I think a module for MuSig2 would be in the scope of libsecp256k1. Its relevance for the Bitcoin ecosystem is demonstrated by several factors:
- MuSig2 is already being adopted for Bitcoin payments.
- I have been asked by various Lightning and (hardware) wallet developers if and when MuSig2 will be in libsecp.
- Various developers of LN and (hardware) wallets have inquired about the integration of MuSig2 into libsecp and its timeline.
- There are specifications that depend on MuSig2, such as the “simple taproot channels” BOLT and MuSig2 PSBT and descriptor BIPs.

MuSig2 has a detailed specification (with reference code and test vectors) and security proofs.
I suggest copying the MuSig2 module from libsecp256k1-zkp, which has already undergone significant review. I volunteer to do this. We should, however, remove the functions for MuSig2 adaptor signatures as they lack both a specification and a satisfactory security proof.