secp256k1
secp256k1 copied to clipboard
bitcoin-core
Add module "musig" that implements MuSig2 multi-signatures (BIP 327)
EDIT: based on #1518. Closes #1452. Most of the code is a copy from libsecp256k1-zkp. The API added in this PR is identical with the exception of two modifications:
- I removed the unused
scratch_spaceargument fromsecp256k1_musig_pubkey_agg. This argument was intended to allow usingecmult_multialgorithms for key aggregation in the future. But at this point it's unclear whether thescratch_spaceobject will remain in its current form (see #1302). - Support for adaptor signatures was removed and therefore the
adaptorargument ofmusig_nonce_processwas also removed.
In contrast to the module in libsecp256k1-zkp, the module is non-experimental. I slightly cleaned up parts of the module, adjusted the code to the new definition of the VERIFY_CHECK macro and applied some simplifications that were possible because the module is now in the upstream repo (ge_from_bytes, ge_to_bytes). You can follow the changes I made to the libsecp256k1-zkp module at https://github.com/jonasnick/secp256k1-zkp/commits/musig2-upstream/.
Rebased on top of master to get https://github.com/bitcoin-core/secp256k1/pull/1480 which allowed dropping a commit. Old state is preserved at https://github.com/jonasnick/secp256k1/tree/musig2-module-backup.
FWIW, we have JVM bindings on top of this branch in https://github.com/ACINQ/secp256k1-kmp/pull/93 and an implementation of swap-in-potentiam (musig2 key-path with alternative delayed script path) in https://github.com/ACINQ/bitcoin-kmp/pull/107 and everything is working fine, and the API is easy enough to use!
Attaching a visualization for the API flow.
Edit: The above visualization is incorrect. I will update it with the correct one soon.
@josibake
What do you think about splitting out the sort commits into their own PR?
That's a good idea. In particular, if more fixups are needed for the sort commits. See #1518.