Published on: 2022-07-20T11:16:40+00:00
In a recent email thread, Michael Folkson discusses the potential role of a half aggregation BIP draft and the challenges of implementing CISA/CISHA as a consensus change. Folkson mentions that it is too early to formalize the equivalent of BIP341/342 for this draft BIP. However, there are use cases for the half aggregation BIP that can be worked on today, such as Lightning gossip. Folkson also notes that if CISA/CISHA was attempted in the long term, there would need to be two tiers of verification: one for single signature key path spends where CISA/CISHA could be applied, and another for Taproot script paths where it couldn't be applied. It might even be necessary to define a new output type specifically for the CISA/CISHA use case where there is no access to a script path.The draft BIP does not specify whether "half aggregation needs a new output type or not" as it is out of scope. However, half-aggregation has multiple possible applications. The StackExchange post linked in the context argues that CISA requires a new output type. This argument also applies to half aggregating signatures across transaction inputs, known as CISHA. The Bitcoin development community has been discussing the concept of half-aggregation in various contexts. Jonas Nick has proposed a concrete specification of the scheme and a place for collecting supplemental information like references to cryptographic security proofs. The BIP draft, available on GitHub, only specifies the cryptographic scheme and does not prescribe specific applications. It includes "incremental aggregation" which allows aggregating additional BIP-340 signatures into an existing half-aggregate signature. The formal specification provides a mathematically precise description of the scheme, paving the way for computer-aided formal proofs. Hacspec's syntax being a subset of Rust's syntax allows using the standard Rust toolchain to compile, execute, and test the specification. Although this work is still in its early stages and won't be proposed for a soft fork anytime soon, it opens up possibilities for further exploration.To facilitate further discussions on half-aggregation, a concrete specification of the scheme and a platform for supplementary information have been provided. The BIP draft, similar to BIP-340, only specifies the cryptographic scheme and does not prescribe specific applications. However, it introduces "incremental aggregation" which allows additional BIP-340 signatures to be aggregated into an existing half-aggregate signature. The formal specification written in hacspec provides a mathematically precise description of the scheme, enabling computer-aided formal proofs. The specification can be compiled, executed, and tested using the standard Rust toolchain since hacspec's syntax is a subset of Rust's syntax. It's important to note that the specified scheme has not yet undergone an extensive security review, although it has been reviewed by Elliott Jin and Tim Ruffing. A blog post providing a broader context for half-aggregation and BIP-340 can be found at the given link.
Updated on: 2023-08-02T06:54:19.989189+00:00