Why is there even any talk of forking? All Musig variants are compatible with Schnorr, AFAIK.
Right. Now that Taproot has been activated I think this topic deserves another review.
Musig-DN would be the ideal way of getting multisig signatures from all the co-signers, but some of it's security measures are unnecessary.
zero-knowledge proofs so that attacker's can't modify the state: This most likely cannot happen if you only transmit your signature already encrypted such as PGP, and I only see this as beneficial if bitcoin core one day supports establishing a multisig wallet using only network communication between nodes instead of real people sharing their ypubs, a crazy idea which won't even exit the design stage.
However their nonce-generating library Purify works internally, if at the very least seems too much to shove in a single batch of PRs and expect it to be ready by the next version. I am not even sure if Musig1 is used in the protocol yet. More importantly there will be trouble finding people skilled enough to contribute code for this as it relies on a bunch of different elliptic curves, arithmetic gates, quadratic twists, etc etc which still makes my head wrap even today. And my previous reply was written 3 months ago!
How many people are running Bitcoin Core in a container or VM where snapshots and therefore musig state can be saved and restored?
If there's one thing I learned during development, it's that simpler schemes such as Musig2 have fewer avenues for vulnerabilities and bugs (which in a cryptocurrency sometimes are just as bad as vulnerabilities) in their implementation than more complex schemes that may be more secure theoretically. I always bring up Heartbleed as an example at this point.
