When Schnorr signatures are part of Bitcoin will it be possible validate each block with only one signature validation?A couple of questions on Schnorr sigWhat would UTXO consolidation look like in the public ledger with Schnorr signatures?Did the introduction of VerifyScript cause a backwards incompatible change to consensus?Are sipa's standardized schnorr signatures incompatible with blind signatures?

After `ssh` without `-X` to a machine, is it possible to change `$DISPLAY` to make it work like `ssh -X`?

Why restrict private health insurance?

What will be the sign of work done?

What is the population of Romulus in the TNG era?

Why does cron require MTA for logging?

How do electrons receive energy when a body is heated?

Ballot RPC message

How do spaceships determine each other's mass in space?

Can't make sense of a paragraph from Lovecraft

Professor forcing me to attend a conference, I can't afford even with 50% funding

PTIJ: Why does only a Shor Tam ask at the Seder, and not a Shor Mu'ad?

What do *foreign films* mean for an American?

Vocabulary for giving just numbers, not a full answer

Shifting between bemols and diesis in the key signature

How to resolve: Reviewer #1 says remove section X vs. Reviewer #2 says expand section X

Called into a meeting and told we are being made redundant (laid off) and "not to share outside". Can I tell my partner?

Numbers app - select all the cells on an existing table to share the same background colour?

Why does Solve lock up when trying to solve the quadratic equation with large integers?

The meaning of ‘otherwise’

Are small insurances worth it?

Why couldn't the separatists legally leave the Republic?

Why do we say ‘pairwise disjoint’, rather than ‘disjoint’?

In the late 1940’s to early 1950’s what technology was available that could melt ice?

Help! My Character is too much for her story!



When Schnorr signatures are part of Bitcoin will it be possible validate each block with only one signature validation?


A couple of questions on Schnorr sigWhat would UTXO consolidation look like in the public ledger with Schnorr signatures?Did the introduction of VerifyScript cause a backwards incompatible change to consensus?Are sipa's standardized schnorr signatures incompatible with blind signatures?













2















In a recent talk Pieter Wuille talked about speed up verification when using Schnorr signatures and various algorithms for verifying multiple signatures.



Would it really be possible to verify one single block by aggregating the keys and signatures of all transactions? (In theory even more transactions over several blocks)



I assume this does imply that the old ECDSA scheme would not be used anymore. If we were backwards compatible we could probably only do this for transactions that used Schorr signatures where as the other ones would have to be verified one by one.



(Leaving aside politics of drastic protocol changes) Couldn't we even save more space if we adopt the block header to include one aggregate Schnorre signature for the block and leave out all the schnorr signatures of the single transactions within that block?



Did I miss anything? The talk did not give many details but just mentioned the idea.






validation block-validity schnorr-signatures







share|improve this question


























    2















    In a recent talk Pieter Wuille talked about speed up verification when using Schnorr signatures and various algorithms for verifying multiple signatures.



    Would it really be possible to verify one single block by aggregating the keys and signatures of all transactions? (In theory even more transactions over several blocks)



    I assume this does imply that the old ECDSA scheme would not be used anymore. If we were backwards compatible we could probably only do this for transactions that used Schorr signatures where as the other ones would have to be verified one by one.



    (Leaving aside politics of drastic protocol changes) Couldn't we even save more space if we adopt the block header to include one aggregate Schnorre signature for the block and leave out all the schnorr signatures of the single transactions within that block?



    Did I miss anything? The talk did not give many details but just mentioned the idea.






    validation block-validity schnorr-signatures







    share|improve this question
























      2












      2








      2








      In a recent talk Pieter Wuille talked about speed up verification when using Schnorr signatures and various algorithms for verifying multiple signatures.



      Would it really be possible to verify one single block by aggregating the keys and signatures of all transactions? (In theory even more transactions over several blocks)



      I assume this does imply that the old ECDSA scheme would not be used anymore. If we were backwards compatible we could probably only do this for transactions that used Schorr signatures where as the other ones would have to be verified one by one.



      (Leaving aside politics of drastic protocol changes) Couldn't we even save more space if we adopt the block header to include one aggregate Schnorre signature for the block and leave out all the schnorr signatures of the single transactions within that block?



      Did I miss anything? The talk did not give many details but just mentioned the idea.






      validation block-validity schnorr-signatures







      share|improve this question














      In a recent talk Pieter Wuille talked about speed up verification when using Schnorr signatures and various algorithms for verifying multiple signatures.



      Would it really be possible to verify one single block by aggregating the keys and signatures of all transactions? (In theory even more transactions over several blocks)



      I assume this does imply that the old ECDSA scheme would not be used anymore. If we were backwards compatible we could probably only do this for transactions that used Schorr signatures where as the other ones would have to be verified one by one.



