Author: Jonas Nick 2022-04-28 19:18:34
Published on: 2022-04-28T19:18:34+00:00
The BIP draft is already useful and the test vectors have been extracted. To apply the Taproot tweak with the key aggregation algorithm, an implementation needs to make the pre-tweaked combined key available to the caller. However, the specified algorithms in the BIP unnecessarily recompute certain values which makes it not intuitive at all when calling KeyAgg multiple times for the same set of public keys. The approach taken in btcd makes sense but the specification needs to avoid specifying exactly how the tweaks are derived. Key aggregation and tweaking are separated into different functions in the libsecp256k1-zkp implementation, which requires keeping state between them. A precise specification has been made to replace the description of this signing mode in a PR that was opened. As a result, the last party doesn't need to worry about their nonce even if other parties use bad randomness. The author will investigate how in the BIP, they can also split key aggregation and tweaking and minimize complexity. The link to the PR is included.
Updated on: 2023-06-15T18:49:31.592548+00:00