Use musig2 helpers for swap-in-potentiam using taproot #591
Closed
Add a simple test that shows how to modify the swap-in-potentiam protocol to use musig2 and taproot:
- taproot key path is used for the mutual user key + server key use case, which sends to a single musig2 aggregated key
- tapscript path is used for the refund case (user key + delay)

Add another example with taproot but not musig2 that uses 2 different scripts (mutual case and refund case)
This message includes all outputs from the remote tx and not just the one that is included in the swap. This is needed for Schnorr signatures.
This allows us to easily rotate swap-in addresses and generate a single generic taproot descriptor (for bitcoin core 26 and newer) that can be used to recover swap-in funds once the refund delay has passed, assuming that:
- user and server keys are static
- user refund keys follow BIP derivation
It makes the code cleaner and we get rid of the secret nonces map. These nonces are replaced with dummy values whenever these classes are serialized, which is safe since they're never reused for signing txs.
Instead of sending an explicit serialId -> nonce map, we send a list of public nonces ordered by serial id. This matches how signatures are sent in TxSignatures.
The semantics of the secret nonce field added to tx inputs were wrong: these nonces are transient and should be tied to the lifecycle of the interactive tx session. This is much more explicit now.
It now provides different types for individual and aggregated musig2 nonces.
- add a pubkey script to the SharedInput() class (we don't need the full TxOut which we can recreate)
- remove aggregate nonce check in FullySignedTx: code already handles transactions that are not properly signed
- generate musig2 nonces when we send TxAddInput
They use taproot v1, providing the tx output and not the entire tx is safe (see #579). Here we add the swap-in input output and txout to the swap-in TLV, so this change does not interface with proposed changes to the LN spec.
We use the musig2 helpers exposed by ACINQ/bitcoin-kmp#114 to simplify the swap-in protocol and hide all of the musig2 internal details (key aggregation cache, control block, internal taproot key, opaque session object, nonce aggregation). The code is simpler to reason about and signing is more similar to signing normal single-sig inputs.
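The commit above that replaces the explicit serialId -> nonce map with a list of public nonces ordered by serial id relies on both peers deriving the same ordering from the inputs they already agreed on. The sketch below is an added example, not code from this PR or from lightning-kmp: `Input`, `needs_musig2`, `encode_nonces` and `decode_nonces` are hypothetical names, it assumes only musig2 inputs carry a nonce, and the 66-byte public nonce size comes from BIP 327.

```python
from __future__ import annotations
from dataclasses import dataclass

PUBLIC_NONCE_SIZE = 66  # BIP 327: a musig2 public nonce is two 33-byte points


@dataclass(frozen=True)
class Input:
    serial_id: int
    needs_musig2: bool  # assumption: only these inputs get a public nonce


def encode_nonces(nonces_by_serial_id: dict[int, bytes]) -> list[bytes]:
    """Sender: drop the keys and emit nonces in ascending serial id order."""
    return [nonces_by_serial_id[sid] for sid in sorted(nonces_by_serial_id)]


def decode_nonces(inputs: list[Input], nonces: list[bytes]) -> dict[int, bytes]:
    """Receiver: rebuild serial id -> nonce from the inputs already negotiated."""
    expected = sorted(i.serial_id for i in inputs if i.needs_musig2)
    if len(set(expected)) != len(expected):
        raise ValueError("duplicate serial id among musig2 inputs")
    # A positional list carries no keys, so a count mismatch would silently
    # shift every nonce onto the wrong input: reject instead of zipping.
    if len(nonces) != len(expected):
        raise ValueError(f"expected {len(expected)} nonces, got {len(nonces)}")
    if any(len(n) != PUBLIC_NONCE_SIZE for n in nonces):
        raise ValueError("malformed public nonce")
    return dict(zip(expected, nonces))


# Constructed sample data: placeholder bytes, not real curve points.
SAMPLE_INPUTS = [Input(8, True), Input(5, False), Input(2, True)]
SAMPLE_NONCES = {8: b"\x08" * PUBLIC_NONCE_SIZE, 2: b"\x02" * PUBLIC_NONCE_SIZE}

if __name__ == "__main__":
    wire = encode_nonces(SAMPLE_NONCES)
    print(sorted(decode_nonces(SAMPLE_INPUTS, wire)))
```

Rejecting on a count mismatch matters because a partial signature computed against a nonce paired with the wrong input will simply fail to verify later, far from the actual cause.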
This PR adds a commit to #563 to use the musig2 helpers provided by ACINQ/bitcoin-kmp#114
It makes the code much simpler by hiding all of the musig2 and taproot low-level details inside helpers that are quite similar to single-sig signing.
I opened this PR against `master` instead of #563 so that we can see that the diff with `master` is easier to reason about than what #563 does, but you can also look at the last commit to see the diff with #563.