@michaelfolkson
Last active September 8, 2022 10:54

London Bitcoin Devs links for Socratic on MuSig2 w/ Tim Ruffing

August 11th 2022 (previously July 28th 2022, rescheduled)

Transcript: https://btctranscripts.com/london-bitcoin-devs/2022-08-11-tim-ruffing-musig2/

YouTube link: https://www.youtube.com/watch?v=TpyK_ayKlj0

Meetup link: https://www.meetup.com/bitdevsldn/events/286583988

Previous presentations

London Socratic on BIP Schnorr (2020): https://btctranscripts.com/london-bitcoin-devs/2020-06-16-socratic-seminar-bip-schnorr/

Tim Ruffing at London Bitcoin Devs on Taproot and Schnorr Multisig (2020): https://btctranscripts.com/london-bitcoin-devs/2020-06-17-tim-ruffing-schnorr-multisig/

Tim Ruffing at Real World Crypto (2021): https://btctranscripts.com/realworldcrypto/2021/2021-01-12-tim-ruffing-musig2/

Jonas Nick at IACR (2021): https://btctranscripts.com/iacr/2021-08-16-jonas-nick-musig2/

What is MuSig?

Bitcoin Optech Topics page on MuSig: https://bitcoinops.org/en/topics/musig/

Optech Taproot workshop on MuSig: https://github.com/bitcoinops/taproot-workshop/blob/master/1.2-musig.ipynb

Journey from MuSig1, MuSig-DN to MuSig2

Bellare, Neven paper (2006): https://cseweb.ucsd.edu/~mihir/papers/multisignatures.pdf

Insecure shortcuts in MuSig1: https://medium.com/blockstream/insecure-shortcuts-in-musig-2ad0d38a97da

robot-dreams Python implementation of insecure MuSig1: https://github.com/robot-dreams/insecure-musig

Blog post on MuSig-DN: https://medium.com/blockstream/musig-dn-schnorr-multisignatures-with-verifiably-deterministic-nonces-27424b5df9d6

Comparing MuSig1, MuSig-DN, MuSig2: https://bitcoin.stackexchange.com/questions/98845/which-musig-scheme-is-optimal-classic-musig-or-this-new-musig-dn-scheme/

Blog post on MuSig2: https://medium.com/blockstream/musig2-simple-two-round-schnorr-multisignatures-bf9582e99295

MuSig2 BIP: https://github.com/jonasnick/bips/blob/musig2/bip-musig2.mediawiki

Discussion of the MuSig2 BIP on the bitcoin-dev mailing list: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020198.html

Further discussion of the MuSig2 BIP on the bitcoin-dev mailing list: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-May/020508.html

Design decisions (e.g. duplicate public keys): BlockstreamResearch/secp256k1-zkp#120 (comment)

Alternative ways of addressing the rogue key attack?: https://crypto.stackexchange.com/questions/93818/musig-could-the-rogue-key-attack-be-mitigated-by-using-commitments-instead-of-k

Paper which references Speedy MuSig2: https://eprint.iacr.org/2021/1375.pdf

Comparing MuSig2 with Speedy MuSig2: https://bitcoin.stackexchange.com/questions/114244/how-does-speedymusig-compare-to-musig2

Optech preparing for Taproot (multisig): https://bitcoinops.org/en/newsletters/2021/08/04/

Follow up discussion from Optech on IRC: https://gnusha.org/secp256k1/2021-08-04.log

Reusing Key Aggregation function for CISA?: BlockstreamResearch/secp256k1-zkp#120 (comment)

MuSig2 in libsecp256k1

Scope of libsecp256k1 library: bitcoin-core/secp256k1#997

Issue on how to use libsecp256k1: bitcoin-core/secp256k1#224

Defining the libsecp256k1 API: https://bitcoin.stackexchange.com/questions/112223/how-is-the-secp256k1-api-defined-in-what-ways-is-it-restricted

Bitcoin Core PR review club on libsecp256k1 usage examples: https://bitcoincore.reviews/libsecp256k1-748

MuSig2 in secp256k1-zkp: https://github.com/ElementsProject/secp256k1-zkp/blob/master/include/secp256k1_musig.h

MuSig2 test vectors: https://github.com/ElementsProject/secp256k1-zkp/blob/master/src/modules/musig/tests_impl.h

More MuSig2 test vectors: https://github.com/jonasnick/bips/blob/168699e3ec54a99320a70055f20e8e87baf2fe75/bip-musig2/sign_verify_vectors.json#L120

JSON test vectors: jonasnick/bips#33

Nonce generation PR: BlockstreamResearch/secp256k1-zkp#192

Other implementations of MuSig2

MuSig2 in Python: https://github.com/jonasnick/bips/blob/musig2/bip-musig2/reference.py

meshcollider MuSig2 in Python: https://github.com/meshcollider/musig2-py

MuSig2 in btcd: btcsuite/btcd#1820

MuSig2 in lnd: lightningnetwork/lnd#6361

MuSig2 used in Lightning Labs' Loop: lightninglabs/loop#497

MuSig2 coordinator in Go: https://github.com/aureleoules/musig2-coordinator

MuSig2 in secp256kfun: https://github.com/LLFourn/secp256kfun/blob/master/schnorr_fun/src/musig.rs

MuSig2 in Lightning

LN Summit 2022 discussing MuSig2: https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-June/003600.html

MuSig2 channel funding in Lightning: https://github.com/t-bast/lightning-docs/blob/master/taproot-updates.md#musig2-channel-funding

BOLT 2 and the commitment_signed message: https://github.com/lightning/bolts/blob/master/02-peer-protocol.md#committing-updates-so-far-commitment_signed

BOLT PR for MuSig2: lightning/bolts#995

Latency concerns with using MuSig2 or nested MuSig2 on Lightning: https://bitcoin.stackexchange.com/questions/114159/how-do-the-various-lightning-implementations-treat-latency-how-long-do-they-wai

FROST, ROAST and how they compare to MuSig2 for multisig key aggregation

FROST paper: https://eprint.iacr.org/2020/852.pdf

FROST Sydney Socratic w/ Jesse Posner: https://btctranscripts.com/sydney-bitcoin-meetup/2022-03-29-socratic-seminar/

FROST IRTF draft (Two-Round Threshold Schnorr Signatures with FROST): https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-frost-05#section-1

Comparing MuSig2 to FROST for multisig schemes: https://bitcoin.stackexchange.com/questions/114182/how-do-musig2-and-frost-compare-for-multisig-key-aggregation-schemes

Using nested MuSig2 within a FROST scheme: BlockstreamResearch/secp256k1-zkp#138 (comment)

Komlo, Crites presentation on FROST: https://btctranscripts.com/misc/2022-08-07-komlo-crites-frost/

ROAST blog post: https://medium.com/blockstream/roast-robust-asynchronous-schnorr-threshold-signatures-ddda55a07d1b

ROAST paper: https://eprint.iacr.org/2022/550.pdf

Tim Ruffing presentation on ROAST: https://btctranscripts.com/misc/2022-07-14-tim-ruffing-roast/

robot-dreams Python implementation of ROAST: https://github.com/robot-dreams/roast

Miscellaneous (if we have time) e.g. signature half aggregation, hacspec, BIP324

Signature half aggregation: https://www.youtube.com/watch?v=Dns_9jaNPNk

bitcoin-dev mailing list post: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-July/020662.html

Blog post: https://blog.blockstream.com/half-aggregation-of-bip-340-signatures/

Draft BIP: https://github.com/ElementsProject/cross-input-aggregation/blob/master/half-aggregation.mediawiki

hacspec: https://twitter.com/n1ckler/status/1557367221730648065?s=20&t=-dhJHOarghOjraD-1f9K_Q

BIP324: https://gist.github.com/dhruv/5b1275751bc98f3b64bcafce7876b489

@mplsgrant

Regarding the inverted signature discussion, here's some Python code which gives us the inverted signature as per this test:

# Order of the secp256k1 group
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Expected signature value from the test, parsed as a big-endian integer
expected_sig = bytes.fromhex('68537CC5234E505BD14061F8DA9E90C220A181855FD8BDB7F127BB12403B4D3B')
expected_sig = int.from_bytes(expected_sig, byteorder="big")

# Negate modulo n, then format as upper-case hex without the "0X" prefix
inverted_sig = n - expected_sig
inverted_sig = hex(inverted_sig).upper()[2:]

assert(inverted_sig == '97AC833ADCB1AFA42EBF9E0725616F3C9A0D5B614F6FE283CEAAA37A8FFAF406')
