[bitcoin-dev] Graftroot: Private and efficient surrogate scripts under the taproot assumption
Daniel Edgecumbe
esotericnonsense at esotericnonsense.com
Thu Feb 22 19:44:21 UTC 2018
> However, the non-interactive schnorr aggregation trick[1] can be
applied to merge the S values of all graftroots and signatures in a
transaction into a single aggregate. With this approach only a single
R value for each graftroot need be published, lowering the overhead to
~32 bytes-- the same as taproot. This has a side benefit of binding
the published grafts to a particular transaction, which might help
avoid some screwups.
I don't think that binding grafts to a particular transaction requires this aggregation.
It seems to me that you could just sign H(txid, script) rather than H(script).
I'm not aware of whether this would break aggregation.
---
Daniel Edgecumbe / esotericnonsense
esotericnonsense at esotericnonsense.com
https://esotericnonsense.com
https://danedgecumbe.com
More information about the bitcoin-dev
mailing list