      (Leaving aside politics of drastic protocol changes) Couldn't we even save more space if we adopt the block header to include one aggregate Schnorre signature for the block and leave out all the schnorr signatures of the single transactions within that block?



      Did I miss anything? The talk did not give many details but just mentioned the idea.






      validation block-validity schnorr-signatures




      validation block-validity schnorr-signatures






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 1 hour ago









      Rene PickhardtRene Pickhardt

      1,992115




      1,992115




















          1 Answer
          1






          active

          oldest

          votes


















          2














          Yes, one validation per block, but not one signature per block.



          To clear up confusion, there are 3 distinct technologies involved here:



          • (1) non-interactive aggregation is the ability for a third party (who does not hold any private keys) to combine multiple signatures, each with their own message and public key, into a single signature that can be verified by someone knows all messages and public keys.

          • (2) interactive aggregation is the same, but when the signers need to be aware of the aggregation, and communicate with each other to jointly produce a single signature.

          • (3) batch validation is the ability for a verifier to verify whether multiple (pubkey,message,signature) tuples are all valid or not, faster than verifying the individual signatures. If one or more of the tuples are invalid the verifier will not learn which ones, in this case.

          Schnorr signatures (and any other known discrete logarithm based signature schemes) support (2) and (3), but not (1).



          The lack of (1) means there cannot be a single signature for an entire block (*), as the miner who constructs the block is a third party who isn't participating in signature creation.



          Due to (2), the best we can hope for (as long as we're restricted to DL-based signatures), is one signature per transaction. Even that requires cross-input aggregation, which has complexities beyond just the implementation of on-chain Schnorr signatures (see this post for example).



          However, because of (3) it is correct that there can be a single validation per block, however not a single signature per block. The speedup that is possible through batch validation does become nontrivial, in fact. Each of the 4 lines is an optimization technique that is currently implemented in libsecp256k1, which will pick the best one based on the size of the problem and the memory constraints.



          Batch validation speedup



          (*) There exists a form of non-interactive "half aggregation" for DL based signatures, where N signatures can be non-interactively combined into a single signature of size (1+N)/2 original signatures. This could be used for blocks, though the gains aren't that great, and there are complexities around block-wide aggregation that make it less interesting.






          share|improve this answer
























            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "308"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f85213%2fwhen-schnorr-signatures-are-part-of-bitcoin-will-it-be-possible-validate-each-bl%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            2














            Yes, one validation per block, but not one signature per block.



            To clear up confusion, there are 3 distinct technologies involved here:



            • (1) non-interactive aggregation is the ability for a third party (who does not hold any private keys) to combine multiple signatures, each with their own message and public key, into a single signature that can be verified by someone knows all messages and public keys.

            • (2) interactive aggregation is the same, but when the signers need to be aware of the aggregation, and communicate with each other to jointly produce a single signature.

            • (3) batch validation is the ability for a verifier to verify whether multiple (pubkey,message,signature) tuples are all valid or not, faster than verifying the individual signatures. If one or more of the tuples are invalid the verifier will not learn which ones, in this case.

            Schnorr signatures (and any other known discrete logarithm based signature schemes) support (2) and (3), but not (1).



            The lack of (1) means there cannot be a single signature for an entire block (*), as the miner who constructs the block is a third party who isn't participating in signature creation.



            Due to (2), the best we can hope for (as long as we're restricted to DL-based signatures), is one signature per transaction. Even that requires cross-input aggregation, which has complexities beyond just the implementation of on-chain Schnorr signatures (see this post for example).



            However, because of (3) it is correct that there can be a single validation per block, however not a single signature per block. The speedup that is possible through batch validation does become nontrivial, in fact. Each of the 4 lines is an optimization technique that is currently implemented in libsecp256k1, which will pick the best one based on the size of the problem and the memory constraints.



            Batch validation speedup



            (*) There exists a form of non-interactive "half aggregation" for DL based signatures, where N signatures can be non-interactively combined into a single signature of size (1+N)/2 original signatures. This could be used for blocks, though the gains aren't that great, and there are complexities around block-wide aggregation that make it less interesting.






            share|improve this answer





























              2














              Yes, one validation per block, but not one signature per block.



              To clear up confusion, there are 3 distinct technologies involved here:



              • (1) non-interactive aggregation is the ability for a third party (who does not hold any private keys) to combine multiple signatures, each with their own message and public key, into a single signature that can be verified by someone knows all messages and public keys.

              • (2) interactive aggregation is the same, but when the signers need to be aware of the aggregation, and communicate with each other to jointly produce a single signature.

