[bitcoin-dev] CoinPools based on m-of-n Schnorr aggregated signatures

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: Sridhar G <sridhar87@gmail•com>
To: bitcoin-dev@lists•linuxfoundation.org
Subject: [bitcoin-dev] CoinPools based on m-of-n Schnorr aggregated signatures
Date: Sun, 15 Nov 2020 23:18:17 +0100	[thread overview]
Message-ID: <CAF8yEM_gur=r2WvQ=y3bE53cfds=gQT3se-GAspHvMQzUnW-9Q@mail.gmail.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 3134 bytes --]

Hi everyone,

N-of-n multisig transaction using Schnorr aggregate signature is trivial
and is similar to the current P2PKH. I would like to propose a model for
m-of-n multisig transactions using Schnorr aggregate signatures and use
this to enable CoinPools for off-chain scalability.

1. Creating the pool

A transaction is made on the bitcoin network with an output having the
following script:

<pub_key_1> <pub_key_2> <pub_key_3> .. <pub_key_N> N M OP_POOL

Bitcoin network will create a ‘pool’ with all the ‘N’ public keys and note
down the threshold M for this pool. This UTXO would be referred as <POOL_ID>

2. Depositing money to pool

Deposits can be made to a pool with <POOL_ID> with the following script

<POOL_ID> OP_LOAD_POOL_AGG_PUB_KEY OP_CHECKSIG

3. Redeeming money from pool

Redeem script would contain the aggregated signature from all signers and
the bitmap of signers.

*<AGG_SIG> <SIGNERS_BITMAP>* <POOL_ID>  OP_LOAD_POOL_AGG_PUB_KEY
OP_CHECKSIG

With <AGG_SIG> <SIGNERS_BITMAP> provided by the person that redeems money
from a pool, where

<AGG_SIG> - is the aggregated signature

<SIGNERS_BITMAP> - Is a bitmap representing whether the member of the pool
at position 'i' of bitmap has signed or not(1 = signed, 0 - has not signed)

So we will be introducing two new opcodes:

   1.

   OP_POOL - this will be used to create a new coin pool.
   2.

   OP_LOAD_POOL_AGG_PUB_KEY - This opcode does three things
   1.

      loads the pool (POOL_ID)
      2.

      checks if there are atleast 'm' signers (based on SIGNERS_BITMAP)
      3.

      aggregates the public key of the signers. (based on SIGNERS_BITMAP)

      The opcode uses the top two elements from the stack- the first
element from the stack specifies the POOL_ID to load, which will load the
public keys from the pool. This opcode also checks if there are ‘M’
signers(as specified at the time of creation of the pool) and aggregates
the public keys that have signed based on SIGNERS_BITMAP using Schnorr
aggregate signature scheme and puts back this aggregated public key onto
the stack.

SIGNERS_BITMAP is a 32 byte value, and represents a bitmap of which public
keys from the pool have signed the transaction.

Having this scheme would enable-

   1.

   Scalability of m-of-n multisig transactions - People can deposit money
   to a pool(with 32 byte SIGNERS_BITMAP, we can allow for 256 possible
   signers).
   2.

   Trust minimized off-chain scalability solutions due to the use of a
   sufficiently large pool of signers. Most existing pools might allow for
   only a few signers as having many signers would mean higher transaction
   cost.

Downsides:

   1.

   We need to have the public keys of the members of the pool exposed.

Despite the downsides of exposing public keys, do you think this would be a
viable scheme for enabling CoinPool for the Bitcoin network? Or, any scheme
that may expose public keys is a no-go in the Bitcoin network?

Thanks! Looking for your feedback and thoughts on this.

-Sridhar

[-- Attachment #2: Type: text/html, Size: 15944 bytes --]

next             reply	other threads:[~2020-11-15 22:18 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-15 22:18 Sridhar G [this message]
2020-11-16  1:32 ` ZmnSCPxj

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAF8yEM_gur=r2WvQ=y3bE53cfds=gQT3se-GAspHvMQzUnW-9Q@mail.gmail.com' \
    --to=sridhar87@gmail$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox