Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

extension-bolt: simple taproot channels (feature 80/81) #995

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

Roasbeef
Copy link
Collaborator

This PR puts forth two concepts:

  1. The concept of an "extension BOLT", which is a single documentation extension to the base BOLT spec that references existing "base" BOLTs with new slightly modified functionality. This presents an alternative to littering the main set of BOLTs with a series of "if" statements, which can be somewhat unwieldy for larger changes, and also harder to review/parse.
  2. A new set set of feature bit, channel type, funding output changes, commitment changes, and HTLC script changes under the umbrella of "simple taproot channels", a.k.a the minimal amount of changes needed to get us to "taprooty level 1".

The extensions described in this document have purposefully excluded any gossip related changes, as the there doesn't yet appear to be a predominant direction we'd all like to head in (nu nu gossip vs kick the can and add schnorr).

Most of the changes here described are pretty routine: use musig2 when relevant, and create simple tapscript trees to fold in areas where the script has multiple conditional paths. The main consideration with musig2 is ofc: how to handle nonces. This document takes a very conservative stance, and simply proposes that all nonces be 100% ephemeral, and forgotten, even after a connection has been dropped. This has some non-obvious implications w.r.t the retransmission flow. Beyond that, it's mostly: piggy back the nonce set of nonces (4 public nonces total, since there're "two" messages) on a message to avoid having to add additional round trips.

The other "new" thing this adds is the generation/existence of a NUMs point, which is used to ensure that certain paths can only be spent via the script spend path (like the to remote output for the remote party, as this inherits anchor outputs semantics).

This is still marked as draft, as it's just barely to the point of being readable, and still has a lot of clean ups to be done w.r.t notation, clarify, wording, and full specification.

bolt-simple-taproot.md Outdated Show resolved Hide resolved
@Roasbeef Roasbeef force-pushed the simple-taproot-chans branch from d7b1fe6 to ec8c7b4 Compare May 30, 2022 17:04
@Roasbeef
Copy link
Collaborator Author

Some things that came up in meatspace discussions:

  • Need to ensure we specify co-op close interaction re needing to check diff types of co-op close transactions (remote party trimmed and output, etc)
  • Maybe we should remove the NUMs point for the to_remote output, and just use the musig2 funding key there: in the best interest of the local party to just never sign for that
  • We may need to actually send the next nonce in the commit_sig message (only one of them?) to ensure that after a commitment dance, both parties are able to immediately send a sig.

@Crypt-iQ
Copy link
Contributor

Crypt-iQ commented May 30, 2022

I think the commit_sig should contain the sender's "remote nonce" and the revoke_and_ack contain the sender's "local nonce".

Also since funding_locked will be sent repeatedly with scid-alias when that is merged and deployed, then there should probably be language to define that the nonces are only sent the first time?

@instagibbs
Copy link
Contributor

let's try to pick naming conventions for nonces that doesn't make me cry over the asymmetry

@ZmnSCPxj
Copy link
Collaborator

ZmnSCPxj commented May 31, 2022

Some points:

This interacts with the 2-of-3 goal of @moneyball . If one participant uses a 2-of-3 and owns ALL 3 keys, then it is fine and we can just have MuSig2 with both channel endpoints. But the 2-of-3 goal is that one channel endpoint is really a nodelet-like setup: there is one sub-participant with 2 keys and another "server" participant with 1 key, a la GreenWallet. This requires composable MuSig2. Now I think composable MuSig2, if it can be proven safe, just requires two Rs just like normal non-composable MuSig2, but we probably need to go pester the MuSig2 authors --- I think they wrote up how composable MuSig2 would work, but only internally and they never actually published the details. This is important because we may need to have variable number of Rs, not just two.

--

This interacts with VLS as well @ksedgwic . The nonce r behind R = r * G needs to be retained, since we pre-send the R and on the actual signing MUCH later we use the r. VLS cannot have the host store r since exfiltration of the r together with a complete R, s implies exfiltration of the private key. But this is a per-channel state and constrained devices might not have enough space for each channel. What could be done would be to put the per-channel states into a Merkle tree and have the VLS constrained device store only the Merkle tree root, then every time the r has to be rotated (at each reconnect or at each signing event) update the Merkle tree root in the constrained persistent storage --- it has to be persistent since the host could keep the connection alive while power-cycling the VLS device. You also have to be careful of "UPDATE IN PLACE is a poison apple" and replicated storage. Now as mentioned we cannot store r directly so what the VLS has to do would be something like: generate random scalar q, compute Q = q * G, compute r = ECDH(k, Q) where k is the private key held by the signer device, and then store Q on the host so it can recover r later without the host being able to recover r as well.

