Signature aggregation offers improved privacy and storage benefits over the current Bitcoin implementation.
Before we dive in to how signature aggregation works and why it is so important for BTC to go through with this soft fork, I will discuss some key definitions that are crucial to understanding this technology, including key aggregation and batch validation.
Definitions
Key aggregation refers to when there are a number of people who each have their own key. They can then produce a combined key that can only be used to sign when they all come together. This technology is used in multisig, or multisignature transactions, where multiple users need to sign a transaction to make it valid.
As explained by Pieter Wuille, the powerful feature of signature aggregation is that the output signature is a single combined signature of all public keys:
“Signature aggregation is the problem where you have multiple people who are going to create signatures together but you only want one signature in the end. In this case, there are multiple signatures involved, and you just produce a single combined signature. The verifier still knows all the public keys. The output is in this case you have a signature, a pubkey, and a message that goes to the verifier.
“But in the case of signature aggregation, it’s a signature, pubkeys, and a message. You need all the pubkeys. This is done at signing time. The signers of this message don’t need to do anything ahead of time. […] they can give it to anyone with the list of pubkeys, and then they can verify that.”
Additionally, batch validation needs to be completed at the end of the process to make sure the transaction has a valid signature. This basically validates the output parameters, making sure the signature hasn’t been altered.
Signature aggregation and Schnorr signatures
Learn about MuSig, a multi-signature scheme based on Schnorr signatures, including its cryptographic properties and a few of its applications in #Bitcoin in this blog post by @pwuille https://t.co/1Ejx7tL5zO https://t.co/PnUEbIDYRF
— Blockstream (@Blockstream) January 23, 2018
Schnorr signatures use signature aggregation in a quite spectacular way.
Technically, in order to combine all the transaction inputs’ signatures into one, we don’t need a multisignature scheme, but rather an aggregate signature scheme. The distinction is simply that in an aggregate signature scheme, each signer has their own message rather than one message shared by all.
With the use of signature aggregation, Schnorr signatures do not release any information about the inputs when a verifier looks at the signature key.
This privacy feature means signature aggregation could become considerably more powerful than what people might expect, simply because we can enable Bitcoin users to agree on spending conditions that can be or not be met – and proven by the majority of signers – without compromising any information about the input signatures.
This means input signatures cannot be extrapolated from the final public aggregated signature.
An interesting example of a current proposal by Blockstream can be found here. It clearly shows that the leading Bitcoin development-focused organisation is betting heavily on the application of Schnorr signatures in the near future.
With Schnorr signatures and signature aggregation technology, it becomes possible to create smart contract functionality that contains “if this/then that” logic linked to the signature spending conditions.
Disclaimer: The views and opinions expressed by the author should not be considered as financial advice. We do not give advice on financial products.