Published on: 2020-10-10T23:47:11+00:00
Lloyd Fournier, in a post on the Lightning-dev mailing list, suggests that a two-round MuSig protocol can be utilized safely within the lightning network. He argues that this approach would eliminate the need for an additional round of communication required by the current three-round MuSig protocol when forwarding payments. Fournier acknowledges that the original MuSig paper raised concerns about the security of its signing algorithm under parallel composition. However, he contends that the two-round MuSig protocol is secure under sequential composition, which aligns with the nature of lightning channels. In addition, Fournier explains how point-time locked contracts (PTLCs) could function using the two-round MuSig protocol. He claims that a fully scriptless lightning protocol employing this approach can achieve an irrevocably committed state without requiring extra rounds of communication. Nonetheless, it does involve additional storage for each PTLC in the commitment transaction and requires an extra round to "fully" update the state between parties, although it does not impede payment forwarding. Fournier concludes his post by clarifying that he does not assert this as the optimal path forward, but rather intends to gather feedback and opinions from others regarding his observation. In a recent evaluation by Z, examining "purely scriptless" lightning channels following taproot/schnorr, it was determined that even in the most optimized scenario, the three-round MuSig protocol still necessitates an extra round of communication prior to forwarding a payment. However, the original MuSig paper proposed the use of a two-round MuSig signing algorithm once keys A and B had been established for Alice and Bob. This algorithm, which does not rely on MuSig-DN magic, involves Alice selecting a random value ra and calculating Ra = ra * G, while Bob selects rb and calculates Rb = rb * G. These values are then used to compute c = H(Ra + Rb || A + B || m) and sb = rb + cb. For further reading, the post provides links to both the original MuSig paper and Zeeman's evaluation of purely scriptless lightning channels.
Updated on: 2023-07-31T23:05:31.489460+00:00