Add Thresh Metr Musig writeup

jonasnick · jonasnick · commit b39355fe8854 · 2022-01-25T22:16:44.000Z
diff --git a/README.md b/README.md
@@ -14,3 +14,5 @@ Scriptless scripts is an approach to designing cryptographic protocol on top of
   * Multi-hop locks are protocols that allow two parties to exchange coins and proof of payment without requiring a mutual funding multisig output (also known as "Lightning with Scriptless Scripts"). 
 * **[Non-Interactive Threshold Escrow (NITE)](md/NITE.md)**
   * NITE allows non-interactively setting up certain threshold policies on-chain, as well as off-chain if it is combined with [multi-hop locks](md/multi-hop-locks.md).
+* **[Thresh Metr MuSig](md/thresh-metr.md)**
+  * This document discusses approaches to express THRESHold spending policies with MErkle TRees and MuSig.
diff --git a/md/thresh-metr.md b/md/thresh-metr.md
@@ -0,0 +1,93 @@
+# Thresh Metr MuSig
+
+This document discusses approaches to express THRESHold spending policies with MErkle TRees and MuSig.
+
+## Introduction
+
+There are multiple ways to set up a t-of-n threshold spending policy with Taproot.
+The most space efficient and private option is to use a threshold signature scheme like FROST to create a single public key and use that as the Taproot output key.
+No script spending and therefore no Taproot Merkle tree needed.
+However, threshold signatures are not always an option.
+For example, because storing the key shares is inconvenient, threshold signing isn't robust in general or simply because no suitable threshold implementation exists.
+
+It is well known that a t-of-n threshold policy can also be implemented with a Taproot tree of t-of-t spending policies.
+
+For example, a 2-of-3 policy can be expressed as a disjunction of three conjunctions:
+```
+2-of-{Alice, Bob, Charlie} = (Alice and Bob) or (Alice and Charlie) or (Bob and Charlie)
+```
+
+Using MuSig key aggregation, one can build a Taproot tree for this policy as follows:
+```
+KeyAgg(A, B)
+|           \
+|            \
+|             \
+KeyAgg(A, C)   KeyAgg(B, C)
+```
+where the root is the Taproot output key and the leaf public keys are committed to the Merkle Tree along with the `OP_CHECKSIGVERIFY` opcode.
+
+Compared to a `CHECKSIGADD`-based solution that always requires two signatures of three public keys, the advantage of this approach is better fungibility and efficiency.
+
+We call a tree representing a t-of-n threshold policy *fully MuSig merkleized* if it purely consists of t-of-t spending conditions.
+The problem with such a tree is that the number of t-of-t conditions grows quickly (Example: n = 15, t = 11, "n choose t" = 15504).
+As a result the Merkle proofs become large for practical purposes (Example: log_2("n choose t") = 13).
+Moreover, in order to minimize the time to obtain a signature one is required to run the MuSig protocol for all t-of-t spending conditions in parallel, which is a large number in a fully MuSig merkleized tree.
+
+## Assumption: Only up to k signers are non-cooperative most of the time
+
+One idea to mitigate these issues comes from the observation that in many scenarios more than t parties are willing to sign.
+If we can bound the number of non-cooperative signers to be no more than some k < n - t, we can create a much more efficient spending tree, which we call *k MuSig merkleized*.
+
+To set up such a tree, we start by creating a worst case spending condition, which is just a script with n public keys and a `CHECKSIGADD` opcode that requires t signatures.
+This is used as a fall back if more than k signers are non-cooperative.
+As in the case of fully MuSig merkleized trees, the remaining spending paths consist of *t-combinations* (combinations of size t) of the n public keys.
+
+Now, knowing that only up to k signers are non-cooperative and we have a fall back in the form of a `CHECKSIGADD` path, we do not need all "n choose t"-many combinations in the tree.
+For example, a 3-of-5 threshold policy has t-combinations c0 = (0, 1, 2), c1 = (2, 3, 4), c2 = (1, 2, 3), etc.
+With k = 1 however, combination c2 is redundant.
+It would only be useful if signer 0 or signer 4 is absent, but in the former case we can use c1 and in the latter c2.
