Is static Musig2 key with a variable tweak safe?

I’d like to create taproot addresses where the key path is using musig2 with a script path that contains a refund script, that can be spent with a single key after a delay:

  • key path: user_key + server_key
  • script path: user_refund_key + refund_delay

I’d like to avoid address reuse, so I want to rotate the user keys. What I’m wondering is if it’s safe to only rotate the user_refund_key?

That would keep the user_key and server_key static, which makes it easier to express in a descriptor used for refunds and easier to manage on the server side.

Seems completely standard? Any reason why you’d expect it wouldn’t be safe?

Not at all, I do think this is safe as well, but I wanted to have wizard confirmations before we implement and deploy this! 😅

So your proposal is to effectively use (abusing notation slightly):

tr(musig2(user,server),[and(pk(user_refund),older(delay))])

The only potential concern I see with only rotating user_refund is that if you have two distinct outputs which both get spent through the script path, they can be recognized as being from the same party(ies), as the internal keys will be identical.

Thanks, that’s a very good point! That rotation only really protects inputs spent through the key path.

I think that could be acceptable in our case, as the script path is only there in case the server disappears or is unable to cooperate and should hopefully never be used (but is a fail-safe to guarantee that the user cannot lose access to their funds).
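
Added example, not part of the thread or of any participant's code: a BIP341 output-key computation showing that rotating only user_refund yields distinct output keys, while the script-path control block exposes the same internal key every time. Assumptions: the internal key is a constructed stand-in for the musig2(user,server) aggregate (key aggregation is not implemented), the refund keys and the 144-block delay are constructed, and the leaf is encoded as `<user_refund> OP_CHECKSIGVERIFY <delay> OP_CHECKSEQUENCEVERIFY`.

```python
import hashlib
# secp256k1 field prime, group order and generator
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P)
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        r, pt, k = (add(r, pt) if k & 1 else r), add(pt, pt), k >> 1
    return r

def tagged(tag, msg):  # BIP340 tagged hash
    h = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(h + h + msg).digest()

def even_point(d):  # point for constructed secret d, negated if needed so y is even
    x, y = mul(d, G)
    return x, (y if y % 2 == 0 else P - y)

def refund_output(internal, refund_x, delay):
    """Return (x-only output key, control block) for a single refund leaf."""
    px = internal[0].to_bytes(32, "big")
    # minimal script-number encoding; assumes delay > 16
    num = delay.to_bytes((delay.bit_length() + 8) // 8, "little")
    # assumed leaf: <user_refund> OP_CHECKSIGVERIFY <delay> OP_CHECKSEQUENCEVERIFY
    script = b"\x20" + refund_x + b"\xad" + bytes([len(num)]) + num + b"\xb2"
    leaf = tagged("TapLeaf", b"\xc0" + bytes([len(script)]) + script)
    t = int.from_bytes(tagged("TapTweak", px + leaf), "big")  # merkle root = leaf
    q = add(internal, mul(t, G))  # Q = P + t*G
    return q[0].to_bytes(32, "big"), bytes([0xc0 | (q[1] & 1)]) + px

INTERNAL = even_point(0x1111)  # constructed stand-in for the static aggregate key

def rotate(i):  # i-th address: only the (constructed) refund key changes
    refund_x = even_point(0x2222 + i)[0].to_bytes(32, "big")
    return refund_output(INTERNAL, refund_x, 144)
```

Comparing `rotate(0)` and `rotate(1)` shows different output keys, but bytes 1 to 32 of both control blocks are the same internal key, which is what an observer sees if both outputs are spent through the refund path.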