Implement multisig for Taproot

trezor / trezor-firmware

:lock: Trezor Firmware Monorepo

https://trezor.io

Other

1.36k stars 661 forks source link

Implement multisig for Taproot #1946

Open andrewkozlik opened 2 years ago

andrewkozlik commented 2 years ago

There are a number of options how to implement multisig with Taproot [1], so first we have to decide which one(s) we will implement. Using a single OP_CHECKSIGADD-based script is the simplest and most similar to the way classic multisig works. Nevertheless we want to wait for Casa and Unchained Capital to see what they want to aim for.

[1] https://github.com/bitcoin/bips/blob/master/bip-0342.mediawiki#cite_note-5

prusnak commented 2 years ago

I pinged Casa and Unchained Capital folks to chime in ...

afsheenb commented 2 years ago

On behalf of Unchained: we've been discussing internally how best to implement multisig on Taproot and have a final meeting scheduled for mid-December. I'll report back and chime in with our plans then.

jlopp commented 2 years ago

Given the interactivity requirements of other tapscript constructions, I expect Casa will move forward with OP_CHECKSIGADD

andrewkozlik commented 2 years ago

Given the interactivity requirements of other tapscript constructions, I expect Casa will move forward with OP_CHECKSIGADD

@jlopp, would that be using a single OP_CHECKSIGADD-based k-of-n script or a k-of-k script for every combination of pubkeys? The advantages and disadvantages of the two are discussed in https://github.com/bitcoin/bips/blob/master/bip-0342.mediawiki#cite_note-5. If I am not mistaken, Casa uses 2-of-3 multisig and 3-of-5 multisig. On average the single OP_CHECKSIGADD-based k-of-n script is better in both cases in terms of the size of the resulting witnesses. But note the words "on average". If you optimize the Merkle tree for the happy path / typical use case, then the k-of-k script for every combination may be more optimal in terms of witness size for the happy path.

jlopp commented 2 years ago

Single OP_CHECKSIGADD-based k-of-n script, otherwise we'd have to change the UX to force users to either preselect which keys they're signing with, or have them sign multiple leaves of the tapscript.

afsheenb commented 2 years ago

Chiming in again after our meeting: we're hoping to support both of the two OP_CHECKSIGADD based approaches mentioned in BIP 342, with a preference for the k-of-k script (though we anticipate making use of the k-of-n script as well).

melroy89 commented 2 years ago

Any update?

deepsimulation commented 1 year ago

Hi @prusnak,

Any update on this?

andrewtoth commented 2 months ago

Added the basic OP_CHECKSIGADD funtionality in https://github.com/trezor/trezor-firmware/pull/4159

nvk commented 2 months ago

I was tagged here but I don't see the comment.

andrewtoth commented 2 months ago

It was deleted just now after my comment.

prusnak commented 2 months ago

there was nothing in the comment, except for the tag - i considered it a spam, because it added no value to the discussion, so I deleted it