+
+Let us define how a k MuSig merkleized tree for a t-of-n threshold looks like in general:
+- Let C be the t-combinations of n public keys.
+- Let D be the k-combinations of n public keys.
+- Let Cp be the smallest subset of C such that for all d in D there exists c in Cp such that the intersection of c and d is empty.
+
+We want the MuSig key aggregate of every combination in Cp to appear in the tree.
+There are multiple ways to lay out the tree.
+For example, one of the combinations can be used as the taproot output key, the `CHECKSIGADD` fall back is a child of the and the rest of the combinations are arranged as a balanced tree that is the second child of the root key.
+
+```
+KeyAgg(c in Cp)
+|              \
+|               \
+|                \
+fall back script  balanced tree of KeyAgg(c') for all c' in Cp\{c}
+```
+
+The (inefficient and non-optimal) algorithm [thresh-metr.py](thresh-metr.py) gives the following output, demonstrating that k MuSig merkleized trees offer significant improvements over fully merkleized trees:
+
+- 3-of-5 with up to 1 signers non-cooperative
+  - Parallel signing sessions: 4
+  - Everyone in key path cooperative: 1 sig, 1 pk: 96 WU
+  - Up to 1 non-cooperative:         1 sig, 1 pk, 2 deep: 160 WU
+  - More than 1 non-cooperative:     3 sig, 5 pk, 1 deep: 384 WU
+  - In Comparison, fully merkleized multisig (6 parallel sessions): 1 sig, 1 pk, 4 deep: 224 WU
+- 11-of-15 with up to 2 signers non-cooperative
+  - Parallel signing sessions: 32
+  - Everyone in key path cooperative: 1 sig, 1 pk: 96 WU
+  - Up to 2 non-cooperative:         1 sig, 1 pk, 6 deep: 288 WU
+  - More than 2 non-cooperative:     11 sig, 15 pk, 1 deep: 1216 WU
+  - In Comparison, fully merkleized multisig (1001 parallel sessions): 1 sig, 1 pk, 11 deep: 448 WU
+- 15-of-20 with up to 2 signers non-cooperative
+  - Parallel signing sessions: 39
+  - Everyone in key path cooperative: 1 sig, 1 pk: 96 WU
+  - Up to 2 non-cooperative:         1 sig, 1 pk, 7 deep: 320 WU
+  - More than 2 non-cooperative:     15 sig, 20 pk, 1 deep: 1632 WU
+  - In Comparison, fully merkleized multisig (11628 parallel sessions): 1 sig, 1 pk, 14 deep: 544 WU
+- 15-of-20 with up to 3 signers non-cooperative
+  - Parallel signing sessions: 248
+  - Everyone in key path cooperative: 1 sig, 1 pk: 96 WU
+  - Up to 3 non-cooperative:         1 sig, 1 pk, 9 deep: 384 WU
+  - More than 3 non-cooperative:     15 sig, 20 pk, 1 deep: 1632 WU
+  - In Comparison, fully merkleized multisig (11628 parallel sessions): 1 sig, 1 pk, 14 deep: 544 WU
diff --git a/md/thresh-metr.py b/md/thresh-metr.py
@@ -0,0 +1,136 @@
+import math
+from itertools import combinations as comb
+
+def combinations(n, t):
+    return [tuple(a) for a in comb(range(0, n), t)]
+
+# Test whether the proposed spending paths Cp are actually sane
+def test_paths(Cp, n, t, k):
+    if k > n - t:
+        return False
+    # no duplicates
+    if len(Cp) != len(set(Cp)):
+        return False
+    for c in Cp:
+        if len(c) != t:
+            return False
+        if max(c) >= n:
+            return False
+    D = combinations(n, k)
+    for d in D:
+        not_in_common = 0
+        for c in Cp:
+          c_set = set(c)
+          d_set = set(d)
+          if not (c_set & d_set):
+              not_in_common = 1
