π
Original date posted:2022-07-08
π Original message:Half-aggregation has been mentioned several times on this list in various
contexts. To have a solid basis for discussing applications of half-aggregation,
I think it's helpful to have a concrete specification of the scheme and a place
for collecting supplemental information like references to cryptographic
security proofs. You can find the BIP draft at
https://github.com/ElementsProject/cross-input-aggregation/blob/master/half-aggregation.mediawiki
Similar to BIP-340, this BIP draft specifies only the cryptographic scheme and
does not prescribe specific applications. It has not received an extensive
security review yet. Thanks to Elliott Jin and Tim Ruffing for the review so
far. One new feature that the specified scheme has is "incremental aggregation"
which allows aggregating additional BIP-340 signatures into an existing
half-aggregate signature.
While BIP-340 has a pseudocode specification and a reference implementation in
python, this BIP draft has a formal specification written in hacspec [0] and
auxiliary pseudocode. The formal specification is a mathematically precise
description of the scheme, which paves the way for computer-aided formal proofs.
Software tools ("proof assistants") allow proving properties about the formal
specification ("no integer overflow") and apply formal software verification
("implementation is behaviorally equivalent to the spec"). I don't have concrete
plans (nor the skillset) to use these techniques. Still, I think this is an
exciting area to explore because it has the potential to increase the Bitcoin
ecosystem's robustness significantly and has little downside. Since hacspec's
syntax is a subset of Rust's syntax, one can use the standard rust toolchain to
compile, execute and test the specification.
You can find a blog post that gives a broader context at
https://blog.blockstream.com/half-aggregation-of-bip-340-signatures/
[0] https://github.com/hacspec/hacspec
Jonas Nick [ARCHIVE] /
npub1atβ¦y3z5a
2023-06-07 23:11:19
in reply to nevent1qβ¦gqe4
Author Public Key
npub1at3pav59gkeqz9kegzqhk2v4j4r435x42ytf23pxs8crt74tuc8s2y3z5aPublished at
2023-06-07 23:11:19Event JSON
{
"id": "f46820ed78c26852bc44d87c7940214dc9ec2746bb5f77a7f00993e621ed0e3d",
"pubkey": "eae21eb28545b20116d940817b2995954758d0d5511695442681f035faabe60f",
"created_at": 1686179479,
"kind": 1,
"tags": [
[
"e",
"0d72a15ee72366e53511c642de2a3b7516b96b2b8bf94b48e88958ece595c21c",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "π
Original date posted:2022-07-08\nπ Original message:Half-aggregation has been mentioned several times on this list in various\ncontexts. To have a solid basis for discussing applications of half-aggregation,\nI think it's helpful to have a concrete specification of the scheme and a place\nfor collecting supplemental information like references to cryptographic\nsecurity proofs. You can find the BIP draft at\n\nhttps://github.com/ElementsProject/cross-input-aggregation/blob/master/half-aggregation.mediawiki\n\nSimilar to BIP-340, this BIP draft specifies only the cryptographic scheme and\ndoes not prescribe specific applications. It has not received an extensive\nsecurity review yet. Thanks to Elliott Jin and Tim Ruffing for the review so\nfar. One new feature that the specified scheme has is \"incremental aggregation\"\nwhich allows aggregating additional BIP-340 signatures into an existing\nhalf-aggregate signature.\n\nWhile BIP-340 has a pseudocode specification and a reference implementation in\npython, this BIP draft has a formal specification written in hacspec [0] and\nauxiliary pseudocode. The formal specification is a mathematically precise\ndescription of the scheme, which paves the way for computer-aided formal proofs.\nSoftware tools (\"proof assistants\") allow proving properties about the formal\nspecification (\"no integer overflow\") and apply formal software verification\n(\"implementation is behaviorally equivalent to the spec\"). I don't have concrete\nplans (nor the skillset) to use these techniques. Still, I think this is an\nexciting area to explore because it has the potential to increase the Bitcoin\necosystem's robustness significantly and has little downside. Since hacspec's\nsyntax is a subset of Rust's syntax, one can use the standard rust toolchain to\ncompile, execute and test the specification.\n\nYou can find a blog post that gives a broader context at\nhttps://blog.blockstream.com/half-aggregation-of-bip-340-signatures/\n\n[0] https://github.com/hacspec/hacspec",
"sig": "efeb26bb9a5804bb3b460a0e9e50fc3aabc8b4f351872e471e9844a0ac9cbb2ad4ffedecc028446058b6b2953d3941bb047c93b1a03d0c55aaa014b7441c6efd"
}