Avoid round-trip with scriptless scripts

[ajtowns]

Here's the concept:

• Alice proposes a new state to Bob, sending an update tx and a settlement tx for it to him, along with her signatures
• Bob is a meany, so publishes the update, then sits on posting the settlement
• But Alice was sneaky! She set things up so that her signature for the update tx was a partial sig and using the wonders of scriptless scripts, she looks at the signatures for the update tx that Bob posted on chain, and from there can extract Bob's signature for the settlement tx.
• Alice posts the settlement tx with Bob's signature, and everything's fine!

To make that actually work, I think you need:

• update tx's can be spent via "alice checksigverify bob checksigverify n cltv" instead of just via musig
• Bob preshares a nonce pair R1, R2
• Alice prepares the settlement tx, and constructs Bob's nonce as R = H(settlement)*R1 + R2 or so, and calculates the value for sG as R + H(R,Bob,settlement)*Bob
• Alice then chooses a nonce and gives Bob a partial signature for the update tx, of s_A = r_A + H(r_A*G + sG, Alice, update)*alice.
• If Bob wants to post the update tx, he calculates s_A + s to complete the signature and publishes it
• Then Alice can then calculate s by subtracting s_A from what appears on-chain

Both Bob's post of the update tx and Alice's post of the settlement tx need two signatures rather than a musig in this scenario. Maybe it's possible to make the settlement tx's signature musig though.