Practicality of Half-Aggregated Schnorr Signatures

There is an article called Half-Aggregation of BIP 340 signatures by Blockstream that claims that a set of valid Schnorr signatures can be aggregated into a valid half-aggregated Schnorr signature.

They see different use cases for this that can be seen in the motivation section they give. One of them is CISA but without interaction.

The problem is that the inverse of the signature does not hold as they say:

However, the inverse does not hold: given suitable valid triples, it is possible to construct an input array to Aggregate which contains invalid triples, but for which VerifyAggregate will accept the aggregate signature returned by Aggregate. If this is undesired, input triples should be verified individually before passing them to Aggregate.

Doesn't that property negate the usefulness of half-aggregated signatures in practice if anyway all the independent signatures are needed anyway to be sure that all signatures are correct?



from Recent Questions - Bitcoin Stack Exchange https://ift.tt/34vISXM
via IFTTT

Popular posts from this blog

Future of Bitcoin encryption and security in a QC era

How will the advancement of quantum computing impact the security of Bitcoin, and what steps are necessary to protect the network from this emerging threat? What role could lattice-based encryption play in safeguarding Bitcoin, and which of the current algorithms are best suited for this purpose? How would the implementation of such encryption technology be integrated into the existing Bitcoin infrastructure, and what challenges might arise during this process? What happens to existing addresses that rely on elliptic curve cryptography? Is there a way to seamlessly transition old addresses to the new system, or would users need to actively transfer their funds to new, more secure addresses? How could such a transition be designed to ensure user security while maintaining trust in the network? from Recent Questions - Bitcoin Stack Exchange https://ift.tt/aZeY2fo via IFTTT
Read more

Possible rollback due to lazy reveal in BRC20?

Let's assume user A committed an inscription with {"op":"deploy", "tick": "test"} at block 100 (without revealing it yet). Then user B commits and reveals the exact same inscription at block 101. Because the indexer isn't aware that A's earlier commit was actually for "test," it recognizes B's "test" token as the official one. From blocks 101 to 199, users freely perform various "test" token transactions (e.g., "mint" , "transfer" ). However, at block 200, user A finally reveals their earlier commit. In that case, will the indexer roll back all "test"-related histories that happened between blocks 101 and 199? If so, can we really trust that all BRC20 tokens recognized by the indexer are "safely" the official ones? from Recent Questions - Bitcoin Stack Exchange https://ift.tt/CsYKVTa via IFTTT
Read more

A way to recover scammed Bitcoin investment

I have learned the hard way that even the most seasoned investors can fall prey to malicious actors. When my Investment was stolen, I felt a sense of betrayal and anger. But then, I discovered this FINANCE TEAM, and their professionalism and unwavering commitment gave me a renewed sense of confidence. From the moment I reached out to this Finance Team, I was impressed by their attention to detail and their deep understanding of the Stock and real estate ecosystem. They listened patiently to my story and carefully analyzed the transaction history, leaving no stone unturned in their investigation. Throughout the recovery process, This Finance Teamkept me informed of their progress, providing me with regular updates and answering my countless questions with patience and understanding. Their unwavering dedication and determination gave me a sense of hope during a time of great uncertainty. To my astonishment, This Finance Team was able to recover a significant portion of my stolen Investme...
Read more