Bitcoin Forum
July 07, 2024, 01:41:46 PM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
   Home   Help Search Login Register More  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > Taproot and Schnorr
Pages: [1]
« previous topic next topic »
  Print  
Author Topic: Taproot and Schnorr  (Read 118 times)
Bronsted (OP)
Newbie
*
Offline Offline

Activity: 11
Merit: 7


View Profile
December 06, 2020, 08:52:35 AM
Merited by aliashraf (2), ABCbits (1), Husna QA (1)
 #1
Hello! My sincere apologies for creating so many topics on my queries but I figured it'll be best if I could clarify my doubts and leave it open to the others as well.

So here goes:

My understanding of Schnorr and Taproot is that it alleviates the problems associated with multisig like it's lack of privacy as well as space. They allow the signatures of the multiple keys to be congregated into a single signature. But if the several signatures can be congregated into one, why can't it be used to reduce transaction size by aggregating the multiple signatures of several unspent transaction outputs into a single one? Surely if it can combine signatures of multisig, it could combine the individual signatures used to sign a normal transaction with many inputs?
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4200
Merit: 8443



View Profile WWW
December 06, 2020, 04:34:06 PM
Merited by ABCbits (1)
 #2
The efficient multisig referred to in your message requires that the spending parties interact before computing their single collective address.  This wouldn't help with spending multiple coins, since they are sent by uncoordinated parties at different times and you don't know until the moment you spend which ones you'll use.

That said, separately I did propose a way to aggregate signatures, which does allow combining the signatures of multiple keys purely at signing time (but still interactively).  This was not included in taproot for basically engineering reasons-- too much change to manage at once and there was a risk that the feature would never complete if it was too big.  The idea is that after taproot is deployed and we've learned from the usage, a new version can later be introduced which adds the aggregation along with whatever improvements are learned from the usage.  Aggregation wasn't the only thing left out either.

I'm not sure if this was ultimately wise: taproot has taken years longer than expected regardless... but it is what it is.
Carlton Banks
Legendary
*
Offline Offline

Activity: 3430
Merit: 3074



View Profile
December 07, 2020, 09:59:11 AM
 #3
The following mailing list thread suggests that any future witness versions would use a new address format: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-December/018298.html

Can we assume from this that signature-aggregation (which includes cross-input aggregation the way I read it...) will not be possible using witness v1 inputs (i.e. 1st gen schnorr inputs), assuming that the changes discussed on the bitcoin-dev mailing list come to be? It seems to me that not just the signing/verifying code needs changing to make aggregation work.
Vires in numeris
Pages: [1]
  Print  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > Taproot and Schnorr
 « previous topic next topic »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!