citadel-tech / coinswap

Functioning, minimal-viable binaries and libraries to perform a trustless, p2p Maxwell-Belcher Coinswap Protocol
https://gist.github.com/chris-belcher/9144bd57a91c194e332fb5ca371d0964

design for taproot + musig2 swap #167

Open 007harshmahajan opened 1 month ago

007harshmahajan commented 1 month ago

Coinswap with taproot and Musig2

Swapping the coins with taproot as the scripting layer and MuSig2 key aggregation will improve the privacy of swaps, as a swap will look the same as any other taproot transaction.

Changes from the existing coinswap implementation

taproot contract

Key aggregation for multi-signature: Both parties will supply a pub key and a single-use pub nonce, both derived from the priv key and priv nonce respectively.

Key-path spending: The 2-of-2 aggregated key is used as the internal key for script-less spending of the coins. This will require both private keys and both private nonces.

Script-path spend: It contains 2 script paths, one with a timelock and the other with a hashlock. Bitcoin Script will be used to code these timelock and hashlock conditions.

Diagrams of the transactions:

Alice contract tx:
multisig (Alice+Bob) ---> (Alice + timelock_A OR Bob + hash)

Bob contract tx:
multisig (Bob+Alice) ---> (Bob + timelock_B OR Alice + hash)

Message protocol

 | Alice                        |                              Bob |
 |==============================|==================================|
 | send pubkey and pub nonce   ---->                               |
 |                             <----  send pubkey and pub nonce    |
 | send contract txn to sign   ---->                               |
 |                             <----  send signed contract txn     |
 ****************** ALICE FUNDING TXN BROADCAST *******************
 |                             <----  send contract txn to sign    |
 | send signed contract txn    ---->                               |
 ******************* BOB FUNDING TXN BROADCAST ********************
 | send priv-key & priv-nonce  ---->                               |
 |                             <----  send priv-key & priv-nonce   |
 ************************** SWAP COMPLETE *************************

Transaction construction

                            [taproot pubkey]
                                    |
            [tweaked internal key (aggregated Musig2 key)]
                                    |
                                [TapBranch]
                                    |
                     -----------------------------------
                    |                                   |
          [Tapleaf (hashlock)]          [Tapleaf (timelock)]

Tapscript descriptors

taproot descriptor    = tp(P,[taptree descriptor])
timelock              = ts(csaolder( k, keys, delay))
hashlock              = ts(csahasholder( k, keys, digest, delay ))

mojoX911 commented 3 weeks ago

I have made the following modification. Let me know if it makes sense.

There is no separate funding and contract transaction now. All together in one transaction via the taproot tree, now referred to as the funding tx.

At the end of the round, instead of privkey handover, they send each other the partial sig for the keypath spend. With this partial sig they can individually construct the musig and spend the funding tx via keypath.

| Alice                                    | Bob                                    |
|==========================================|========================================|
| send pubkey and pub nonce        ---->   |                                        |
|                                          | <---- send pubkey and pub nonce        |
**************** ALICE FUNDING TXN BROADCAST ****************
***************** BOB FUNDING TXN BROADCAST *****************
| send hash preimage for scriptpath ---->  |                                        |
|                                          | <---- send hash preimage for scriptpath|
| send partial sig for keypath     ---->   |                                        |
|                                          | <---- send partial sig for keypath     |
********************** SWAP COMPLETE ***********************
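The keypath flow of the revised protocol above (pubkey and pub nonce exchange, then a partial sig exchange after which each side finalises alone), together with the taptree from the first comment's diagram, as an added worked example. This is not code from the coinswap project or from either commenter: it is a stdlib-only Python 2-of-2 MuSig2-style signing session that follows BIP327's key aggregation, x-only tweak and partial-signature rules, with the aggregated key as the taproot internal key and the tweak committing to the TapBranch of a hashlock leaf and a timelock leaf. Everything concrete is assumed or constructed for the example: the leaf scripts, the 32-byte message standing in for the BIP341 sighash, all keys and nonces, and the `Signer`/`session`/`partial_sign`/`partial_verify` names. Rare edge cases BIP327 handles (an aggregate nonce at infinity, duplicate keys) are skipped, and the `tp`/`ts`/`csaolder`/`csahasholder` descriptor notation from the first comment is not modelled.

```python
# Added example (not coinswap project code): 2-of-2 MuSig2-style keypath spend of the taproot
# output described in this thread. Pure Python, stdlib only; keys, nonces and scripts are constructed.
import hashlib, secrets

P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine secp256k1 point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add; k is reduced mod N, so N-1 acts as point negation
    r, k = None, k % N
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def th(tag, *parts):  # BIP340 tagged hash
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + b"".join(parts)).digest()
xb = lambda pt: pt[0].to_bytes(32, "big")            # x-only key encoding
cb = lambda pt: bytes([2 + pt[1] % 2]) + xb(pt)      # compressed (plain) key encoding
even = lambda pt: pt[1] % 2 == 0

def lift_x(b):  # x-only bytes -> curve point with even y (assumes x is on the curve)
    x = int.from_bytes(b, "big")
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)
    return x, y if y % 2 == 0 else P - y

def tapleaf(script):  # BIP341 leaf hash, tapscript leaf version 0xc0, script shorter than 253 bytes
    return th("TapLeaf", b"\xc0", bytes([len(script)]), script)
def taptree_root(leaf_a, leaf_b):  # TapBranch over the diagram's two leaves (hashlock, timelock)
    return th("TapBranch", *sorted([leaf_a, leaf_b]))

def key_agg(pubs):  # BIP327-style KeyAgg over sorted plain keys -> (Q, coefficient per key)
    pubs = sorted(pubs, key=cb)
    L = th("KeyAgg list", *[cb(p) for p in pubs])
    second = next((cb(p) for p in pubs if cb(p) != cb(pubs[0])), None)
    coef = {cb(p): 1 if cb(p) == second else
            int.from_bytes(th("KeyAgg coefficient", L, cb(p)), "big") % N for p in pubs}
    Q = None
    for p in pubs: Q = add(Q, mul(coef[cb(p)], p))
    return Q, coef

class Signer:  # one swap party: a key and a single-use nonce pair (a nonce pair must never be reused)
    def __init__(self):
        self.x = 1 + secrets.randbelow(N - 1); self.pub = mul(self.x, G)
        self.k = [1 + secrets.randbelow(N - 1) for _ in range(2)]   # priv nonces, never sent
        self.pubnonce = [mul(k, G) for k in self.k]                  # first message to the peer

def session(pubs, pubnonces, merkle_root, msg):  # values both parties derive from the public data
    Q, coef = key_agg(pubs)
    g_acc = 1 if even(Q) else N - 1                   # x-only tweak treats Q as even-y
    t = int.from_bytes(th("TapTweak", xb(Q), merkle_root), "big") % N
    Qt = add(mul(g_acc, Q), mul(t, G))                # taproot output key; internal key = MuSig2 key
    g = 1 if even(Qt) else N - 1                      # BIP340 signs for the even-y output key
    R1 = add(pubnonces[0][0], pubnonces[1][0]); R2 = add(pubnonces[0][1], pubnonces[1][1])
    b = int.from_bytes(th("MuSig/noncecoef", cb(R1), cb(R2), xb(Qt), msg), "big") % N
    R = add(R1, mul(b, R2))
    e = int.from_bytes(th("BIP0340/challenge", xb(R), xb(Qt), msg), "big") % N
    return dict(coef=coef, g_acc=g_acc, t=t, Qt=Qt, g=g, b=b, R=R, e=e)

def partial_sign(s, me):  # the "partial sig for keypath" each side sends at the end of the round
    k1, k2 = me.k if even(s["R"]) else [N - k for k in me.k]
    d = s["g"] * s["g_acc"] * me.x % N
    return (k1 + s["b"] * k2 + s["e"] * s["coef"][cb(me.pub)] * d) % N
def partial_verify(s, psig, pub, pubnonce):  # check the peer's partial sig before relying on it
    R1, R2 = pubnonce if even(s["R"]) else [mul(N - 1, p) for p in pubnonce]
    expect = add(add(R1, mul(s["b"], R2)), mul(s["e"] * s["coef"][cb(pub)] * s["g"] * s["g_acc"], pub))
    return mul(psig, G) == expect
def agg_sig(s, psigs):  # final BIP340 signature: R.x || (sum of partials + e*g*t)
    return xb(s["R"]) + ((sum(psigs) + s["e"] * s["g"] * s["t"]) % N).to_bytes(32, "big")

def bip340_verify(pubkey_x, msg, sig):
    r, sv = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    e = int.from_bytes(th("BIP0340/challenge", sig[:32], pubkey_x, msg), "big") % N
    R = add(mul(sv, G), mul(N - e, lift_x(pubkey_x)))
    return R is not None and even(R) and R[0] == r

def keypath_swap_demo():  # returns (keypath sig valid?, sig, output key x, msg)
    alice, bob = Signer(), Signer()
    # Illustrative leaf scripts for the diagram's two script paths (constructed for this example).
    digest = hashlib.sha256(secrets.token_bytes(32)).digest()
    hashlock = b"\xa8\x20" + digest + b"\x88\x20" + xb(bob.pub) + b"\xac"   # OP_SHA256 <h> OP_EQUALVERIFY <pk_B> OP_CHECKSIG
    timelock = b"\x02\x90\x00\xb2\x75\x20" + xb(alice.pub) + b"\xac"      # <144> OP_CSV OP_DROP <pk_A> OP_CHECKSIG
    root = taptree_root(tapleaf(hashlock), tapleaf(timelock))
    msg = hashlib.sha256(b"constructed stand-in for the BIP341 sighash").digest()
    pubs, nonces = [alice.pub, bob.pub], [alice.pubnonce, bob.pubnonce]  # first message, both directions
    sa, sb = session(pubs, nonces, root, msg), session(pubs, nonces, root, msg)
    psig_a, psig_b = partial_sign(sa, alice), partial_sign(sb, bob)     # last message, both directions
    if not partial_verify(sb, psig_a, alice.pub, alice.pubnonce): raise ValueError("bad partial sig from Alice")
    if not partial_verify(sa, psig_b, bob.pub, bob.pubnonce): raise ValueError("bad partial sig from Bob")
    sig = agg_sig(sb, [psig_a, psig_b])   # Bob finalises on his own; Alice can do the same with sa
    return bip340_verify(xb(sb["Qt"]), msg, sig), sig, xb(sb["Qt"]), msg
```

The check worth keeping from this is `partial_verify`: each side verifies the peer's partial sig against the peer's pubkey and pub nonce before treating the swap as complete, since a bad partial sig leaves that side unable to build a valid keypath signature and dependent on the script paths. The nonce pair in `Signer` is single-use; signing a second message with the same pair reveals the signing key, which is why the pub nonce is sent fresh at the start of every round.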