{"type":"rich","version":"1.0","title":"ZmnSCPxj [ARCHIVE] wrote","author_name":"ZmnSCPxj [ARCHIVE] (npub1g5ā€¦3ms3l)","author_url":"https://yabu.me/npub1g5zswf6y48f7fy90jf3tlcuwdmjn8znhzaa4vkmtxaeskca8hpss23ms3l","provider_name":"njump","provider_url":"https://yabu.me","html":"šŸ“… Original date posted:2021-12-06\nšŸ“ Original message:\nGood morning t-bast,\n\nLong ago: https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-December/002385.html\n\nAnd I quote:\n\n\u003e\u003e A potential issue with MuSig is the increased number of communication rounds needed to generate signatures.\n\u003e\n\u003eI think you can reduce this via an alternative script path. In\n\u003eparticular, if you want a script that the other guy can spend if they\n\u003ereveal the discrete log of point X, with musig you do:\n\u003e\n\u003e P = H(H(A,B),1)*A + H(H(A,B),2)*B\n\u003e [exchange H(RA),H(RB),RA,RB]\n\u003e\n\u003e [send X]\n\u003e\n\u003e sb = rb + H(RA+RB+X,P,m)*H(H(A,B),2)*b\n\u003e\n\u003e [wait for sb]\n\u003e\n\u003e sa = ra + H(RA+RB+X,P,m)*H(H(A,B),1)*a\n\u003e\n\u003e [store RA+RB+X, sa+sb, supply sa, watch for sig]\n\u003e\n\u003e sig = (RA+RB+X, sa+sb+x)\n\u003e\n\u003eSo the 1.5 round trips are \"I want to do a PTLC for X\", \"okay here's\n\u003esb\", \"great, here's sa\".\n\u003e\n\u003eBut with taproot you can have a script path as well, so you could have a\n\u003escript:\n\u003e\n\u003e A CHECKSIGVERIFY B CHECKSIG\n\u003e\n\u003eand supply a partial signature:\n\u003e\n\u003e R+X,s,X where s = r + H(R+X,A,m)*a\n\u003e\n\u003eto allow them to satisfy \"A CHECKSIGVERIFY\" if they know the discrete\n\u003elog of X, and of course they can sign with B at any time. This is only\n\u003ehalf a round trip, and can be done at the same time as sending the \"I\n\u003ewant to do a PTLC for X\" message to setup the (ultimately cheaper) MuSig\n\u003espend. It's an extra signature on the sender's side and an extra verification\n\u003eon the receiver's side, but I think it works out fine.\n\nIt has been a while since I read that post, so my details may be fuzzy, but it looks possible as a way to reduce roundtrips, maybe?\n\nBasically, if my memory and understanding are accurate, in the above, it is the *PTLC-offerrer* which provides an adaptor signature.\nThat adaptor signature would be included in the `update_add_ptlc` message.\n\nDoes it become more workable that way?\n\nRegards,\nZmnSCPxj"}