A similar technique may also be useful for the server in the 2-of-3 of @moneyball; rather than maintain a state for each channel of each client, the client could store the per-channel Q that the server generates and uses ECDH to get r and then R = r * G for each channel.

@ZmnSCPxj
Copy link
Collaborator

ZmnSCPxj commented May 31, 2022

So I talked to @jonasnick, and as I understand it, we can work with just two Rs even in the composition case, probably will also work in FROST, maybe. This should be safe but we do not have a written out proof, because it seems the proof is complicated. So at least it looks like we do not need a variable number of Rs, just two from each side should work.

@Roasbeef
Copy link
Collaborator Author

Re recursive musig2: I'm gonna give the implementation a shot (outside the LN context, just the musig-within-musig) just to double check my assumptions re not needing to modify the (revised) nonce exchange flow.

bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
@antonilol
Copy link
Contributor

i made a pull request on this pull request with script fixes

Roasbeef#1

@antonilol
Copy link
Contributor

antonilol commented Jun 2, 2022

Maybe we should remove the NUMs point for the to_remote output, and just use the musig2 funding key there: in the best interest of the local party to just never sign for that

Why not the revocation key? When i publish an old state, the remote party can claim my output and htlcs with the key path, but not his own output, and also has to wait a block. If we set the internal key to the revocation key it will give the remote party more privacy, nobody on chain can see which outputs were to local and to remote (and htlcs if they are swept along). It will also give more consistency with other output as they also have the revocation key as internal key.

it will also be cheaper (or get a higher fee rate with the same amount of sats), this only requires a signature from a taptweaked revocation key (65) instead of a signature (65), the script (36) and the controlblock (34) (incl length prefix)
this will save 70 wu (17.5 vB) (keep in mind this is only applies to revoked commitments, for normal force closes we want to enforce the 1 OP_CSV)

@antonilol
Copy link
Contributor

antonilol commented Jun 2, 2022

#995 (comment) makes it invisible for outside observers to identify the to_remote output in case of a revoked commitment. if there are some htlcs on it that are long expired and the second stage is broadcasted (like in the fee siphoning attack), the funds go to the local delayed pubkey + relative timelock. outside observers can now see which output was the to_local one, just search the output of an htlc 2nd stage tx in the commitment transaction.

example ctx: 15c262aeaa0c5a44e9e5f25dd6ad51b4162ec4e23668d568dc2c6ad98ae31023 (testnet)

the transaction with the expired htlc reveals the to_local output. (it is already revealed by the script, but this wouldnt be the case with a revoked taproot ctx)

this can be fixed by tweaking the local delayed pubkey with the hash of vout of the htlc on the ctx (something you can see on-chain, to make restoring backups easier) and some secret (so only you can do this, not outside observers). this secret can be static across commitments and stored in a static channel backup (this is one way i came up with, but there are of course more ways to change this key and still make restoring backups easy enough)

EDIT: no secret is needed, instead a taptweak like tweak can be done. everywhere where a local delayed pubkey is used, it is tweaked with sha256(pubkey || output index) (or a tagged hash) where output index refers to the output index of the output on the commitment transaction, this way there are no duplicates because there can't be two outputs at the same index.

for clarity: htlc outputs that send funds to the local delayed pubkey use a tweaked local delayed pubkey where the output index of the htlc output on the commitment transaction is used, not the htlc success or timeout tx

bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
@Crypt-iQ
Copy link
Contributor

Crypt-iQ commented Jun 10, 2022

for clarity: htlc outputs that send funds to the local delayed pubkey use a tweaked local delayed pubkey where the output index of the htlc output on the commitment transaction is used, not the htlc success or timeout tx

this would preserve privacy, but you'd also need to do this for the to_local and the local anchor output since if those are claimed, the delayed pubkey is also leaked. if the user doesn't claim their anchor, then only the counter-party would be able to claim their anchor (thereby leaking the local delayed pubkey) rather than anybody with the ability to watch the chain after the 16 CSV has elapsed. The keys could all be tweaked, but then perhaps there is more UTXO bloat if the anchors aren't claimed

