Return-Path: Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 95801C002D for ; Sun, 17 Jul 2022 13:26:37 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 5B190409D3 for ; Sun, 17 Jul 2022 13:26:37 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 5B190409D3 Authentication-Results: smtp2.osuosl.org; dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=mVzEJajz X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -0.701 X-Spam-Level: X-Spam-Status: No, score=-0.701 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rRa0neblqmYF for ; Sun, 17 Jul 2022 13:26:35 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 500C7400DD Received: from mail-40134.protonmail.ch (mail-40134.protonmail.ch [185.70.40.134]) by smtp2.osuosl.org (Postfix) with ESMTPS id 500C7400DD for ; Sun, 17 Jul 2022 13:26:35 +0000 (UTC) Date: Sun, 17 Jul 2022 13:26:26 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1658064393; x=1658323593; bh=MPQgDoR43zA9x2xlOkslfK9yc6Ui9Xw3fYERjcyO9/E=; h=Date:To:From:Reply-To:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID; b=mVzEJajz2ikH64txJP0+YNKftXVo1p12AD+knXXwfsKXuPnI9kY28qwzx5Bw9I721 KOKwpCl27tATGnWge9TEzk95K/o4n/ESLZ20sGrrY+K/VqtsSTfhMdJtqsymacqUMl 6qpx/nocHzO+905sQw8pk/66E+WppHUEnSVZhbo5HEwYhFjiBdLjNH4IeVWwR+Q5JK qU1mAE89Mh1X6qII2DpWQXoul5/xp69mggZ/kJmdvTkNHrz7F+Sfgos6Bg1TvwABnt TpyC1sqmYisJv3SmiDe5Zq8teW69G4C/vYfkrgLSQDZqwX8qy74gejoeTzbkTq76gl N93iwnhfmWeDA== To: Jonas Nick , Bitcoin Protocol Discussion From: Michael Folkson Reply-To: Michael Folkson Message-ID: In-Reply-To: <33f275c2-06b1-4b4a-2a75-cafe36836503@gmail.com> References: <33f275c2-06b1-4b4a-2a75-cafe36836503@gmail.com> Feedback-ID: 27732268:user:proton MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Sun, 17 Jul 2022 18:10:41 +0000 Subject: Re: [bitcoin-dev] BIP draft: Half-Aggregation of BIP-340 Signatures X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 17 Jul 2022 13:26:37 -0000 Thanks for this Jonas. One question that was asked on Telegram (credit: Ant= oine D) and isn't clear to me skimming the blog post and the draft BIP is w= hether half aggregation needs a new output type or not like we expect cross= input signature aggregation (CISA) to [0]. My understanding is Schnorr sig= nature batch verification (no aggregation of signatures) can be done today = but half aggregation and CISA would need a soft fork and potentially a new = output type in addition. (I know this work is in its early stages and won't be proposed for a soft f= ork anytime soon. A few of us are just trying to get a basic sketch in our = heads of what they require and whether they could be enabled in the same up= grade.) [0]: https://bitcoin.stackexchange.com/questions/106240/will-cross-input-si= gnature-aggregation-need-a-new-output-type/ -- Michael Folkson Email: michaelfolkson at protonmail.com Keybase: michaelfolkson PGP: 43ED C999 9F85 1D40 EAF4 9835 92D6 0159 214C FEE3 ------- Original Message ------- On Friday, July 8th, 2022 at 16:53, Jonas Nick via bitcoin-dev wrote: > Half-aggregation has been mentioned several times on this list in various > contexts. To have a solid basis for discussing applications of half-aggre= gation, > I think it's helpful to have a concrete specification of the scheme and a= place > for collecting supplemental information like references to cryptographic > security proofs. You can find the BIP draft at > > https://github.com/ElementsProject/cross-input-aggregation/blob/master/ha= lf-aggregation.mediawiki > > Similar to BIP-340, this BIP draft specifies only the cryptographic schem= e and > does not prescribe specific applications. It has not received an extensiv= e > security review yet. Thanks to Elliott Jin and Tim Ruffing for the review= so > far. One new feature that the specified scheme has is "incremental aggreg= ation" > which allows aggregating additional BIP-340 signatures into an existing > half-aggregate signature. > > While BIP-340 has a pseudocode specification and a reference implementati= on in > python, this BIP draft has a formal specification written in hacspec [0] = and > auxiliary pseudocode. The formal specification is a mathematically precis= e > description of the scheme, which paves the way for computer-aided formal = proofs. > Software tools ("proof assistants") allow proving properties about the fo= rmal > specification ("no integer overflow") and apply formal software verificat= ion > ("implementation is behaviorally equivalent to the spec"). I don't have c= oncrete > plans (nor the skillset) to use these techniques. Still, I think this is = an > exciting area to explore because it has the potential to increase the Bit= coin > ecosystem's robustness significantly and has little downside. Since hacsp= ec's > syntax is a subset of Rust's syntax, one can use the standard rust toolch= ain to > compile, execute and test the specification. > > You can find a blog post that gives a broader context at > https://blog.blockstream.com/half-aggregation-of-bip-340-signatures/ > > [0] https://github.com/hacspec/hacspec > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev