ElementsProject
Add MuSig2 adaptor signatures
Fixes #23.
Turns out it's not that easy to specify adaptor signatures for multisignatures while keeping a healthy balance between clarity and complexity. Perhaps that's why I haven't found an existing and complete one. So let me know if anyone has ideas for how to make the adaptor signature algorithms as specified here more understandable.
Since #23 mentions two different approaches for how to do MuSig2 adaptor signatures, I looked into the security definitions of Generalized Bitcoin-Compatible Channels and sketched out proofs for them. That was useful to iron out the adaptor signature spec itself, but I'm not sure if the sketches provide any value to the reader because it may well be that what I've written there is incomprehensible without being very familiar with both the Generalized Bitcoin-Compatible Channels and MuSig2 paper. And without having received feedback so far, I'm presuming they have significant holes.
Note to self: See https://eprint.iacr.org/2021/150.pdf section 5 which contains definitions for two party adaptor sigs and a generic transformation from a one-party adaptor sig scheme to a two-party adaptor sig scheme.