Ethereum: Can Schnorr aggregate signatures be nested inside other Schnorr aggregate signatures?

Can Schnorr aggregate signatures be nested within other Schnorr aggregate signatures?

Schnorr signatures are a type of digital signature used in various blockchain and cryptocurrency applications. They are designed to provide parties with a secure and efficient way to verify the authenticity and integrity of messages without revealing their contents. One of the key features of Schnorr signatures is that they can combine the signatures of multiple parties into a single signature, known as an aggregate signature. In this article, we will explore whether it is possible to nest aggregate signatures within other aggregate signatures using the Schnorr protocol.

Understanding Schnorr Signatures

Schnorr signatures are based on the concept of a “blind signature,” which allows parties to sign messages without revealing their contents to others. They consist of three components: a private key (p), a public value (P), and a hash function (h). The public value P is derived from the private key p using the Schnorr hash function h(P) = r + p^k, where k is an integer parameter.

Aggregate Signatures

Schnorr aggregate signatures are used to combine the signatures of multiple parties into a single aggregate signature. An aggregate signature consists of a list of signatures (s_i), and the Schnorr hash function for each signature is combined using the hash function hAggregate(s_i).

Can aggregate signatures be nested within other aggregate signatures?

In theory, it is possible to nest aggregate signatures within other aggregate signatures using Schnorr protocols. However, there are some limitations and potential issues that need to be considered.

One approach to nesting aggregate signatures is to use a combination of the Schnorr hash function and a new hash function hAggregate2(s_i). The idea is to create a new public value P2 by combining two private keys p1 and p2 using the Schnorr hash function: P2 = hAggregate2(P1, P2). We can then derive an aggregate signature s2 from this public value using the same Schnorr hash function.

However, there are potential issues to consider:

  • Security: Nested aggregate signatures can introduce new security risks, such as increased complexity and vulnerability to attacks. A nested aggregate signature can be more difficult to verify or extract information from.

  • Performance: Creating and verifying nested aggregate signatures can be computationally expensive, especially for large inputs. This can make them less practical for real-world applications.

Example of use

To illustrate this concept, let’s consider an example use case where we have two parties (Alice and Bob) who want to jointly sign a message using Schnorr signatures. We will create a nested aggregate signature inside another aggregate signature.

Suppose Alice has a private key p1 = e1^p2^k1, where e1 is the public signing value. She wants to combine her signature with Bob’s signature to form the aggregate signature s_nested(s1, s2), where s1 and s2 are individual Schnorr signatures.

We create a new public value P2 by combining Alice’s private key p1 = e1^p2^k1 with Bob’s private key p2: P2 = hAggregate2(P1, P2) = e1^hAggregate(s1, s2).

We then derive the aggregate signature s_nested using the Schnorr hash function: s_nested = hAggregate(s1, s2)

The public value for this nested aggregate signature is P3 = e1^P2.
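
The following is an added example, not code from the original article. It shows the algebra that makes nesting work using textbook Schnorr (s = k + e·x, verified as g^s = R·X^e) with MuSig-style key-aggregation coefficients, rather than the hAggregate notation used above. Assumptions: the toy group parameters, the helper names (H, keygen, aggregate, verify, nested_demo), a third signer Carol, and all secrets living in one process, so the interactive nonce rounds a real multi-party protocol needs are omitted.

```python
import hashlib, secrets

# Toy group (constructed, far too small for real use): p = 2q + 1, g has order q.
p, q, g = 2039, 1019, 4

def H(*parts):
    """Hash arbitrary values to a scalar mod q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def keygen():
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def aggregate(pubkeys):
    """Key aggregation with per-key coefficients: X = prod P_i^{a_i}, a_i = H(all keys, P_i)."""
    coeffs = [H("agg", *pubkeys, P) for P in pubkeys]
    X = 1
    for P, a in zip(pubkeys, coeffs):
        X = X * pow(P, a, p) % p
    return X, coeffs

def verify(X, msg, R, s):
    """Ordinary single-key Schnorr check: g^s == R * X^e."""
    return pow(g, s, p) == R * pow(X, H("sig", R, X, msg), p) % p

def nested_demo(msg="constructed message"):
    (xa, Pa), (xb, Pb), (xc, Pc) = keygen(), keygen(), keygen()
    X_ab, (a_a, a_b) = aggregate([Pa, Pb])    # inner aggregate: Alice + Bob
    X, (b_ab, b_c) = aggregate([X_ab, Pc])    # outer aggregate: (Alice+Bob) + Carol
    # Each signer's effective secret under X: coefficients multiply through the levels.
    shares = [b_ab * a_a * xa, b_ab * a_b * xb, b_c * xc]
    nonces = [secrets.randbelow(q - 1) + 1 for _ in shares]
    R = 1
    for k in nonces:                          # combined nonce R = prod g^{k_i}
        R = R * pow(g, k, p) % p
    e = H("sig", R, X, msg)
    s = sum(k + e * sh for k, sh in zip(nonces, shares)) % q
    return X, msg, R, s
```

`verify(*nested_demo())` returns True: the verifier checks one key and one signature with the ordinary Schnorr equation, regardless of how many levels of aggregation produced them.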

Conclusion

In conclusion, it is possible to nest aggregate signatures within other aggregate signatures using the Schnorr protocol. However, there are potential security and performance issues that need to be considered when creating such nested signatures. It is important to carefully evaluate the trade-offs and limitations of this approach before implementing it in a real-world scenario.

Recommendations

  • Carefully consider the security risks and potential vulnerabilities introduced by nested aggregate signatures.
