Bug: Not possible to spend a MuSig Address without TapTree #155

Open
wip-abramson opened this issue Dec 14, 2023 · 4 comments

Comments

@wip-abramson
I have been attempting to construct a bitcoin address that is a 2-2 MuSig address only. No taproot tree.

Something like this:

```python
points = [alice_public_key, bob_public_key]
musig = MuSigTapScript(points)
internal_pubkey = musig.point
# The address for the ScriptPubKey
p2tr_musig = internal_pubkey.p2tr_address(network="signet")
```

The p2tr_musig address is always tweaked. See cecc.py L200.

I think this is correct per BIP86.

But when I construct MuSig using the get_signature function, if there is no merkle_root, then no tweak is applied.

So I get back a valid signature from the untweaked public key. However, when I try to verify a transaction with an input that has a p2tr_musig value as ScriptPubKey, it verifies as false, because the pubkey used for the ScriptPubKey is tweaked, but the sig has not been.

Basically:

```python
# Returns valid, but untweaked schnorr sig
schnorr = musig.get_signature(s_sum, r, sig_hash)
# Adds sig to tx input witness
tx_in.finalize_p2tr_keypath(schnorr.serialize())
# Is false
btc_update_tx.verify_input(input_index)
```

I believe a simple fix would be to remove the if/else in the get_signature function so that the tweak is always applied.

Happy to submit a PR if I am on the right lines.

@jimmysong
Collaborator

Hey Will, I'm looking at the BIP327 spec and realizing that it's different than what I've implemented (over a year ago). Thus, I would hold off until the updates to the library for making it BIP327 compliant are done. Sorry for the hassle!

@wip-abramson
Author

Sure, no worries.

What are the differences out of interest?

@jimmysong
Collaborator

Very specific ways to generate the nonce, ways to add more than one tweak and so on. I've got all the tests passing, it's just a matter of getting it ready as a PR.

@wip-abramson
Author

Any updates on this issue?

It seems per BIP341 all taproot addresses should include a tweak, and in the case where a TapScript is not required the tweak should commit to an unspendable TapScript. I had a look in the code, but couldn't find it in there.

> If the spending conditions do not require a script path, the output key should commit to an unspendable script path instead of having no script path. This can be achieved by computing the output key point as Q = P + int(hashTapTweak(bytes(P)))G. [23]

https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki
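The mismatch discussed in this thread, as an added example that is not part of the thread and not buidl's code: a pure-Python BIP340 sketch in which a single secret key `d` stands in for the MuSig aggregate key, showing that a signature under the untweaked key P fails against the tweaked output key Q, while one made with the tweaked key verifies. All helper names, the fixed nonces and the sighash are constructed for the demonstration; it does not implement MuSig nonce generation or partial signatures.

```python
import hashlib
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % p == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, p) % p
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, p) % p
    x = (lam * lam - a[0] - b[0]) % p
    return (x, (lam * (a[0] - x) - a[1]) % p)

def mul(k, pt):  # double-and-add, not constant time
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r
def tagged(tag, msg):  # BIP340 tagged hash, as an integer
    t = hashlib.sha256(tag.encode()).digest()
    return int.from_bytes(hashlib.sha256(t + t + msg).digest(), "big")
def xb(pt): return pt[0].to_bytes(32, "big")  # x-only serialization
def even_key(s): return s if mul(s, G)[1] % 2 == 0 else n - s  # scalar whose point has even y

def sign(d, msg, k):  # BIP340 signing equation with a caller-supplied nonce k
    d, k = even_key(d), even_key(k)
    R = mul(k, G)
    e = tagged("BIP0340/challenge", xb(R) + xb(mul(d, G)) + msg) % n
    return xb(R) + ((k + e * d) % n).to_bytes(32, "big")

def verify(pub_x, msg, sig):  # BIP340 verification; assumes pub_x is a valid x coordinate
    x = int.from_bytes(pub_x, "big")
    y = pow((pow(x, 3, p) + 7) % p, (p + 1) // 4, p)
    P = (x, y if y % 2 == 0 else p - y)
    e = tagged("BIP0340/challenge", sig[:32] + pub_x + msg) % n
    R = add(mul(int.from_bytes(sig[32:], "big"), G), mul(n - e, P))
    return R is not None and R[1] % 2 == 0 and xb(R) == sig[:32]

def keypath_tweak(d):  # no script tree: Q = P + int(hashTapTweak(bytes(P)))G
    d = even_key(d)
    t = tagged("TapTweak", xb(mul(d, G))) % n  # BIP341 rejects t >= n; reduced here for brevity
    return (d + t) % n, xb(add(mul(d, G), mul(t, G)))

def demo():  # constructed key, nonces and sighash
    d, k1, k2, msg = 0xA11CE, 0xB0B, 0xC0FFEE, hashlib.sha256(b"constructed sighash").digest()
    d_tweaked, q = keypath_tweak(d)
    plain, tweaked = sign(d, msg, k1), sign(d_tweaked, msg, k2)
    return verify(xb(mul(d, G)), msg, plain), verify(q, msg, plain), verify(q, msg, tweaked)
```

`demo()` returns the three verification results in order: untweaked signature against P, untweaked signature against Q, tweaked signature against Q. Because the challenge hash covers the public key, the signature has to be produced against Q from the start rather than adjusted afterwards.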
