Combined summary - MuSig2 derivation, descriptor, and PSBT field BIPs

Combined summary - MuSig2 derivation, descriptor, and PSBT field BIPs

Tim Ruffing, a notable figure in the Bitcoin development community, has shed light on the complications associated with using x-only public keys in advanced cryptographic operations like MuSig2 and other multisignature schemes.

During an online meetup of the London Bitcoin Devs in 2022, he addressed the engineering challenges posed by these keys. X-only pubkeys are efficient in that they save space by including only the x-coordinate of a public key, but this efficiency comes at a cost. When it comes to tweaking keys—a common practice in various cryptographic protocols including Taproot and MuSig2—the absence of the y-coordinate necessitates additional considerations during the engineering phase. These complexities can make specifications cumbersome and although not explicitly a security concern, they add a level of annoyance for developers. This leads to a retrospective debate over whether the trade-off between space savings and increased engineering complexity is justified.

Additionally, the Bitcoin Improvement Proposals (BIPs) related to MuSig2 have seen significant updates since their initial release in October. A new BIP dedicated to synthetic extended public keys was introduced due to its relevance beyond descriptors to PSBT fields. The Descriptors BIP itself has been relatively stable, with ongoing discussions about the potential removal of ranged derivation within expressions while keeping it for the overall aggregate public key. A major revision in the PSBT fields BIP is the representation of the aggregate public key as a plain public key rather than an 'xonly' key. This change facilitates the identification of derived keys in a PSBT by embedding the evenness bit into the serialized fingerprint.

The changes and their detailed explanations are available through GitHub links, inviting those with relevant expertise to review and contribute to the evolving landscape of Bitcoin's multisignature protocol specifications. Interested parties can find the Derivation BIP here, the Descriptors BIP here, and the PSBT fields BIP here. These developments underscore the importance of collaborative effort and peer review in the continuous improvement of cryptographic standards within the Bitcoin ecosystem.

Discussion History

Ava ChowOriginal Post
January 15, 2024 23:29 UTC
January 16, 2024 08:18 UTC
January 23, 2024 12:12 UTC