@antonilol
Copy link
Contributor

for clarity: htlc outputs that send funds to the local delayed pubkey use a tweaked local delayed pubkey where the output index of the htlc output on the commitment transaction is used, not the htlc success or timeout tx

this would preserve privacy, but you'd also need to do this for the to_local and the local anchor output since if those are claimed, the delayed pubkey is also leaked. if the user doesn't claim their anchor, then only the counter-party would be able to claim their anchor (thereby leaking the local delayed pubkey) rather than anybody with the ability to watch the chain after the 16 CSV has elapsed. The keys could all be tweaked, but then perhaps there is more UTXO bloat if the anchors aren't claimed

hmmm true, so it is either privacy, with no key reuse or no utxo set bloat.

btw another idea about anchors and less utxo set bloat:
with non taproot channels, anchors can always be claimed, because funding keys are used
with taproot, funding keys can also be used
party A and B both have a public key, the funding key becomes P = A * H(H(A || B) || A) + B (musig2 keyagg)
the anchor pubkey for A is A * H(H(A || B) || A) and for B is just its public key B
if one of the anchors is spent outside observers can calculate the other anchor because A = P - B and B = P - A (P = funding key)
the to_local and to_remote can also use these keys to ensure that if neither of the anchors is spent they can be cleaned up but that will cost some privacy

bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
@Crypt-iQ
Copy link
Contributor

P = A * H(H(A || B) || A) + B (musig2 keyagg) the anchor pubkey for A is A * H(H(A || B) || A) and for B is just its public key B if one of the anchors is spent outside observers can calculate the other anchor because A = P - B and B = P - A (P = funding key) the to_local and to_remote can also use these keys to ensure that if neither of the anchors is spent they can be cleaned up but that will cost some privacy

The KeyAgg routine here specifies some tweaking so the aggregation above may not always be the same (https://github.com/jonasnick/bips/blob/musig2/bip-musig2.mediawiki#key-aggregation). I think in your example an observer has a 50% chance of identifying B's funding_pubkey since it isn't tweaked. I am not sure if knowledge of the funding_pubkey actually gives an observer anything as I think these would have sort of an ephemeral nature as they are generated for the funding flow. A user could generate them outside of the funding context (say in their bitcoind wallet and regularly use the key for receiving/sending payments) and use them in the funding flow, but I don't see why a user would do that

@antonilol
Copy link
Contributor

P = A * H(H(A || B) || A) + B (musig2 keyagg) the anchor pubkey for A is A * H(H(A || B) || A) and for B is just its public key B if one of the anchors is spent outside observers can calculate the other anchor because A = P - B and B = P - A (P = funding key) the to_local and to_remote can also use these keys to ensure that if neither of the anchors is spent they can be cleaned up but that will cost some privacy

The KeyAgg routine here specifies some tweaking so the aggregation above may not always be the same (https://github.com/jonasnick/bips/blob/musig2/bip-musig2.mediawiki#key-aggregation). I think in your example an observer has a 50% chance of identifying B's funding_pubkey since it isn't tweaked. I am not sure if knowledge of the funding_pubkey actually gives an observer anything as I think these would have sort of an ephemeral nature as they are generated for the funding flow. A user could generate them outside of the funding context (say in their bitcoind wallet and regularly use the key for receiving/sending payments) and use them in the funding flow, but I don't see why a user would do that

if this is a problem B can tweak the key before using it without A even knowing (also A has to do this because the lexicographically smaller key is tweaked), but i dont think it is, lnd uses a separate bip32 tree for this (separate from the wallet)

(btw without taproot funding pubkeys were revealed every time a channel was closed)

@antonilol
Copy link
Contributor

antonilol commented Jun 13, 2022

The KeyAgg routine here specifies some tweaking so the aggregation above may not always be the same (https://github.com/jonasnick/bips/blob/musig2/bip-musig2.mediawiki#key-aggregation).

afaict the algorithm in this bip is generalized for 32 byte pubkeys and more than 2 signers, the 'simple' musig2 with the pubkey's with the parity bit known looks like this equation i used, btw i got it here https://github.com/t-bast/lightning-docs/blob/master/schnorr.md#musig2

bolt-simple-taproot.md Outdated Show resolved Hide resolved
Copy link
Contributor

@instagibbs instagibbs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some old comments I forgot to submit

Most recent comment is noting that partial sigs are 32 bytes, so this needs explicit defining somewhere, since signature types seem to assume 64(may have missed it).

bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
bolt-simple-taproot.md Outdated Show resolved Hide resolved
@antonilol
Copy link
Contributor

antonilol commented Jun 27, 2022

#995 (comment)

