-Spam_bar: /
Subject: Re: [bitcoin-dev] Proposed BIP for MuSig2 PSBT Fields
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Oct 2023 07:39:46 -0000

On Wed, Oct 11, 2023 at 11:59:16PM +0000, Andrew Chow via bitcoin-dev wrote:
> On 10/11/2023 07:47 PM, Anthony Towns wrote:
> > On Tue, Oct 10, 2023 at 10:28:37PM +0000, Andrew Chow via bitcoin-dev wrote:
> >> I've written up a BIP draft for MuSig2 PSBT fields. It can be viewed at
> >> https://github.com/achow101/bips/blob/musig2-psbt/bip-musig2-psbt.mediawiki.
> > 
> > I was hoping to see adaptor signature support in this; but it seems that's
> > also missing from BIP 327?
> This is the first time I've heard of that, so it wasn't something that I 
> considered adding to the BIP. Really the goal was to just be able to use 
> BIP 327.

Yeah, makes sense.

The other related thing is anti-exfil; libwally's protocol for that
(for ecdsa sigs) is described at:

 https://wally.readthedocs.io/en/release_0.8.9/anti_exfil_protocol/
 https://github.com/BlockstreamResearch/secp256k1-zkp/blob/master/include/secp256k1_ecdsa_s2c.h

Though that would probably want to have a PSBT_IN_S2C_DATA_COMMITMENT
item provided before MUSIG2_PUB_NONCE was filled in, then PSBT_IN_S2C_DATA
and PSBT_IN_NONCE_TWEAK can be provided. (Those all need to have specific
relationships in order to be secure though)

> But that doesn't preclude a future BIP that specifies how to use adaptor 
> signatures and to have additional PSBT fields for it. It doesn't look 
> like those are mutually exclusive in any way or that the fields that 
> I've proposed wouldn't still work.

Yeah, it's just that it would be nice if musig capable signers were also
capable of handling s2c/anti-exfil and tweaks/adaptor-sigs immediately,
rather than it being a "wait for the next release" thing...

> I don't know enough about the topic to really say much on whether or how 
> such fields would work.

I think for signers who otherwise don't care about these features, the
only difference is that you add the tweak to the musig nonces before
hashing/signing, which is pretty straightforward. So I think, if it were
specced, it'd be an easy win. Definitely shouldn't be a blocker though.

Here's another idea for formatting the tables fwiw:
https://github.com/ajtowns/bips/blob/d8a90cff616d6e5839748a1b2a50d32947f30850/bip-musig2-psbt.mediawiki

Cheers,
aj