Posted by Jonas Nick
Oct 12, 2023/07:43 UTC
BIP 327 ("MuSig2") does not include adaptor signatures. This decision was made because the BIP is already long and complicated enough without them, and it was deemed more appropriate to propose a separate adaptor signature BIP in a modular fashion. However, there is currently no security proof for adaptor signatures, except for a sketch that was written a few years ago. At the time, there seemed to be a higher demand for single-signer adaptor signatures.
Despite the missing specification, some version of adaptor signatures has been added to the libsecp256k1-zkp MuSig2 module to allow for experimentation. It is worth noting that there are alternative designs to the implementation in the libsecp256k1-zkp module. For example, the current libsecp256k1-zkp PR introduces (single-signer) Schnorr adaptor signatures in which the adaptor point is extracted from the adaptor signature itself rather than supplied separately. This simplifies the API and reduces communication, but it also makes batch verification of multiple adaptor signatures impossible.
It is important to consider these alternative designs when standardizing MuSig2 adaptor signatures.
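As an added worked example (not code from the post, from BIP 327, or from libsecp256k1-zkp), the block below implements a textbook single-signer Schnorr adaptor signature over secp256k1 in Python and shows the two API shapes the post contrasts: verifying a pre-signature against a separately supplied adaptor point T, and extracting T from the pre-signature itself. The curve arithmetic, the tagged challenge hash, all function names and the sample keys are this example's own assumptions; it deliberately ignores BIP 340's x-only/even-Y conventions and the encoding used by the libsecp256k1-zkp PR.

```python
import hashlib
import secrets

# secp256k1 parameters (public curve constants).
FIELD_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
ORDER_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Points are (x, y) tuples; None is the point at infinity.
def point_add(p, q):
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD_P) % FIELD_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    return (x3, (lam * (x1 - x3) - y1) % FIELD_P)

def point_mul(k, p):
    # Double-and-add scalar multiplication (not constant time; example only).
    result = None
    k %= ORDER_N
    while k:
        if k & 1:
            result = point_add(result, p)
        p = point_add(p, p)
        k >>= 1
    return result

def point_neg(p):
    return None if p is None else (p[0], (-p[1]) % FIELD_P)

def encode(p):
    return p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")

def challenge(r_hat, pub, msg):
    # Tagged hash e = H(R_hat || P || m) mod n; the tag string is an assumption.
    tag = hashlib.sha256(b"AdaptorExample/challenge").digest()
    digest = hashlib.sha256(tag + tag + encode(r_hat) + encode(pub) + msg).digest()
    return int.from_bytes(digest, "big") % ORDER_N

def adaptor_sign(x, t_point, msg):
    # Pre-signature (R_hat, s_hat): R_hat = rG + T, s_hat = r + e*x, with e bound to R_hat.
    pub = point_mul(x, G)
    r = secrets.randbelow(ORDER_N - 1) + 1
    r_hat = point_add(point_mul(r, G), t_point)
    e = challenge(r_hat, pub, msg)
    return (r_hat, (r + e * x) % ORDER_N)

def adaptor_verify(pub, t_point, msg, pre_sig):
    # API style 1: the verifier is handed T and checks s_hat*G == (R_hat - T) + e*P.
    r_hat, s_hat = pre_sig
    e = challenge(r_hat, pub, msg)
    expected = point_add(point_add(r_hat, point_neg(t_point)), point_mul(e, pub))
    return point_mul(s_hat, G) == expected

def extract_adaptor_point(pub, msg, pre_sig):
    # API style 2: T is recovered from the pre-signature as R_hat - (s_hat*G - e*P),
    # so no separate T needs to be communicated; the caller compares it with the T it expects.
    r_hat, s_hat = pre_sig
    e = challenge(r_hat, pub, msg)
    r_point = point_add(point_mul(s_hat, G), point_neg(point_mul(e, pub)))
    return point_add(r_hat, point_neg(r_point))

def adapt(pre_sig, t):
    # Whoever knows t completes the pre-signature into an ordinary Schnorr signature.
    r_hat, s_hat = pre_sig
    return (r_hat, (s_hat + t) % ORDER_N)

def schnorr_verify(pub, msg, sig):
    r_hat, s = sig
    e = challenge(r_hat, pub, msg)
    return point_mul(s, G) == point_add(r_hat, point_mul(e, pub))

def extract_secret(pre_sig, sig):
    # Seeing both the pre-signature and the completed signature reveals t = s - s_hat.
    return (sig[1] - pre_sig[1]) % ORDER_N

def demo():
    # Constructed sample secrets, derived from fixed strings so the run is repeatable.
    x = int.from_bytes(hashlib.sha256(b"example signer key").digest(), "big") % ORDER_N
    t = int.from_bytes(hashlib.sha256(b"example adaptor secret").digest(), "big") % ORDER_N
    msg = b"constructed message to pre-sign"
    pub, t_point = point_mul(x, G), point_mul(t, G)
    pre_sig = adaptor_sign(x, t_point, msg)
    sig = adapt(pre_sig, t)
    return {
        "verify_with_T": adaptor_verify(pub, t_point, msg, pre_sig),
        "extract_T_matches": extract_adaptor_point(pub, msg, pre_sig) == t_point,
        "wrong_T_rejected": not adaptor_verify(pub, point_mul(2, t_point), msg, pre_sig),
        "adapted_sig_valid": schnorr_verify(pub, msg, sig),
        "secret_recovered": extract_secret(pre_sig, sig) == t,
    }

if __name__ == "__main__":
    print(demo())
```

The first style has a verification equation, which is what makes batching several pre-signatures possible; the second style has no equation to check at all, only a point to recompute and compare, which is the trade-off the post describes.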