-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Schnorr half-aggregation by default, opt-in non-aggregation #12
Comments
Further thinking about this, the only reason we needed tx ids to be signatures is for PTLCs. So for transactions which don't require signature adaptors we can keep using just a hash of transaction, instead of schnorr half-aggregated signature (as all signatures are proven to be verified inside the STARK proof anyway). I am no cryptographer but I think for those txIds we can use just 16 bytes - providing 2^128 bits of security, I believe we don't need to care about collision resistance (which would be just 2^64), since even if someone finds another pre-image it still HAS to be a hash of a valid transaction - which it most probably won't be. Alternatively we can also pad the txIds to 32 bytes, with 16 bytes coming from transaction hash and another 16 bytes coming from block's pseudo-randomness - this is equivalent to password salting, so should provide additional resistance to multi-target attack. If this is possible it would further cut the ephemeral data size to 21MB in the worst case (2^17 PTLC txns - 7MB, and 2^20 - 2^17 normal txns - 14MB) and in best case to 16MB (all txns normal). EDIT: EDIT2: So with 20 bytes per normal txns the ephemeral data size looks as follows: |
So upon further inspection of schnorr signatures I realized that the only part you care about for adaptor signatures is the tweaked s value, recall that the signature is a pair (R, s), where R is an elliptic curve point (encoded as Y only coordinate) and s is a scalar. We can therefore drop the R point from the ephemeral data (the signature is properly verified with (R, s) inside the STARK proof, so we don't need it for verification again), and leave only the scalar s - with this the ephemeral data per PTLC tx is 28 bytes. In such a case there is little point anymore to separate PTLC and non-PTLC transactions, since both would be almost the same size, this leads to ephemeral data size per block of 28MB and all the txns can be PTLC (so you have enough space to settle 1M stuck lightning PTLCs in a single block). |
That's incredible... To close this out, a PR should be made to update the README to capture this thinking. |
In the paper we discussed adaptor signatures (required for PTLCs) and their incompatibility with schnorr half-aggregation, coming into conclusion that half-aggregation cannot be used.
But, most transactions will probably not be PTLCs, so we can do schnorr half-aggregation by default and let people opt-in for non-aggregated signatures by a version bit in a transaction.
We can limit total amount of non-aggregated signatures per block to e.g. 2^17 (~130k), to make sure those transactions have to pay a higher fees (as there is more limited space for them).
This way we will be able to cut ephemeral data size from 56MB to (in the worst case scenario) 31.5MB - almost 45% reduction!
The text was updated successfully, but these errors were encountered: