BIP: 373
Layer: Applications
Title: MuSig2 PSBT Fields
Author: Ava Chow <me@achow101.com>
Comments-Summary: No comments yet.
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0373
Status: Draft
Type: Standards Track
Created: 2024-01-15
License: CC0-1.0
Introduction
Abstract
This document proposes additional fields for BIP 174 PSBTv0 and BIP 370 PSBTv2 that allow for BIP 327 MuSig2 Multi-Signature data to be included in a PSBT of any version. These will be fields for the participants' keys, the public nonces, and the partial signatures produced with MuSig2.
Copyright
This BIP is licensed under the Creative Commons CC0 1.0 Universal license.
Motivation
BIP 327 specifies a way to create BIP 340 compatible public keys and signatures using the MuSig2 Multi-Signature scheme. The existing PSBT fields are unable to support MuSig2 as it introduces new concepts and additional rounds of communication. Therefore new fields must be defined to allow PSBTs to carry the information necessary to produce a valid signature with MuSig2.
Specification
The new per-input types are defined as follows:
Name | Versions Requiring Inclusion | Versions Requiring Exclusion | Versions Allowing Inclusion | |||
---|---|---|---|---|---|---|
rowspan="2" | MuSig2 Participant Public Keys | rowspan="2" | PSBT_IN_MUSIG2_PARTICIPANT_PUBKEYS = 0x1a | <33 byte plain aggregate pubkey> | <33 byte compressed pubkey>* | rowspan="2" |
The MuSig2 aggregate plain public keyWhy the plain aggregate public key instead of x-only? | A list of the compressed public keys of the participants in the MuSig2 aggregate key in the order | |||||
rowspan="2" | MuSig2 Public Nonce | rowspan="2" | PSBT_IN_MUSIG2_PUB_NONCE = 0x1b | <33 byte compressed pubkey> <33 byte plain pubkey> <32 byte hash or omitted> | <66 byte public nonce> | rowspan="2" |
The compressed public key of the participant providing this nonce, followed by the plain public | The public nonce produced by the NonceGen algorithm. | |||||
rowspan="2" | MuSig2 Participant Partial Signature | rowspan="2" | PSBT_IN_MUSIG2_PARTIAL_SIG = 0x1c | <33 byte compressed pubkey> <33 byte plain pubkey> <32 byte hash or omitted> | <32 byte partial signature> | rowspan="2" |
The compressed public key of the participant providing this partial signature, followed by the | The partial signature produced by the Sign algorithm. |
The new per-output types are defined as follows:
Name | Versions Requiring Inclusion | Versions Requiring Exclusion | Versions Allowing Inclusion | |||
---|---|---|---|---|---|---|
rowspan="2" | MuSig2 Participant Public Keys | rowspan="2" | PSBT_OUT_MUSIG2_PARTICIPANT_PUBKEYS = 0x08 | <33 byte compressed pubkey> | <33 byte compressed pubkey>* | rowspan="2" |
The MuSig2 aggregate plain public key from the KeyAgg algorithm. This key may or may not | A list of the compressed public keys of the participants in the MuSig2 aggregate key in the order |
Roles
Updater
When an updater observes a Taproot output which involves a MuSig2 aggregate public key that it is aware if, it can add a PSBT_IN_MUSIG2_PARTICIPANT_PUBKEYS field containing the public keys of the participants. This aggregate public key may be directly in the script, the Taproot internal key, the Taproot output key, or a public key from which the key in the script was derived from.
An aggregate public key that appears directly in the script or internal key may be from the result of deriving child pubkeys from participant xpubs. If the updater has this derivation information, it should also add PSBT_IN_TAP_BIP32_DERIVATION for each participant public key.
If the public key found was derived from an aggregate public key, then all MuSig2 PSBT fields for that public key should contain the aggregate public key rather than the found pubkey itself. The updater should also add PSBT_IN_TAP_BIP32_DERIVATION that contains the derivation path used to derive the found pubkey from the aggregate pubkey. Derivation from the aggregate pubkey can be assumed to follow BIP 328 if there is no PSBT_IN_GLOBAL_XPUB that specifies the synthetic xpub for the aggregate public key.
Updaters should add PSBT_OUT_MUSIG2_PARTICIPANT_PUBKEYS and PSBT_OUT_TAP_BIP32_DERIVATION similarly to inputs to aid in change detection.
Signer
To determine whether a signer is a participant in the MuSig2 aggregate key, the signer should first look at all PSBT_IN_MUSIG2_PARTICIPANT_PUBKEYS and see if any key which it knows the private key for appears as a participant in any aggregate pubkey. Signers should also check whether any of the keys in PSBT_IN_TAP_BIP32_DERIVATION belong to it, and if any of those keys appear in as a participant in PSBT_IN_MUSIG2_PARTICIPANT_PUBKEYS.
For each aggregate public key that the signer is a participant of that it wants to produce a signature for, if the signer does not find an existing PSBT_IN_MUSIG2_PUB_NONCE field for its key, then it should add one using the NonceGen algorithm (or one of its variations) to produce a public nonce that is added in a PSBT_IN_MUSIG2_PUB_NONCE field. However signers must keep in mind that improper nonce usage can compromise private keys. Please see BIP 327 for best practices on nonce generation and usage.
Once all signers have added their PSBT_IN_MUSIG2_PUB_NONCE fields, each signer will perform the NonceAgg algorithm followed by the Sign algorithm in order to produce the partial signature for their key. The result will be added to the PSBT in a PSBT_IN_MUSIG2_PARTIAL_SIG field.
Signers must remember to apply any relevant tweaks such as a tweak that is the result of performing BIP 32 unhardened dervation with the aggregate public key as the parent key.
If all other signers have provided a PSBT_IN_MUSIG2_PARTIAL_SIG, then the final signer may perform the PartialSigAgg algorithm and produce a BIP 340 compatible signature that can be placed into a PSBT_IN_TAP_KEY_SIG or a PSBT_IN_TAP_SCRIPT_SIG.
Finalizer
A finalizer may perform the same PartialSigAgg step as the final signer if it has not already been done.
Otherwise, the resulting signature is a BIP 340 compatible signature and finalizers should treat it as such.
Backwards Compatibility
These are simply new fields added to the existing PSBT format. Because PSBT is designed to be extensible, old software will ignore the new fields.
Reusing PSBT_IN_TAP_BIP32_DERIVATION to provide derivation paths for participant public keys may cause software unaware of MuSig2 to produce a signature for that public key. This is still safe. If that public key does not directly appear in the leaf script that was signed, then the signature produced will not be useful and so cannot be replayed. If the public key does directly appear in the leaf script, then the signer will have validated the script as if it did not involve a MuSig2 and will have found it acceptable in order for it to have produced a signature. In either case, producing a signature does not give rise to the possibility of losing funds.
Test Vectors
TBD
Rationale
Reference implementation
The reference implementation of the PSBT format is available at TBD.
Acknowledgements
Thanks to Sanket Kanjalkar whose notes on this topic formed the initial basis of this BIP. Also thanks to Pieter Wuille, Jonas Nick, Tim Ruffing, Marko Bencun, Salvatore Ingala, and all others who have participated in discussions about these fields.