Slight rewrite of evenness byte explanation for clarity
kdmukai committed Dec 17, 2024
1 parent 6521dfd commit 45e626f
Showing 1 changed file with 10 additions and 11 deletions.
21 changes: 10 additions & 11 deletions bip-0373.mediawiki
@@ -52,17 +52,16 @@ The new per-input types are defined as follows:
| rowspan="2"| 0, 2
|-
| The MuSig2 aggregate public key (compressed) <ref>'''Why the compressed aggregate public key instead of x-only?'''
BIP 32 requires public keys to include their evenness byte. Aggregate public keys are expected to be
derived from, following [[bip-0328.mediawiki|BIP 328]], and therefore will
need to include the evenness. Furthermore, PSBT_IN_TAP_BIP32_DERIVATION fields include fingerprints
to identify master keys, and these fingerprints require y-coordinate of the public key,
so x-only serialization can't be used. By including
the aggregate key as a full public key, signers that are unaware of the MuSig2 outside of the PSBT
will still be able to identify which keys are derived from the aggregate key by computing and then
comparing the fingerprints. This is necessary for the signer to apply the correct tweaks to their
partial signature.</ref> from the <tt>KeyAgg</tt> algorithm. This key may or may not appear
(as x-only) in the Taproot output key, the internal key, or in a script. It may instead be a parent public
key from which the Taproot output key, internal key, or keys in a script were derived.
BIP 32 public keys can be derived from a BIP 327 MuSig2 aggregate public key (see: [[bip-0328.mediawiki|BIP 328]]).
But since BIP 32 requires public keys to include their evenness byte, BIP 327 MuSig2 aggregate public keys must
include their evenness byte as well. Furthermore, PSBT_IN_TAP_BIP32_DERIVATION fields include fingerprints to identify
master keys, and these fingerprints require the y-coordinate of the public key, so x-only serialization can't be used.
By including the aggregate key as a full public key, signers that are unaware of the MuSig2 outside of the PSBT will
still be able to identify which keys are derived from the aggregate key by computing and then comparing the
fingerprints. This is necessary for the signer to apply the correct tweaks to their partial signature.</ref> from the
<tt>KeyAgg</tt> algorithm. This key may or may not appear (as x-only) in the Taproot output key, the internal key, or
in a script. It may instead be a parent public key from which the Taproot output key, internal key, or keys in a script
were derived.
| A list of the compressed public keys of the participants in the MuSig2 aggregate key in the order
required for aggregation. If sorting was done, then the keys must be in the sorted order.
|-
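Review bot: In the rewritten footnote, the fingerprint sentence still says the fingerprints "require the y-coordinate of the public key", while the two sentences before it now speak of the "evenness byte" and the field itself is specified as "(compressed)". A reader could take this to mean the full y-coordinate is needed; consider wording it as "these fingerprints require the evenness byte of the public key" so the three sentences use one term. Separately, "signers that are unaware of the MuSig2 outside of the PSBT" was carried over unchanged and reads awkwardly; since this commit is a clarity pass, "unaware of the MuSig2 setup outside of the PSBT" or dropping "the" would help.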