test vectors: mention that plain after x-only tweaking is optional

bip-musig2.mediawiki

@@ -55,13 +55,27 @@ The MuSig2 variant in this specification stands out by combining all of the foll
 * '''MuSig2* optimization''': The specification uses an optimization that allows saving a point multiplication in key aggregation. The MuSig2 scheme with this optimization is called MuSig2* and proven secure in the appendix of the [https://eprint.iacr.org/2020/1261 MuSig2 paper]. The optimization is that the second distinct key in the list of public keys given to the key aggregation algorithm (as well as any keys identical to this key) gets the constant key aggregation coefficient ''1''.
 * '''Parameterization of MuSig2 and security''': In this specification, each signer's nonce consists of two elliptic curve points. The [https://eprint.iacr.org/2020/1261 MuSig2 paper] gives distinct security proofs depending on the number of points that constitute a nonce. See section [[#choosing-the-size-of-the-nonce|Choosing the Size of the Nonce]] for a discussion.
 
+== Overview ==
+
+Implementers of the specification must make sure to understand this section thoroughly to avoid subtle mistakes that may lead to catastrophic failure.
+
 This specification is written with a focus on clarity.
 As a result, the specified algorithms are not always optimal in terms of computation and space.
 In particular, some values are recomputed but can be cached in actual implementations (see [[#signing-flow|Signing Flow]]).
 
-== Description of Signing Flow ==
+This BIP aims to provide a standard that supports a wide range of possible application scenarios.
+Given a specific application scenario, some features supported by this standard may be unnecessary or not desirable, and implementations can choose not to support them.
+
+Such features include:
+* Applying plain tweaks after x-only tweaks.
+* Applying tweaks at all.
+* Dealing with messages that are not exactly 32 bytes.
+* Identifying a disruptive signer after aborting (aborting itself remains mandatory).
+* Dealing with duplicate public keys in key aggregation.
+If applicable, the corresponding algorithms should simply fail when encountering inputs unsupported by a particular implementation. (For example, the signing algorithm may fail when given a message which is not 32 bytes.)
+Similarly, the test vectors that exercise the unimplemented features should be re-interpreted to expect an error, or be skipped if appropriate.
 
-When implementing the specification, make sure to understand this section thoroughly to avoid subtle mistakes that may lead to catastrophic failure.
+=== General Signing Flow ===
 
 The basic order of operations to create a multi-signature with the specification is as follows:
 The signers start by exchanging public keys and computing an aggregate public key using the ''KeyAgg'' algorithm.
@@ -172,7 +186,7 @@ Plain tweaking can be used to derive child public keys from an aggregate public
 On the other hand, X-only tweaking is required for Taproot tweaking per [https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki BIP341].
 A Taproot-tweaked public key commits to a ''script path'', allowing users to create transaction outputs that are spendable either with a MuSig2 multi-signature or by providing inputs that satisfy the script path.
 
-== Specification ==
+== Algorithms ==
 
 === Notation ===
 
@@ -480,7 +494,7 @@ The reference implementation is for demonstration purposes only and not to be us
 
 === Modifications to Nonce Generation ===
 
-Implementors must avoid modifying the ''NonceGen'' algorithm without being fully aware of the implications.
+Implementers must avoid modifying the ''NonceGen'' algorithm without being fully aware of the implications.
 We provide two modifications that are secure when applied correctly and may be useful in special circumstances, summarized in the following table.
 
 {| class="wikitable" style="margin:auto"
@@ -679,6 +693,7 @@ An exception to this rule is <code>MAJOR</code> version zero (0.y.z) which is fo
 The <code>MINOR</code> version is incremented whenever the inputs or the output of an algorithm changes in a backward-compatible way or new backward-compatible functionality is added.
 The <code>PATCH</code> version is incremented for other changes that are noteworthy (bug fixes, test vectors, important clarifications, etc.).
 
+* '''0.8.6''' (2022-09-15): Clarify that implementations do not need to support every features and add a test vector for signing with a tweaked key 
 * '''0.8.5''' (2022-09-05): Rename some functions to improve clarity.
 * '''0.8.4''' (2022-09-02): Make naming of nonce variants ''R'' in specification and reference code easier to read and more consistent.
 * '''0.8.3''' (2022-09-01): Overwrite ''secnonce'' in ''sign'' reference implementation to help prevent accidental reuse and add test vector for invalid ''secnonce''.

bip-musig2/tweak_vectors.json

@@ -48,14 +48,23 @@
             "expected": "408A0A21C4A0F5DACAF9646AD6EB6FECD7F7A11F03ED1F48DFFF2185BC2C2408",
             "comment": "A plain tweak followed by an x-only tweak"
         },
+        {
+            "key_indices": [1, 2, 0],
+            "nonce_indices": [1, 2, 0],
+            "tweak_indices": [0, 1, 2, 3],
+            "is_xonly": [false, false, true, true],
+            "signer_index": 2,
+            "expected": "45ABD206E61E3DF2EC9E264A6FEC8292141A633C28586388235541F9ADE75435",
+            "comment": "Four tweaks: plain, plain, x-only, x-only."
+        },
         {
             "key_indices": [1, 2, 0],
             "nonce_indices": [1, 2, 0],
             "tweak_indices": [0, 1, 2, 3],
             "is_xonly": [true, false, true, false],
             "signer_index": 2,
             "expected": "B255FDCAC27B40C7CE7848E2D3B7BF5EA0ED756DA81565AC804CCCA3E1D5D239",
-            "comment": "Four tweaks: x-only, plain, x-only, plain"
+            "comment": "Four tweaks: x-only, plain, x-only, plain. If an implementation prohibits applying plain tweaks after x-only tweaks, it can skip this test vector or return an error."
         }
     ],
     "error_test_cases": [