+        if not_in_common == 0:
+            return False
+    return True
+
+# Test test_paths
+n = 5
+t = 3
+k = 1
+assert(test_paths(combinations(n, t), n, t, k))
+assert(not test_paths([(1,2,3)], n, t, k))
+k = 2
+assert(test_paths(combinations(n, t), n, t, k))
+k = 1
+# 2 have 2 common, 1 has only one common
+assert(test_paths([(1,2,3), (0,2,3), (0,1,4)], n, t, k))
+# doesn't work since 0 is always a required signer
+assert(not test_paths([(0,1,2), (0,2,3), (0,1,4)], n, t, k))
+
+n = 6
+t = 4
+k = 1
+assert(test_paths(combinations(n, t), n, t, k))
+k = 2
+assert(test_paths(combinations(n, t), n, t, k))
+k = 1
+assert(test_paths([(1,2,3,4), (0,3,4,5), (0,1,2,5)], n, t, k))
+# has at most 2 common elements with every other
+
+# Check if d is a subset in any element of Cpdiff
+def d_included(Cpdiff, d):
+    for ci in Cpdiff:
+        # if all elements are included
+        if set(d).issubset(set(ci)):
+            return True
+    return False
+
+# Minimum size of intersection between c and all elements of Cp
+def mininsect(Cp, c, n):
+    m = n
+    for cp in Cp:
+        m_tmp = n - len(set(c).intersection(set(cp)))
+        if m_tmp < m:
+            m = m_tmp
+    return m
+
+# Generate t-of-n spending paths with up to k non-cooperative
+def generate_paths(n, t, k):
+    a = set(range(0,n))
+    C = combinations(n,t)
+    D = combinations(n,k)
+    Cp = []
+    Cpdiff = []
+    for d in D:
+        if d_included(Cpdiff, d):
+            continue
+        # choose some c
+        c_candidates = []
+        for c in C:
+            if not d_included([tuple(a.difference(set(c)))], d):
+                continue
+            if not c in Cp:
+                c_candidates += [(c, mininsect(Cp, c, n))]
+        c = max(c_candidates,key=lambda item:item[1])[0]
+        Cp += [(c)]
+        Cpdiff += [tuple(a.difference(set(c)))]
+    return Cp
+
+def cost(Cplen, n, t, k):
+    sig = 64
+    pk = 32
+    branch = 32
+    print("- %s-of-%s with up to %s signers non-cooperative" % (t, n, k))
+    # + 1 for for the cooperative case
+    spending_paths = Cplen + 1
+    print("  - Parallel signing sessions:", spending_paths)
+    print("  - Everyone in key path cooperative: 1 sig, 1 pk:", sig + pk, "WU")
+    # only balanced tree part, i.e. exclude keypath and fallback
+    tree_depth = math.ceil(1+math.log(spending_paths-2, 2))
+    print("  - Up to %s non-cooperative:         1 sig, 1 pk, %s deep: %s WU" % (k, tree_depth, sig + pk + tree_depth*branch))
+    print("  - More than %s non-cooperative:     %s sig, %s pk, 1 deep: %s WU" % (k, t, n, t*sig + n*pk + branch))
+    sessions = math.comb(n-1,t-1) # exclude combinations without the signer
+    tree_depth = math.ceil(math.log(math.comb(n, t), 2))
+    print("  - In Comparison, fully merkleized multisig (%s parallel sessions): 1 sig, 1 pk, %s deep: %s WU" % (sessions, tree_depth, sig + pk + tree_depth*branch))
+
+# Examples
+n = 5
+t = 3
+k = 1
+Cp = generate_paths(n,t,k)
+cost(len(Cp), n, t, k)
+assert(test_paths(Cp, n, t, k))
+
+n = 15
+t = 11
+k = 2
+Cp = generate_paths(n,t,k)
+cost(len(Cp), n, t, k)
+assert(test_paths(Cp, n, t, k))
+
+n = 20
+t = 15
+k = 2
+Cp = generate_paths(n,t,k)
+cost(len(Cp), n, t, k)
+assert(test_paths(Cp, n, t, k))
+
+k = 3
+Cp = generate_paths(n,t,k)
+cost(len(Cp), n, t, k)
+assert(test_paths(Cp, n, t, k))
