[bitcoin-dev] Soft-forks and schnorr signature aggregation
ZmnSCPxj at protonmail.com
ZmnSCPxj at protonmail.com
Wed Mar 21 23:28:00 UTC 2018
Good morning aj,
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On March 21, 2018 7:21 PM, Anthony Towns <aj at erisian.com.au> wrote:
> On Wed, Mar 21, 2018 at 03:53:59AM -0400, ZmnSCPxj wrote:
>
> > Good morning aj,
>
> Good evening Zeeman!
>
> [pulled from the bottom of your mail]
>
> > This way, rather than gathering signatures, we gather public keys for aggregate signature checking.
>
> Sorry, I probably didn't explain it well (or at all): during the script,
>
> you're collecting public keys and messages (ie, BIP 143 style digests)
>
> which then go into the signing/verification algorithm to produce/check
>
> the signature.
Yes, I think this is indeed what OP_CHECK_AGG_SIG really does.
What I propose is that we have two places where we aggregate public keys: one at the script level, and one at the transaction level. OP_ADD_AGG_PUBKEY adds to the script-level aggregate, then OP_CHECK_AGG_SIG adds the script-level aggregate to the transaction-level aggregate.
Unfortunately it will not work since transaction-level aggregate (which is actually what gets checked) is different between pre-fork and post-fork nodes.
It looks like signature aggregation is difficult to reconcile with script...
Regards,
ZmnSCPxj
More information about the bitcoin-dev
mailing list