Jonas Nick [ARCHIVE] on Nostr: 📅 Original date posted:2022-07-17 📝 Original message:To be clear, whether "half ...
📅 Original date posted:2022-07-17
📝 Original message:To be clear, whether "half aggregation needs a new output type or not" does not
become clear in the draft BIP because it is out of scope. Half-aggregation has a
few possible applications. The draft only specifies the cryptographic scheme.
The StackExchange post you link to argues that CISA requires a new output type.
The same argument applies to half aggregating signatures across transaction
inputs (CISHA, if you will). The only difference to "full aggregation" is that
the transaction signature is a single half-aggregate signature instead of a
64-byte signature. You're right that it's possible to do batch verification of
Taproot output key spends (Schnorr signatures) and script spends (key tweaks).
📝 Original message:To be clear, whether "half aggregation needs a new output type or not" does not
become clear in the draft BIP because it is out of scope. Half-aggregation has a
few possible applications. The draft only specifies the cryptographic scheme.
The StackExchange post you link to argues that CISA requires a new output type.
The same argument applies to half aggregating signatures across transaction
inputs (CISHA, if you will). The only difference to "full aggregation" is that
the transaction signature is a single half-aggregate signature instead of a
64-byte signature. You're right that it's possible to do batch verification of
Taproot output key spends (Schnorr signatures) and script spends (key tweaks).