This repository has been archived by the owner on Jun 6, 2024. It is now read-only.

musig: upgrade to 2-round scheme musig2 and allow recursive composition #493

Open
oleganza opened this issue Nov 30, 2020 · 2 comments

@oleganza
Contributor

The MuSig 2 update by Jonas Nick (@jonasnick), Tim Ruffing (@real-or-random), and Yannick Seurin reduces the number of rounds from 3 to 2 (no more exchange of "nonce precommitments") and, most importantly, allows clean composition of nested multikeys (when one of the keys is itself composed of multiple keys).

We should implement it in our musig crate.


@burdges

burdges commented Nov 30, 2020

We proved roughly the same result in https://eprint.iacr.org/2020/1245 too, so although proofs get mildly subtle, quite a few people have now convinced themselves that this is secure.

I deployed this in schnorrkel in January 2020, but kept around support for a three round trip version. I'm now many months overdue for removing that three-round support from schnorrkel. ;) Isis has an implementation running around already.

@real-or-random

> most importantly, allows clean composition of nested multikeys (when one of the keys is itself composed of multiple keys).

Note that this nested variant is not in the paper, so the paper doesn’t come with a security proof for it. And there are some subtle details that one needs to get right, e.g., what set of keys do you need to include in the H_agg hash, etc. We’re working on this but at the moment we’re not entirely sure yet that this can be done and proven secure in a reasonable model.
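
For reference, the flat (non-nested) two-round flow discussed in this thread, as an added example that is not code from this repository or from any commenter. It follows the MuSig2 paper's two-nonce signing over a toy 11-bit Schnorr group; the group parameters, the hash encoding and all function names are assumptions made for illustration, and the nested variant is not implemented.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed, insecure size): P = 2Q + 1, G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def H(tag, *parts):
    """Domain-separated hash to a scalar mod Q (stand-in for H_agg, H_non, H_sig)."""
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def key_agg(pubkeys):
    """X = prod X_i^a_i with a_i = H_agg(L, X_i), L being the full list of signer keys."""
    coeffs = {X: H("agg", sorted(pubkeys), X) for X in pubkeys}
    agg = 1
    for X in pubkeys:
        agg = agg * pow(X, coeffs[X], P) % P
    return agg, coeffs

def round1():
    """Round 1: two secret nonces and their commitments, broadcast with no precommitment."""
    r = (secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1)
    return r, (pow(G, r[0], P), pow(G, r[1], P))

def session(agg_key, nonce_pairs, msg):
    """Values every signer derives locally from the round-1 broadcasts."""
    R1 = R2 = 1
    for n1, n2 in nonce_pairs:
        R1, R2 = R1 * n1 % P, R2 * n2 % P
    b = H("non", agg_key, R1, R2, msg)   # binds both aggregate nonces to key and message
    R = R1 * pow(R2, b, P) % P           # effective nonce R = R1 * R2^b
    return b, R, H("sig", agg_key, R, msg)

def round2(x, a, r, b, c):
    """Round 2: partial signature s_i = c*a_i*x_i + r_i1 + b*r_i2 mod Q."""
    return (c * a * x + r[0] + b * r[1]) % Q

def verify(agg_key, msg, R, s):
    """Ordinary Schnorr check against the aggregate key: g^s == R * X^c."""
    return pow(G, s, P) == R * pow(agg_key, H("sig", agg_key, R, msg), P) % P

def sign_demo(msg, n=3):
    """Run both rounds for n freshly generated signers; return (X, R, s)."""
    secs = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    pubs = [pow(G, x, P) for x in secs]
    X, coeffs = key_agg(pubs)
    r1 = [round1() for _ in range(n)]
    b, R, c = session(X, [pub for _, pub in r1], msg)
    s = sum(round2(x, coeffs[Xi], r, b, c) for x, Xi, (r, _) in zip(secs, pubs, r1)) % Q
    return X, R, s
```

The verifier sees only the aggregate key and a single Schnorr signature; the key list `L` enters only through the `H_agg` coefficients, which is the input that has no settled definition once a signer's key is itself an aggregate.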