              • (3) batch validation is the ability for a verifier to verify whether multiple (pubkey,message,signature) tuples are all valid or not, faster than verifying the individual signatures. If one or more of the tuples are invalid the verifier will not learn which ones, in this case.

              Schnorr signatures (and any other known discrete logarithm based signature schemes) support (2) and (3), but not (1).



              The lack of (1) means there cannot be a single signature for an entire block (*), as the miner who constructs the block is a third party who isn't participating in signature creation.



              Due to (2), the best we can hope for (as long as we're restricted to DL-based signatures), is one signature per transaction. Even that requires cross-input aggregation, which has complexities beyond just the implementation of on-chain Schnorr signatures (see this post for example).



              However, because of (3) it is correct that there can be a single validation per block, however not a single signature per block. The speedup that is possible through batch validation does become nontrivial, in fact. Each of the 4 lines is an optimization technique that is currently implemented in libsecp256k1, which will pick the best one based on the size of the problem and the memory constraints.



              Batch validation speedup



              (*) There exists a form of non-interactive "half aggregation" for DL based signatures, where N signatures can be non-interactively combined into a single signature of size (1+N)/2 original signatures. This could be used for blocks, though the gains aren't that great, and there are complexities around block-wide aggregation that make it less interesting.






              share|improve this answer



























                2












                2








                2







                Yes, one validation per block, but not one signature per block.



                To clear up confusion, there are 3 distinct technologies involved here:



                • (1) non-interactive aggregation is the ability for a third party (who does not hold any private keys) to combine multiple signatures, each with their own message and public key, into a single signature that can be verified by someone knows all messages and public keys.

                • (2) interactive aggregation is the same, but when the signers need to be aware of the aggregation, and communicate with each other to jointly produce a single signature.

                • (3) batch validation is the ability for a verifier to verify whether multiple (pubkey,message,signature) tuples are all valid or not, faster than verifying the individual signatures. If one or more of the tuples are invalid the verifier will not learn which ones, in this case.

                Schnorr signatures (and any other known discrete logarithm based signature schemes) support (2) and (3), but not (1).



                The lack of (1) means there cannot be a single signature for an entire block (*), as the miner who constructs the block is a third party who isn't participating in signature creation.



                Due to (2), the best we can hope for (as long as we're restricted to DL-based signatures), is one signature per transaction. Even that requires cross-input aggregation, which has complexities beyond just the implementation of on-chain Schnorr signatures (see this post for example).



                However, because of (3) it is correct that there can be a single validation per block, however not a single signature per block. The speedup that is possible through batch validation does become nontrivial, in fact. Each of the 4 lines is an optimization technique that is currently implemented in libsecp256k1, which will pick the best one based on the size of the problem and the memory constraints.



                Batch validation speedup



                (*) There exists a form of non-interactive "half aggregation" for DL based signatures, where N signatures can be non-interactively combined into a single signature of size (1+N)/2 original signatures. This could be used for blocks, though the gains aren't that great, and there are complexities around block-wide aggregation that make it less interesting.






                share|improve this answer















                Yes, one validation per block, but not one signature per block.



                To clear up confusion, there are 3 distinct technologies involved here:



                • (1) non-interactive aggregation is the ability for a third party (who does not hold any private keys) to combine multiple signatures, each with their own message and public key, into a single signature that can be verified by someone knows all messages and public keys.

                • (2) interactive aggregation is the same, but when the signers need to be aware of the aggregation, and communicate with each other to jointly produce a single signature.

                • (3) batch validation is the ability for a verifier to verify whether multiple (pubkey,message,signature) tuples are all valid or not, faster than verifying the individual signatures. If one or more of the tuples are invalid the verifier will not learn which ones, in this case.

                Schnorr signatures (and any other known discrete logarithm based signature schemes) support (2) and (3), but not (1).



                The lack of (1) means there cannot be a single signature for an entire block (*), as the miner who constructs the block is a third party who isn't participating in signature creation.



                Due to (2), the best we can hope for (as long as we're restricted to DL-based signatures), is one signature per transaction. Even that requires cross-input aggregation, which has complexities beyond just the implementation of on-chain Schnorr signatures (see this post for example).



                However, because of (3) it is correct that there can be a single validation per block, however not a single signature per block. The speedup that is possible through batch validation does become nontrivial, in fact. Each of the 4 lines is an optimization technique that is currently implemented in libsecp256k1, which will pick the best one based on the size of the problem and the memory constraints.



