Key Aggregation for Schnorr Signatures

Schnorr signatures using key aggregation sounds like a powerful tool, yet there seems to be underwhelming use of it. The purpose of this topic is to enumerate tools/articles/examples for how to do aggregated m-of-n schnorr signatures, specifically on BCH.

Resources:

• https://read.cash/@cpacia/new-musig-implementation-in-bchd-4ff95e28
• Key Aggregation for Schnorr Signatures
• Supporting Input Aggregation/MuSig using Transaction Introspection

Sidebar:

What prompted this post is just some brainstorming about how to create and maintain a federated virtual network in a decentralized way. The role of the network participants/members would be to contribute towards generation of a signature to approve some specific function. Please don’t let this detract from the topic, and what comes next is totally half-baked. I was thinking that maybe one possible approach could be to have each of the federation’s members represented by an NFT that contains that member’s details such as IP or web address for others to initiate participation in some signature generation session. Creation and destruction of the NFT would represent federation members entering and exiting the network, and this could be governed by a smart contract requiring a minimum BCH staking requirement to join the virtual network. The member could leave the network at-will by destroying the NFT to reclaim the staking requirement. Obviously the existence of the NFT doesn’t guarantee that the user (or his node) is online, it would only represent the member’s desire to be part of the federation so it would be open to sybil attacks. More brainstorming required

I was looking for info about this for making M-of-N validated oracle messages more compact and efficient:

I’m wondering this: if 2 signers sign the same message, is it possible to produce a combined public key and signature for the same message without knowing any of the secret keys or the combined secret key

context: if multiple oracles sign the same datapoint, could it be verified against some combined key instead of having to validate M signatures

Here are some links about aggregation and threshold signatures:

• Fully Distributed Non-Interactive Adaptively-Secure Threshold
  Signature Scheme with Short Shares: Efficiency Considerations and
  Implementation Note: it says that non-interactive threshold signature can’t be done with Schnorr

• Half-Aggregation of Schnorr Signatures
  with Tight Reductions

• BLS digital signature

• What are Threshold Signatures and How Chainlink Plans to Scale?

This is a very interesting topic for me. As you said, Schnorr signatures are currently only playing a minor role on Bitcoin Cash. I really don’t see them used as much as they should.

Let me point out to this presentation from the 2019 conference, by Mark Lundeberg, which made me want to learn more about Schnorr in general: Boost Privacy on Bitcoin Cash Transactions

What I understand is that it would be possible not only to use Bitcoin Cash for smart contracts (many people here are working on that) but also they can be masked as regular transactions.