Add MuSig2 + Silent Payments#683
Draft
macgyver13 wants to merge 30 commits into
Draft
Conversation
external/ckcc-protocol - Add bip375 and bip376 constants external/libngu - Expose ec_pubkey_combine - Expose ec_pubkey_tweak_mul - Add bip352_encode
Add bip352 crypto primitives / helpers Add bip352 tagged hashes
Add bip374 tagged hashes Add dleq bip374 reference generate_dleq_proof, verify_dleq_proof functions
Extend psbt handling with silent payment specific functions Incorporate validation functions from bip375 test vectors - psbt_structure, input_eligibility, ecdh_coverage Add private key derivation helper functions
Only store key_data for short_values - remove key_type Only serialize PSBT_OUT_SCRIPT if self.script has a value Adjust v2 script assert to not required if sp_v0_info is present
Provides silent payments testing framework with access to MockPSBT
Use devtest/verify_sp_outputs.py for simulator testing Add testing/test_bip375_vectors.py and testing/bip375_test_vectors.json - Correct input eligibility ecdh share assumptions Add devtest/unit_silentpayments.py to perform unit testing via simulator Mirror psbt fields in testing/psbt.py
Add testing/test_bip352_vectors.py and testing/bip352_test_vectors.json - Verify SP sending and receiving test vectors
Integrate preview silent payment address as output in auth:interact Integrate silent payments in signing workflow Add sp_hrp property to chains.py Add silent payments fields to psbt.py
Add sp_spend support to _derive_input_privkey Validate bip376 spend key derivation
Create end-to-end tests for SP in testing/test_silentpayments.py - Expose foreign_mk for partial ownership coverage test Integrate SP spend into psbt functions: consider_inputs, determine_my_signing_key, sign_it - Synthesize parsed_subpaths from PSBT_IN_SPEND_BIP32_DERIVATION - Set input.sp_idxs to placeholder to synthesize input is_owned - Implement SP input signing Refactor _compute_and_store_ecdh_shares and _derive_input_privkey to leverage input.sp_idxs
Add test to validate 'Contribute Shares?' UX Simplify SP preview and signing code paths
Add silent payments label change tests - Detect presence or absence of 'Change back:' in UI story Add multi-signer incomplete coverage scenario tests
Verify SP spend path was derived from m/352h Add signature verification for taproot inputs and SP outputs
Include key-value pairs: spscan, deriv, name, xfp, key_exp in bip352 dictionary Add bip352 test block to test_export_coldcard Support bech32m 1023 character limit for silent payments
Mixed inputs SP spend and P2TR Reject non-SIGHASH_ALL Reject psbt v0 send to SP output
Remove MockPSBT from verify_sp_outputs Test test_sp_spend_to_labeled_change_address should sign transaction Replace _serialize_psbt with read_psbt Replace single use compute_foreign_share with generate_dleq_proof Remove unnecessary int-byte conversions in test_bip352_vectors.py
Convert validate_bip376_spend to validate_silent_payment_inputs Use accounts to validate sp spend material and mark output.is_change Introduce reusable sp_derive_path function Fix change detection issue raised by previous test hygiene commit - Signing was restored for test_sp_spend_labeled_change_detected Fix psbt exception in consider_outputs with sp change - Add apply_label_to_spend_key primitive - Match spend public key to labeled spend public key for change New tests: sp spend to non sp output sp spend rejection tests - unknown account, incorrect sp spend derivation path sp change output with foreign keys is allowed but displays warning Changed test: sp spend to label change - fix label spend key derivation, use sp input
…r multiple outputs Per BIP-375: sort by spend key then output index in ascending order for each scan key group to determine ordering of the k value - Fix compute_silent_payment_output_scripts to match spec - Update bip375_test_vectors.json to version 1.1.1
Adds provisional MUSIG2_PARTIAL_* fields.
Generate nonce message for SP outputs - required since scriptPubKey is not defined on musig round 1. taproot sighash computation remains unaffected for musig round 2.
Gracefully handle the 3-element value parse_taproot_subpaths caches when the same input is parsed more than once (MuSig2 + SP).
auth: - Signing UX: prompt the user to contribute shares, run round 1 nonce generation. psbt: - Add musig_keyagg_context: assemble the keyagg cache and derive the BIP-327 combine factors (MusigEcdhFactors). - Allow musig sp inputs round 1 sign_it despite incomplete SP coverage. serializations: - determine_my_change - get_address returns (None, None) when scriptPubKey is None, no longer errors on musig sp inputs before output scripts are computed. silentpayments: - Contribute partial shares and DLEQ proof bound to the account-level participant key (_contribute_musig_ecdh_shares). - Aggregate shares via KeyAgg coefficients and the input's combine factors (_musig_aggregate_shares, _musig_keyagg_coefficient, _musig_sp_ecdh_factors, _musig_input_ecdh_share). Add bip327 tagged hashes Add musig2 silent payments round 1 test and fixtures.
Add cosigner contrib test fixture for simulating round 2 partial signature - 1 simulator/signer in test_musig2_sp_full_flow, the other 2 participants in 3 of 3 provide contributions from coordinator.
test_musig2_sp_three_hardware_signers coordinates three separate simulator processes to compute silent payments outputs and sign a psbt paying multiple recipients through two rounds. multi signer refactor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Builds on #587 and introduces MuSig2 + Silent Payments signing.
Welcome review and feedback on the concept.
Signing Flow
A MuSig2 taproot key-spend wallet (e.g. 3-of-3
tr(musig(A,B,C)/0/*)) can now paySilent Payments recipients. Because the aggregate secret key behind the taproot
output key
Qis split across all signers, no single party can compute the BIP-352ECDH shared secret alone. Each signer contributes a partial ECDH share
(
share_i = a_i * B_scan) plus a DLEQ proof, carried in two new provisional PSBTfields -
PSBT_IN_MUSIG2_PARTIAL_ECDH_SHAREandPSBT_IN_MUSIG2_PARTIAL_DLEQ.To keep PSBT rounds to a minimum, MuSig2 nonce generation and ECDH share collection
are combined into the first round:
Find more details on the signing flow here.
MuSig2 + Silent Payments documentation updated.
Testing
Regression
New