P = A * H(H(A || B) || A) + B (musig2 keyagg) the anchor pubkey for A is A * H(H(A || B) || A) and for B is just its public key B if one of the anchors is spent outside observers can calculate the other anchor because A = P - B and B = P - A (P = funding key)

nvm this wouldn't work because keys are only revealed when swept without signature

to make this problem somewhat easier i suggest to remove the to_remote_anchor when a to_remote exists, and no longer 1 OP_CSV the to_remote output. the remote party can fee bump using his to_remote output. the only scenario where a to_remote_anchor would be needed is when there is at least 1 non dust htlc attached and the remote party has no (or below dust limit) to_remote output. this can happen when sending a non dust htlc directly after channel opening (the remote party always needs to have the channel reserve as balance, but doesn't have this just after opening)

now that the to_remote_anchor is out of the way (except for 1 case), things get easier
the to_local_anchor's internal pubkey will be local_delayed_pubkey, it is revealed after the csv delay when swept by the local party

this special case can of course be seen from both sides:

  • the local party who opens a channel, sends an htlc an force closes. both parties need an anchor output here. the remote party has no to_remote output because he has no balance and cant fee bump with that. the to_remote_anchor will have the remote_htlc_pubkey as internal key because it is revealed when expired (a second sig is needed there for 2nd stage), and fulfilled
  • (i switch local and remote here) the local party who just got a channel opened by the remote party and sent an htlc. the local party force closes. there is no to_local to reveal the anchor key, so the to_local_anchor's internal key will be the local_htlc_pubkey, the remote party doesn't need an anchor because he has a to_remote output

even more rare: revocation

no anchor keys are revealed here because with the revocation key the taproot key path is used. i don't know to make anchor sweepable in this case

long story short:

Questions/feedback welcome!

sstone added a commit to ACINQ/eclair that referenced this pull request May 21, 2024
The current "simple taproot channels" proposal is not compatible with splices.
Supporting splices means supporting multiple commitment transactions that are valid at the same time, with the same commitment index but with different funding transactions.
We need to extend the taproot proposal to include a list of musig2 nonces (one for each active commitment transaction), see lightning/bolts#995 (comment)).
We also need a new "next remote nonce" for the new commit tx that is being built, here it has been added to `SpliceInit` and `SpliceAck`.
The funding tx that is being built needs to spend the current funding tx, for this we re-use the current remote nonce (no need to send a new one).
sstone added a commit to ACINQ/eclair that referenced this pull request May 22, 2024
The current "simple taproot channels" proposal is not compatible with splices.
Supporting splices means supporting multiple commitment transactions that are valid at the same time, with the same commitment index but with different funding transactions.
We need to extend the taproot proposal to include a list of musig2 nonces (one for each active commitment transaction), see lightning/bolts#995 (comment)).
We also need a new "next remote nonce" for the new commit tx that is being built, here it has been added to `SpliceInit` and `SpliceAck`.
The funding tx that is being built needs to spend the current funding tx, for this we re-use the current remote nonce (no need to send a new one).
sstone added a commit to ACINQ/eclair that referenced this pull request May 23, 2024
The current "simple taproot channels" proposal is not compatible with splices.
Supporting splices means supporting multiple commitment transactions that are valid at the same time, with the same commitment index but with different funding transactions.
We need to extend the taproot proposal to include a list of musig2 nonces (one for each active commitment transaction), see lightning/bolts#995 (comment)).
We also need a new "next remote nonce" for the new commit tx that is being built, here it has been added to `SpliceInit` and `SpliceAck`.

The funding tx that is being built during the interactive session needs to spend the current funding tx.
For this, we re-use the scheme that we developped for our custome "swaproot" musig swap-ins: we add musig2 nonces to the `TxComplete` message, one nonce for each input that requires one, ordered by serial id.
In order to force close a channel, the holder of a verification nonce must use
that same nonce to counter sign the commitment transaction with the other half
of the musig2 partial signature. Rather than force an implementation to retain
additional signing state (the verification nonce) to avoid holding as "hot"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
additional signing state (the verification nonce) to avoid holding as "hot"
additional signing state (the verification nonce) to avoid holding a "hot"

the ASCII string `taproot-rev-root`.

3. Given a commitment height/number (`N`), the verification nonce to send to
the remote party party can be derive by obtaining the `Nth` shachain leaf
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
the remote party party can be derive by obtaining the `Nth` shachain leaf
the remote party party can be derived by obtaining the `Nth` shachain leaf

construct a `musig2` partial signature for the sender's remote commitment
using the `Sign` algorithm from `bip-musig2`.

