What is Signature Aggregation?

Signature aggregation as it relates to cryptocurrency is a process that joins two or more digital signatures into a new and unique signature. This new aggregate signature can be used to validate multiple inputs on the blockchain.

Digital signatures are one of the fundamental building blocks of the Bitcoin blockchain. They allow users to send and receive Bitcoins in a transaction, as well as claim ownership of those Bitcoins and secure them in a wallet.

Schnorr Signatures

The most useful signature aggregation scheme for Bitcoin is Schnorr signatures. Schnorr signatures were patented in the 1980s by Claus-Peter Schnorr.

Schnorr signatures offer many advantages over current signature schemes (Bitcoin currently uses ECDSA [Elliptic Curve Digital Signature Algorithm]). Satoshi chose ECDSA because Schnorr signatures lacked standardization, were still under patent, and lacked widespread adoption. ECDSA on the other hand was open-source, standardized and widely adopted.

Signature aggregation can provide several advantages for blockchain over ECDSA.

Scalability
Optimization
Improved Operability & Privacy

Scalability

One of the most obvious hurdles for existing cryptocurrencies is scalability. Both proof of work and proof of stake mechanisms can encounter problems as they grow due to the magnitude of data that must be recorded.

Digital signatures account for approximately 60% of data recorded on the Bitcoin blockchain, so potential space savings from aggregating signatures are significant. Signature aggregation can improve scalability by compressing data while also maintaining security.

Let’s say that users of your blockchain generate several signatures (S1, S2, S3,…) when a public key (PK1, PK2, PK3,….) interacts with transaction data (TD1, TD2, TD3,…). To maintain consensus, the blockchain must record each signature so other users can verify them.

An aggregate signature can combine any number of signatures into a single signature (S) that can then be used to verify each entry in a group of transaction data (TD1, TD2, TD3,…) with their corresponding public key (PK1, PK2, PK3,…). With signature aggregation it is possible for large segments or even entire blocks to compress their digital signatures into a single aggregate signature.

Potential Space Savings

There are many proposed schemes for implementing signature aggregation, each with their own benefits and trade-offs.

If you need to store 1,000 signatures and each signature is 70B, combining 1,000 signatures would reduce 70KB of data down to 70B with complete aggregation.

Bitcoin transactions will often have multiple inputs which require a unique signature. The signatures of each input can be combined into a single ‘Interactive Aggregate Signature (IAS)’, increasing the potential capacity of each block while limiting aggregation to each transaction.

Multi-sig transactions have also increased over time. As more users start to adopt payment channels and other layer 2 technologies built on the blockchain, these multi-sig transactions will continue to increase – making it even more important to optimize and compress their data.

Multi Sig Transactions graph — This chart shows the historical growth in Pay-to-script-hash outputs (traditional form of multi-sig transactions) distinguished in color by their multi-sig setup.

Optimizations & Efficiency

Signature aggregation has immediate effects of efficiency and speed of the blockchain.

scheme can compress large transactions with dozens of signatures down to a single signature and public key. This removes the requirement of validating numerous signatures for a single transaction.

Energy costs and resource allocation are two of the most often repeated disadvantages of modern cryptocurrencies. Compressing the data and work needed for validation at the base level is appealing to both developers and users.

Improved Operability & Privacy

Signature aggregation can also allow multiple parties to produce a single signature that works for each of their public keys.

Multi-sig functionality for Bitcoin has been limited to special Pay-to-script-hash (P2SH) scripts where each party must submit their public key and signature. This makes it easy for observers to identify multi-sig transactions on the blockchain as well as each party involved.

Signature aggregation schemes such as Schnorr signatures will aggregate data into a single signature, which is indistinguishable from conventional transactions. These compressed signatures will ensure privacy for multi-sig transactions.

This new functionality will lay the foundation for smart contracts and other transactions that require multiple signatures. Tap root, Atomic Swaps & MAST will all make use of signature aggregation.

Security Concerns for Signature Aggregation

Signature aggregation has been in development for several years; however, Bitcoin’s development team must be cautious to maintain the security of the blockchain. An exploit found on the Bitcoin blockchain could potentially cost users hundreds of millions of dollars directly, and Bitcoin holders hundreds of billions if public trust in the integrity of the blockchain fails.

Signature aggregation presents the possibility of a rogue attack where bad actors use the exploit to retrieve partial signatures and other information that could be used to calculate a valid digital signature.

Also, the breadth of signature aggregation increases the risk. If the signatures for a large number of transactions were aggregated, a successful rogue attack would create the possibility of the attacker stealing the funds from a large number of transactions.

Conclusion

In conclusion, the promises of scalability, efficiency and increased privacy through signature aggregation puts it at the top of the list for blockchain improvements.

Developers are justifiably cautious given the potential cost of an exploit.

Researchers have recently made progress with intermediate improvements such as half-aggregation. The ultimate goal is to replace ECDSA with Schnorr signatures to realize all of the advantages signature aggregation can bring to the Bitcoin blockchain.