\(X_1\)
\(X_2\)
\( R_1', R_1''\)
\( R_2', R_2''\)
\(s_1\)
\(s_2\)
\( R_i=R_i'(R_i'')^b\)
\( b = H_\textit{non}(\widetilde X,m, R_1'R_2', R_1''R_2'')\)
\( c = H_\textit{sig}(\widetilde X, R_1R_2, m) \)
\(\text{return}\ (R_1R_2,s_1+s_2)\)
\(\widetilde X=X_1^{\textcolor{#00c3ff}{}{a_1}}\cdot X_2^{\textcolor{#00c3ff}{}{a_2}}\)
\( a_i = H_\textit{agg}(X_i, \{\textit{pk}_1, \textit{pk}_2\})\)
\(X_1\)
\(X_2\)
\( R_1', R_1'', m\)
\( R_2', R_2''\)
\(s_2\)
\(\text{return}\ (R_1R_2,s_1+s_2)\)
\(\widetilde X=X_1^{\textcolor{#00c3ff}{}{a_1}}\cdot X_2^{\textcolor{#00c3ff}{}{a_2}}\)
\( a_i = H_\textit{agg}(X_i, \{\textit{pk}_1, \textit{pk}_2\})\)
\(X_1\)
\(X_2\)
\( R_1', R_1''\)
\( R_2', R_2''\)
\(s_2, m\)
\(\text{return}\ (R_1R_2,s_1+s_2)\)
\(\widetilde X=X_1^{\textcolor{#00c3ff}{}{a_1}}\cdot X_2^{\textcolor{#00c3ff}{}{a_2}}\)
\( a_i = H_\textit{agg}(X_i, \{\textit{pk}_1, \textit{pk}_2\})\)
musig(xpub1/*, xpub2/*) vs
musig(xpub1, xpub2)/*
it would mean that to the outside world, the combined wallet is just an xpub.
AggVerify((pk_1, m_1), ..., (pk_n, m_n), sig) -> {true, false}
Trivial solution:
sig = (sig_1, ..., sig_n)
Goal Nr 2: sig should be short
Note the different messages != multisignatures, MuSig, etc.
Aggregate(sig_1, ..., sig_n) -> sig
|sig| ≈ 1/2 (|sig_1| + ... + |sig_n|)
|sig| = |sig_1|
aggregation _is_ interactive
Tx-wide aggregation
can be combined with half aggregation
| | bytes | weight units |
|-----------------------------------------------+-------+--------------|
| half aggregation | 20.6% | 7.6% |
| full aggregation | 26.1% | 9.6% |
| both | 33.6% | 12.4% |
| max (like infinite large full agged coinjoin) | 41.2% | 15.2% |