- MUST include the partial signature and the public counterpart of the
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This section should be updated: the sender will use the nonces they exchanged with the recipient in their 'shutdown' message to generate and send a partial signature.

- the `shutdown_nonce` field the recipient previously sent in the
`shutdown` message.

- the `public_nonce` included as part of the `partial_signature_with_nonce`
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, the remote public nonce was included in the received shutdown message.

to accept a prior offer by a peer that it would have accepted in the current
round. For musig2, as each signature comes with nonce state, the prior offer
may actually be using distinct nonce state, rendering it unable to be comined
for the final transaction braodcast.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
for the final transaction braodcast.
for the final transaction broadcast.

Instead, the responder will simply accept what the initiator proposes. The
responder can always CPFP after the fact if they require a higher fee rate. The
initiator is the one that pays fees directly (coming out of their settled
output), so the responder will always have their full funds develiered to them.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
output), so the responder will always have their full funds develiered to them.
output), so the responder will always have their full funds delivered to them.


* `OP_1 to_remote_output_key`
* where:
* `taproot_nums_point = 0245b18183a06ee58228f07d9716f0f121cd194e4d924b037522503a7160432f15`
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct! The linked point matches what we use in lnd today: https://github.com/lightningnetwork/lnd/blob/2f2efc782436944ce98b1e0e13bde125951b2b36/input/script_utils.go#L46-L48

Can't recall why the text has this incorrect point.

As a side question @sstone, here's the code we used to generate the NUMs point: https://github.com/lightninglabs/lightning-node-connect/blob/master/mailbox/numsgen/main.go. Perhaps Eclair is interested in replicating the derivation in Scala/Kotlin to increase confidence in the integrity of the point?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

along side `<revocationpubkey>` to derive the private key needed to sweep the
top-level key spend path. The control block can be crafted as such:
```
revoke_control_block = (output_key_y_parity | 0xc0) || taproot_nums_point || revoke_script
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, would we prefer that the derivation of the control block is more implicit in the spec? I think it's relevant at time to spell it out, as the internal key isn't always taproot_nums_point. So maybe we just need to specify what internal key should be used, then refer to the section you've linked.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I think that specifying the script and internal key used to build the proof that must be included in the control block should be enough.

only `33` bytes, as it just includes the internal key (along with the y-parity
bit and leaf version):
```
delay_control_block = (output_key_y_parity | 0xc0) || taproot_nums-point || to_delay_srcipt
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As above, an inclusion proof not an actual script

Copy link

@remyers remyers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just did a close reading in preparation to reviewing #2868 and found some nits/typos.

- MUST specify the `next_local_nonce` field.
- MUST use the `NonceGen` algorithm defined in `bip-musig2` to generate
`next_local_nonce` to ensure it generates nonces in a safe manner.
- MOST not set the `announce_channel` bit.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- MOST not set the `announce_channel` bit.
- MUST not set the `announce_channel` bit.


### Cooperative Closure

Compared to the base segwit v0 channel type, for simple taproot channels, then
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Compared to the base segwit v0 channel type, for simple taproot channels, then
Compared to the base segwit v0 channel type, for simple taproot channels, the

- MUST reject the channel if `next_local_nonce` is absent, or cannot be
parsed as two compressed secp256k1 points

- the specified public nonce cannot be parsed as two compressed secp256k1
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- the specified public nonce cannot be parsed as two compressed secp256k1

This is redundant with the above MUST clause

1. `tlv_stream`: `shutdown_tlvs`
2. types:
1. type: 8 (`shutdown_nonce`)
2: data:
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
2: data:
2. data:

2. types:
1. type: 6 (`partial_signature`)
2. data:
* [`32*byte`: `partial_signature`
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* [`32*byte`: `partial_signature`
* [`32*byte`: `partial_signature`]

root, the verification nonce sent by that state can be deterministically
reproduced:

1. Given the shachain root used to generate revocation pre-images,
Copy link
Contributor

@instagibbs instagibbs Oct 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

has any thought been given on how this handles/could be extended to handle splicing?

you're going to possibly be signing multiple times at a given height, and sharing nonces before knowing the final txid/state of the commit tx.

Without giving much thought the splices could be given a counter and incorporated to the shachain scheme.

cc @ddustin

also see: https://github.com/bitcoin-core/secp256k1/blob/master/include/secp256k1_musig.h#L425

as the top-level internal key, and then commits to a normal remote script.

Anchor outputs use the `local_delayedpubkey` and the `remotepubkey` of both
parries as the top-level
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
parries as the top-level
parties as the top-level

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.