The following sections contain additional notes on the API of the musig module (include/secp256k1_musig.h).
A usage example can be found in examples/musig.c.
The musig API is designed to be as misuse resistant as possible. However, the MuSig protocol has some additional failure modes (mainly due to interactivity) that do not appear in single-signing. While the results can be catastrophic (e.g. leaking of the secret key), it is unfortunately not possible for the musig implementation to rule out all such failure modes.
Therefore, users of the musig module must take great care to make sure of the following:
- A unique nonce per signing session is generated in
secp256k1_musig_nonce_gen. See the corresponding comment ininclude/secp256k1_musig.hfor how to ensure that. - The
secp256k1_musig_secnoncestructure is never copied or serialized. See also the comment onsecp256k1_musig_secnonceininclude/secp256k1_musig.h. - Opaque data structures are never written to or read from directly. Instead, only the provided accessor functions are used.
- If adaptor signatures are used, all partial signatures are verified.
Given a set of public keys, the aggregate public key is computed with secp256k1_musig_pubkey_agg.
A (Taproot) tweak can be added to the resulting public key with secp256k1_xonly_pubkey_tweak_add and a plain tweak can be added with secp256k1_ec_pubkey_tweak_add.
This is covered by examples/musig.c.
Essentially, the protocol proceeds in the following steps:
- Generate a keypair with
secp256k1_keypair_createand obtain the public key withsecp256k1_keypair_pub. - Call
secp256k1_musig_pubkey_aggwith the pubkeys of all participants. - Optionally add a (Taproot) tweak with
secp256k1_musig_pubkey_xonly_tweak_addand a plain tweak withsecp256k1_musig_pubkey_ec_tweak_add. - Generate a pair of secret and public nonce with
secp256k1_musig_nonce_genand send the public nonce to the other signers. - Someone (not necessarily the signer) aggregates the public nonce with
secp256k1_musig_nonce_aggand sends it to the signers. - Process the aggregate nonce with
secp256k1_musig_nonce_process. - Create a partial signature with
secp256k1_musig_partial_sign. - Verify the partial signatures (optional in some scenarios) with
secp256k1_musig_partial_sig_verify. - Someone (not necessarily the signer) obtains all partial signatures and aggregates them into the final Schnorr signature using
secp256k1_musig_partial_sig_agg.
The aggregate signature can be verified with secp256k1_schnorrsig_verify.
Note that steps 1 to 5 can happen before the message to be signed is known to the signers. Therefore, the communication round to exchange nonces can be viewed as a pre-processing step that is run whenever convenient to the signers. This disables some of the defense-in-depth measures that may protect against API misuse in some cases. Similarly, the API supports an alternative protocol flow where generating the aggregate key (steps 1 to 3) is allowed to happen after exchanging nonces (steps 4 to 5).
A participant who wants to verify the partial signatures, but does not sign itself may do so using the above instructions except that the verifier skips steps 1, 4 and 7.
The signing API supports the production of "adaptor signatures", modified partial signatures which are offset by an auxiliary secret known to one party. That is,
- One party generates a (secret) adaptor
twith corresponding (public) adaptorT = t*G. - When calling
secp256k1_musig_nonce_process, the public adaptorTis provided as theadaptorargument. - The party who is going to extract the secret adaptor
tlater must verify all partial signatures. - Due to step 2, the signature output of
secp256k1_musig_partial_sig_aggis a pre-signature and not a valid Schnorr signature. All parties involved extract this session'snonce_paritywithsecp256k1_musig_nonce_parity. - The party who knows
tmust "adapt" the pre-signature witht(and thenonce_parityusingsecp256k1_musig_adaptto complete the signature. - Any party who sees both the final signature and the pre-signature (and has the
nonce_parity) can extracttwithsecp256k1_musig_extract_adaptor.