Add MuSig2 module #1452

issue jonasnick openend this issue on December 5, 2023
  1. jonasnick commented at 9:18 pm on December 5, 2023: contributor

    I think a module for MuSig2 would be in the scope of libsecp256k1. Its relevance for the Bitcoin ecosystem is demonstrated by several factors:

    • MuSig2 is already being adopted for Bitcoin payments.
    • I have been inquired by various Lightning and (hardware) wallet developers about if and when MuSig2 will be in libsecp.
    • Various developers of LN and (hardware) wallets have inquired about the integration of MuSig2 into libsecp and its timeline.
    • There are specifications that depend on MuSig2, such as the “simple taproot channels” BOLT and MuSig2 PSBT and descriptor BIPs.

    MuSig2 has a detailed specification (with reference code and test vectors) and security proofs.

    I suggest to copy the MuSig2 module from libsecp256k1-zkp which has already undergone significant review. I volunteer to do this. We should, however, remove the functions for MuSig2 adaptor signatures as they lack both a specification and a satisfactory security proof.

  2. jonasnick added the label feature on Dec 5, 2023
  3. jonasnick added this to the milestone 0.5.0 on Dec 5, 2023
  4. real-or-random commented at 10:00 pm on December 5, 2023: contributor

    Concept ACK

    We should, however, remove the functions for MuSig2 adaptor signatures as they lack both a specification and a satisfactory security proof.

    Makes sense.

  5. LLFourn commented at 11:50 pm on December 5, 2023: none

    We should, however, remove the functions for MuSig2 adaptor signatures as they lack both a specification and a satisfactory security proof.

    I read this and assumed it just means not peer reviewed to the same standard as the MuSig2 protocol itself not that you had found a problem with your security proof you proposed for MuSig + adaptor before. Is this right?

  6. sipa commented at 3:24 am on December 6, 2023: contributor
    Concept ACK
  7. t-bast commented at 2:08 pm on December 6, 2023: none
    Concept ACK, we’d be happy to start integrating this into lightning once that PR is opened!
  8. jonasnick commented at 8:29 am on December 7, 2023: contributor
    @LLFourn Yes that’s right. I’m not aware of any problems with the adaptor signature scheme as implemented in the secp256k1-zkp MuSig2 module. The only analysis of its security I’m aware of is this proof sketch: https://github.com/BlockstreamResearch/scriptless-scripts/blob/a8b6ff21fc7f4529eabbe639fbff49f047a3579d/md/musig2-adaptorsig.md.
  9. jonasnick commented at 3:05 pm on December 18, 2023: contributor
    I should note that the MuSig2 implementation in libsecp256k1-zkp uses a secp256k1_scratch_space in the API which affects attempts to get rid of the scratch space.
  10. real-or-random referenced this in commit 3bf4d68fc0 on Jan 17, 2024
  11. real-or-random closed this on Oct 7, 2024

  12. fanquake referenced this in commit 3660fe5e2a on Oct 7, 2024

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-21 13:15 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me