Add module "musig" that implements MuSig2 multi-signatures (BIP 327) #1479
Conversation
jonasnick
force-pushed
the
musig2-module
branch
from
f5a74fd to
fb60ae9
Compare
jonasnick
force-pushed
the
musig2-module
branch
5 times, most recently
from
ab7fc1e to
eaf1e78
Compare
jonasnick
force-pushed
the
musig2-module
branch
from
eaf1e78 to
70bb685
Compare
|
Rebased on top of master to get #1480 which allowed dropping a commit. Old state is preserved at https://github.com/jonasnick/secp256k1/tree/musig2-module-backup. |
|
FWIW, we have JVM bindings on top of this branch in ACINQ/secp256k1-kmp#93 and an implementation of swap-in-potentiam (musig2 key-path with alternative delayed script path) in ACINQ/bitcoin-kmp#107 and everything is working fine, and the API is easy enough to use! |
jonasnick
force-pushed
the
musig2-module
branch
from
70bb685 to
dd4932b
Compare
|
Rebased. Thanks @t-bast, that's good to hear. |
|
Attaching a visualization for the API flow.
Edit: The above visualization is incorrect. I will update it with the correct one soon. |
| pubkeys_ptr[i] = &signers[i].pubkey; | ||
| } | ||
| printf("ok\n"); | ||
| printf("Combining public keys..."); |
There was a problem hiding this comment.
Do we recommend that users sort their pubkeys before aggregating them? The musig_pubkey_agg API documentation simply says the user "can" do it.
If we recommend the sorting step, including it in the example file would be helpful.
There was a problem hiding this comment.
I think there's no catch-all recommendation. BIP327 says "The aggregate public key produced by KeyAgg (regardless of the type) depends on the order of the individual public keys. If the application does not have a canonical order of the signers, the individual public keys can be sorted with the KeySort algorithm to ensure that the aggregate public key is independent of the order of signers."
In other words: If in your application, the collection of pubkeys (or signers represented by them) is conceptually an (ordered) list, then don't bother with sorting. If in your application, the collection of pubkeys is conceptually an (unordered) set, i.e., the application doesn't want to care about the order of pubkeys, then sort to make sure the set has a canonical serialization.
Perhaps we can explain this somewhere in more detail, either in the API docs or in the example.
There was a problem hiding this comment.
nit: I think it would be nice to including sorting in the example for the following reasons:
- It provides a practical example on how to use the sorting API
- It's a good hook for adding a comment explaining what @real-or-random just explained above. Feels a bit nicer to have that comment in the example, vs the API docs
There was a problem hiding this comment.
Added sorting and a comment.
jonasnick
force-pushed
the
musig2-module
branch
from
2017bbe to
4619706
Compare
src/modules/extrakeys/main_impl.h
Outdated
| /* Suppress wrong warning (fixed in MSVC 19.33) */ | ||
| #if defined(_MSC_VER) && (_MSC_VER < 1933) | ||
| #pragma warning(push) | ||
| #pragma warning(disable: 4090) | ||
| #endif |
There was a problem hiding this comment.
in 26dde29 ("extrakeys: add secp256k1_pubkey_sort"):
Does it make sense to move this block into the secp256k1_sort function? I ended up copying these lines while writing a secp256k1_silentpayments_recipient_sort function, which made me realize anyone else would also need to copy these lines when writing a sort function for heapsort.
There was a problem hiding this comment.
You mean into secp256k1_hsort? I'd guess the wrong warning is emitted when secp256k1_hsort is called and therefore it would be to late when the warning was disabled in secp256k1_hsort.
11 participants
EDIT: based on #1518. Closes #1452. Most of the code is a copy from libsecp256k1-zkp. The API added in this PR is identical with the exception of two modifications:
scratch_spaceargument fromsecp256k1_musig_pubkey_agg. This argument was intended to allow usingecmult_multialgorithms for key aggregation in the future. But at this point it's unclear whether thescratch_spaceobject will remain in its current form (see Rework or get rid of scratch space #1302).adaptorargument ofmusig_nonce_processwas also removed.In contrast to the module in libsecp256k1-zkp, the module is non-experimental. I slightly cleaned up parts of the module, adjusted the code to the new definition of the VERIFY_CHECK macro and applied some simplifications that were possible because the module is now in the upstream repo (
ge_from_bytes,ge_to_bytes). You can follow the changes I made to the libsecp256k1-zkp module at https://github.com/jonasnick/secp256k1-zkp/commits/musig2-upstream/.