Signature aggregation is a very hot topic for most Bitcoin Developers, as they are trying to implement a way to help the network save resources, and improve the overall experience of this global decentralized network.
After analyzing the available options, developer Gregory Maxwell concludes that using Schnorr Signatures to batch inputs together can reduce the size of transactions by ~40%. This is especially helpful for transactions with multiple inputs, as the currently are bloated. For comparison, the typical transaction size for a one-input, one-output simple transaction is 250kb. Most transactions today however are multiple-inputs, so the size currently averages around 500-600kb. Implementing signature aggregation would lower this to 300-360kbs, opening up room for more transaction throughput in the long term.
By default, the current algorithm used by Bitcoin right now is called Elliptic Curve Digital Signature Algorithm (ECDSA), and the Bitcoin Core Developer team considers to change this. Schnorr’s Algorithm, the replacement, is an improved ECDSA, and while it also uses the elliptic curve digital signature, additionally it improves the core experience and provides various benefits to the transactional equation.
Instead of creating and verifying a hash for every single input for a transaction, the Schnorr Signature captures the essence of the entire transaction and minimizes the number of resources necessary to write it down, safe and sound on the blockchain. Additionally, Schnorr signatures are enabling the aggregation of multiple signatures into a single one, e.g. one that is valid for every holder of a multisig wallet. The developers explain that they call this “Native MultiSig”.
With the increase of multisig wallets and transactions, we can easily understand why the devs are focusing on improving this aspect of Bitcoin. Instead of many keys, using only one saves some time and energy. This results in smaller data packets, thus increasing the long-term capacity of the network.
Another benefit worth mentioning is the increase in privacy. Currently making a multisig transaction is visible and transparent in terms of who co-signed a transaction. When using Schnorr’s algorithm for signature aggregation, the transaction details are obscured and the entire data set is similar to one of a conventional single public key transaction.
Exposed and Fixed Vulnerability
Multisig transactions that have used Schnorr’s algorithm to obfuscate the ownership details from the public have been cracked through a method called cancellation, where a malicious actor intervenes and mimics the public key of the stakeholders. Effectively gaining control over the multisig account (2-of-2 in this example) with the use of only one (out of two) signatures. This was further explored by Pieter Wuille and he presented a solution that removes the possibility of the above-mentioned scenario.
Schnorr’s signature aggregation would be a significant improvement to the Bitcoin protocol, and would provide a reduction in transaction sizes anywhere from 19% for single input transactions, up to 40% when applied to multisig, multi-input, and multi-output transactions.
With the vulnerability of cancellation denied, should there be no other security issues discovered, I expect that we will encounter a BIP to implement Schnorr Signature as a standard very soon. The Bitcoin Core developers already spoke about this on their Blog, and there are other sources that suggest a highly compatible implementation path for Schnorr into Bitcoin.
Additional notes: Zurich 2016 Meeting