Author: Andrew Poelstra 2017-05-10 07:55:42
Published on: 2017-05-10T07:55:42+00:00
Russell O'Connor, a contributor on bitcoin-dev mailing list, argues that a proposal under consideration is horribly broken. He proposes a scenario in which Bob tries to steal Alice's UTXO with public key P0 by generating random values s0, k0 and R0 := k0*G to create a random signature, [R0, s0]. The aggregated signature will be invalid for individual signatures, but valid when combined with other inputs. Andrew Poelstra suggests a solution to this problem by using non-interactive Schnorr aggregation. This involves having independent Schnorr sigs (s_i, R_i) without any aggregation until a miner produces a block. Then, the miner multiplies each s_i by H(witness root || index), sums up the s_i's, and commits the sum somewhere where it does not affect the root. Verifiers can recognize the signature given only the transaction it signs and R_i, which uniquely determine a valid signature.
Updated on: 2023-06-12T00:39:18.232107+00:00