The idea was first submitted by adiabat at May 7, 2017, in bitcoin-dev mailing list, and strengthened by Andrew Poelstra.
And recently, it’s mentioned by tevador in his Minglejingle (MJ) protocol.
I’m not putting the comments on MJ protocol here, but instead the idea of using “per-block non-interactive Schnorr signature aggregation” is quite interesting for me.
Copy & Paste tevador’s usage here:
Two Schnorr signatures
(R2, s2)of two different messages
m2with two different public keys
P2can be partially aggregated into one signature
(R1, R2, s)with
s = s1 + y*s2, where
y = Hs(Tagg, R1, R2, P1, P2, m1, m2)(or an equivalent random oracle output). The scheme can be easily extended for any number of signatures.
With this aggregation, the half payload of Schnorr signatures (R,s) in each block (i.e. the
s part) can be aggregated as one single
s and put into the block header.
I’m wondering why Bitcoin not use this aggregation scheme, or maybe in the plan? Perhaps I guess it’s not easy for Bitcoin to adapt for that because it need a new block header structure but that would affect all existing Bitcoin miner and that makes it even impossible in reality.
For MWC NIT feature, it looks possible to take this aggregation scheme for
Input signatures, to get better scalability.
It’s very appreciated to get your comments/inputs for this direction, otherwise it’s impossible to take it hasty