mirrors/bitcoin-bips
1
0
Fork 0
mirror of https://github.com/bitcoin/bips.git synced 2025-01-18 05:12:47 +01:00
Code Issues Projects Releases Wiki Activity

Slight rewrite of evenness byte explanation for clarity

Browse Source
This commit is contained in:
kdmukai 2024-12-16 14:01:25 -06:00 committed by kdmukai
parent 6521dfdd2c
commit 45e626feab
1 changed files with 10 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
bip-0373.mediawiki
View File

@ -52,17 +52,16 @@ The new per-input types are defined as follows:
| rowspan="2"| 0, 2
|-
| The MuSig2 aggregate public key (compressed) <ref>'''Why the compressed aggregate public key instead of x-only?'''
BIP 32 requires public keys to include their evenness byte. Aggregate public keys are expected to be
derived from, following [[bip-0328.mediawiki|BIP 328]], and therefore will
need to include the evenness. Furthermore, PSBT_IN_TAP_BIP32_DERIVATION fields include fingerprints
to identify master keys, and these fingerprints require y-coordinate of the public key,
so x-only serialization can't be used. By including
the aggregate key as a full public key, signers that are unaware of the MuSig2 outside of the PSBT
will still be able to identify which keys are derived from the aggregate key by computing and then
comparing the fingerprints. This is necessary for the signer to apply the correct tweaks to their
partial signature.</ref> from the <tt>KeyAgg</tt> algorithm. This key may or may not appear
(as x-only) in the Taproot output key, the internal key, or in a script. It may instead be a parent public
key from which the Taproot output key, internal key, or keys in a script were derived.
BIP 32 public keys can be derived from a BIP 327 MuSig2 aggregate public key (see: [[bip-0328.mediawiki|BIP 328]]).
But since BIP 32 requires public keys to include their evenness byte, BIP 327 MuSig2 aggregate public keys must
include their evenness byte as well. Furthermore, PSBT_IN_TAP_BIP32_DERIVATION fields include fingerprints to identify
master keys, and these fingerprints require the y-coordinate of the public key, so x-only serialization can't be used.
By including the aggregate key as a full public key, signers that are unaware of the MuSig2 outside of the PSBT will
still be able to identify which keys are derived from the aggregate key by computing and then comparing the
fingerprints. This is necessary for the signer to apply the correct tweaks to their partial signature.</ref> from the
<tt>KeyAgg</tt> algorithm. This key may or may not appear (as x-only) in the Taproot output key, the internal key, or
in a script. It may instead be a parent public key from which the Taproot output key, internal key, or keys in a script
were derived.
| A list of the compressed public keys of the participants in the MuSig2 aggregate key in the order
required for aggregation. If sorting was done, then the keys must be in the sorted order.
|-