                Batch validation speedup



                (*) There exists a form of non-interactive "half aggregation" for DL based signatures, where N signatures can be non-interactively combined into a single signature of size (1+N)/2 original signatures. This could be used for blocks, though the gains aren't that great, and there are complexities around block-wide aggregation that make it less interesting.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited 16 mins ago

























                answered 32 mins ago









                Pieter WuillePieter Wuille

                47.2k399158




                47.2k399158



























                    draft saved

                    draft discarded
















































                    Thanks for contributing an answer to Bitcoin Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f85213%2fwhen-schnorr-signatures-are-part-of-bitcoin-will-it-be-possible-validate-each-bl%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Isabella Eugénie Boyer Biographie | Références | Menu de navigationmodifiermodifier le codeComparator to Compute the Relative Value of a U.S. Dollar Amount – 1774 to Present.

                    Image
                    Personnalité américaine du monde des affairesPersonnalité féminine françaiseNaissance en décembre 1841Naissance à ParisDécès en mai 1904Décès à 62 ansDécès à Paris 17 décembre1841Paris12 mai1904Isaac Merritt SingerSingerNew York1863guerre civile américaineParisAngleterreguerre de 1870DevonOldway Mansion (en) PaigntonWinnarettaEdmond de Polignacduchesse DecazesdollarsVictor ReubsaetParisHumbert I er d'Italieviolon de StradivariusStatue de la LibertéBartholdi Isabella Eugénie Boyer.mw-parser-output .entete.humainbackground-image:url("//upload.wikimedia.org/wikipedia/commons/8/82/Picto_infobox_manwoman.png") Isabella Eugénie Boyer. Titre de noblesse Duchesse Biographie Naissance 17 décembre 1841 Paris Décès 12 mai 1904 (à 62 ans) Paris Sépulture Cimetière de Passy Nationalité Française Domicile Oldway Mansion ( en ) Activité Mannequin Con...
                    Read more

                    Join wedge with single bond in chemfigHow to make only one part of double bond bold with chemfig?Crossing bonds in chemfigjoining atoms in chemfig. Two adjacent molculesHow do I selectively change bond length in chemfig?Ugly bond joints in chemfigchemfig: reaction above arrowUsing the mhchem and chemfig packages in conjunctionBonding to specific element letter using chemfigResonance hybrids in chemfigScale chemfig molecule in beamer with tikzWhy does this chemfig bond with a hook start in the middle of the atom?

                    Image
                    Where does SFDX store details about scratch orgs? Decimal to roman python Is it possible to create light that imparts a greater proportion of its energy as momentum rather than heat? What is the word for reserving something for yourself before others do? How could indestructible materials be used in power generation? Issue with type force PATH search How to copy / replace first letter in a column of attribute table in ArcMap with field calculator and Python? A plague kills all white people book, probably 1960's Is it inappropriate for a student to attend their mentor's dissertation defense? How to model explosives? Twin primes whose sum is a cube Alternative to sending password over mail? Do I have a twin with permutated remainders? Why do I get two different answers for this counting problem? How badly should I try to prevent a user from XSSing themselves? What is going on with Captain Marvel's blood colour? I'm going to France and my pa...
                    Read more

                    Compiling documents onlineAre any web base TEX editors with live collaboration available?Is there a web-based LaTeX or TeX editor?Creating a PDF file online from a LaTeX templateAre there any online LaTeX editors that provide the latest packages?Comparison of browser-based latex processorsCan I find something like this online?Is there a site where I can enter a latex expression, and it shows me an image of the compiled expression?Automatic online compiling systemA resource for converting LaTeX within the browserIs there an equivalent of jsfiddle for LaTeX?Online LaTeX syntax highlighterComparison of browser-based latex processorsDo the online LaTeX compilers use a TeX daemon to speed up their compilation?Undefined control sequence documentclassLaTeX Syntax Highlighting in Google DriveWhy are my Latex compile times varying massively?Online compilation with commercial fontsCompiling multiple LaTeX filesSlow compiling of large documents in TeXstudiodocument not compiling with custom .cls

                    Image
                    First time traveler, what plane ticket? “I had a flat in the centre of town, but I didn’t like living there, so …” What can I do if someone tampers with my SSH public key? How can I portion out frozen cookie dough? Insult for someone who "doesn't know anything" Does the US political system, in principle, allow for a no-party system? How does a sound wave propagate? Precision notation for voltmeters What is the purpose of a disclaimer like "this is not legal advice"? Ultrafilters as a double dual Why do phishing e-mails use faked e-mail addresses instead of the real one? Sundering Titan and basic normal lands and snow lands Increase the space between numerator and denominator My cassette model name doesn't seem to fit the actual cassette description.. (CS-HG50-9 and CS-HG500-10) New invention compresses matter to produce energy? or other items? (Short Story) SHA 256 Algorithm The (Easy) Road to Code Vector-transposing functio...
                    Read more