Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add MuSig2 module #1452

Closed
jonasnick opened this issue Dec 5, 2023 · 6 comments · Fixed by #1479
Closed

Add MuSig2 module #1452

jonasnick opened this issue Dec 5, 2023 · 6 comments · Fixed by #1479
Labels
Milestone

Comments

@jonasnick
Copy link
Contributor

I think a module for MuSig2 would be in the scope of libsecp256k1. Its relevance for the Bitcoin ecosystem is demonstrated by several factors:

  • MuSig2 is already being adopted for Bitcoin payments.
  • I have been inquired by various Lightning and (hardware) wallet developers about if and when MuSig2 will be in libsecp.
  • Various developers of LN and (hardware) wallets have inquired about the integration of MuSig2 into libsecp and its timeline.
  • There are specifications that depend on MuSig2, such as the "simple taproot channels" BOLT and MuSig2 PSBT and descriptor BIPs.

MuSig2 has a detailed specification (with reference code and test vectors) and security proofs.

I suggest to copy the MuSig2 module from libsecp256k1-zkp which has already undergone significant review. I volunteer to do this. We should, however, remove the functions for MuSig2 adaptor signatures as they lack both a specification and a satisfactory security proof.

@jonasnick jonasnick added this to the 0.5.0 milestone Dec 5, 2023
@real-or-random
Copy link
Contributor

Concept ACK

We should, however, remove the functions for MuSig2 adaptor signatures as they lack both a specification and a satisfactory security proof.

Makes sense.

@LLFourn
Copy link

LLFourn commented Dec 5, 2023

We should, however, remove the functions for MuSig2 adaptor signatures as they lack both a specification and a satisfactory security proof.

I read this and assumed it just means not peer reviewed to the same standard as the MuSig2 protocol itself not that you had found a problem with your security proof you proposed for MuSig + adaptor before. Is this right?

@sipa
Copy link
Contributor

sipa commented Dec 6, 2023

Concept ACK

@t-bast
Copy link

t-bast commented Dec 6, 2023

Concept ACK, we'd be happy to start integrating this into lightning once that PR is opened!

@jonasnick
Copy link
Contributor Author

@LLFourn Yes that's right. I'm not aware of any problems with the adaptor signature scheme as implemented in the secp256k1-zkp MuSig2 module. The only analysis of its security I'm aware of is this proof sketch: https://github.com/BlockstreamResearch/scriptless-scripts/blob/a8b6ff21fc7f4529eabbe639fbff49f047a3579d/md/musig2-adaptorsig.md.

@jonasnick
Copy link
Contributor Author

I should note that the MuSig2 implementation in libsecp256k1-zkp uses a secp256k1_scratch_space in the API which affects attempts to get rid of the scratch space.

real-or-random added a commit that referenced this issue Jan 17, 2024
e682267 build: Error if required module explicitly off (Tim Ruffing)
89ec583 build: Clean up handling of module dependencies (Tim Ruffing)

Pull request description:

  This is a cleanup which makes it easier to add further modules with dependencies, e.g., in #1452. The diff looks larger than it is because I also reordered the modules and made the order consistent between CMake and autotools.

  (We noticed that the current logic could be improved in BlockstreamResearch/secp256k1-zkp#275.)

ACKs for top commit:
  jonasnick:
    ACK e682267
  hebasto:
    ACK e682267.

Tree-SHA512: 040e791e5b5b9b8845a39632633a45ca759391455910bdefba2b7b77c6340e65df6eda18199ae2ad65c30ee2fc6630471437aec143c26fe09ae4c11409a37622
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants