bitcoin-dev Digest, Vol 52, Issue 15



Summary:

The feasibility of aggregating signatures and Pedersen-commitment-to-0 in Mimblewimble depends on the signature scheme used. While Schnorr-like signatures can enable non-interactive aggregatability, they cannot be aggregated interactively. The original mimblewimble.txt mentions the need to store every `k*G` and the corresponding signature attesting to it, but does not mention Schnorr or the possibility of using it for signature aggregation. The mimblewimble.pdf from andytoshi includes a "Sinking Signatures" section, which combines absolute-locktime kernels with partial O(log n) aggregation of the signatures that attest to it. However, this technique was deemed impractical. Relative-locktime kernels would not affect their aggregatability, since kernels already sign for optional attributes such as fee and lock height, and a relative kernel would just add a reference to another kernel as an additional attribute.


Updated on: 2023-06-13T21:28:56.205192+00:00