Aggregate signatures are not new. They have been around since the early 2000s. But building one that actually works in Bitcoin’s security model, on Bitcoin’s elliptic curve, had never been proven possible. Developers speculated that it could be done. They shared hand-wavy sketches and said: “Maybe it would work like MuSig2, but across transaction inputs.” The idea lingered for years as developer folklore, close but never pinned down.
That recently changed, when Jonas Nick and Tim Ruffing of Blockstream Research, together with Yannick Seurin of Ledger, published a paper that turned this cryptographic ghost story into a concrete, provable result. DahLIAS is the first formal, secure construction of a constant-size full aggregate signature (CISA) scheme that works on Bitcoin’s native curve!
But that’s a lot of words, so let’s break it down:
- Full aggregation: Multiple signatures over different inputs are combined into one, and the result is a 64-byte signature whose size remains constant regardless of how many signers or inputs there are.
- Cross-input: Each signer can authorize a different input, and all of the authorizations are combined into one signature.
It does not add significant new assumptions beyond those Bitcoin already depends on. DahLIAS builds a new cryptographic primitive with the same math Bitcoin already trusts, and unlocks a completely new type of signature.
Let’s talk about curves and signatures
Digital signatures are how Bitcoin proves that a user has authorized a transaction. When you spend bitcoin, your wallet uses a private key to sign a message, and the network verifies that signature using the matching public key.
Bitcoin uses the secp256k1 curve. It is fast, efficient and battle-tested over time. It supports signature schemes such as ECDSA (Bitcoin’s original signature algorithm) and Schnorr (added via Taproot in 2021), which are currently the only signature schemes permitted by Bitcoin consensus.
Traditionally, full signature aggregation relied on mathematical operations that are not supported by Bitcoin’s curve, secp256k1, which made it seem out of reach. These operations usually depend on other types of elliptic curves. Boneh-Lynn-Shacham (BLS) signatures, for example, use a special type of curve called a pairing-friendly curve, which makes advanced operations possible, such as combining many signatures, even on different messages, into one.
The problem is that BLS signatures do not work on secp256k1. Schnorr was a natural upgrade from ECDSA, because both rely on the same type of elliptic curve, but adding BLS would be a much larger jump and a departure from the existing Bitcoin security model. Although technically possible, it would introduce new cryptographic assumptions and add considerable complexity to the protocol. Supporting a pairing-friendly curve such as BLS12-381 would be an important change for Bitcoin.
This is part of the reason why full signature aggregation was never done on secp256k1.
Until now.
What aggregated signatures actually do
Most Bitcoin users are familiar with multisignatures. In a multisig wallet, several people jointly authorize the spending of a single UTXO, or a specific “coin”. Everyone signs the same input data. This setup is useful for things like shared-custody wallets.
Aggregated signatures work differently. Instead of several people signing the same input or coin, each signer authorizes a different UTXO in a transaction. These individual signatures are then compressed into one compact proof. With DahLIAS, that means a single 64-byte signature on Bitcoin’s secp256k1 curve that verifies all inputs at the same time.
Today, if a transaction has five inputs from five different people, it needs five different signatures. With an aggregated signature, all of those can be bundled into one. Even if every signer spends a different input and signs a different part of the transaction, the result is one signature that proves that the entire transaction is correctly authorized.
It is like bundling a whole list of approvals into one file. The signature is compact, but still proves that every signer has authorized their specific UTXO.
Instead of verifying 10 separate signatures, you verify one.
This helps to realign the incentives for privacy. By reducing the signature overhead to a single 64-byte proof, DahLIAS lowers the cost of combining many coins as inputs to one transaction, making it financially smarter to choose privacy than to go without.
Why half-aggregation came close
Shortly after Schnorr signatures were introduced on Bitcoin, developers explored half-aggregation as a way to compress multiple signatures, but the result was not a fixed size. Each input contributes to the size of the signature, so the transaction still grows with every participant. DahLIAS solves this by enabling full aggregation across inputs and signers. No matter how many people are involved or what they sign, all their signatures compress into one constant-size, 64-byte proof.
What DahLIAS actually unlocks
The most important advantage here is that DahLIAS reduces the size of complex transactions.
DahLIAS uses an interactive signing process with two rounds. In that respect it is comparable to MuSig2, but it is not a multisignature protocol, because it does not require all participants to sign the same message together. Instead, it collects different signatures on different messages across the transaction.
DahLIAS is also faster to verify than checking each signature separately, up to twice as fast in some cases. Lower verification costs make it easier for more people to run full nodes, which helps to maintain the decentralization of Bitcoin over time.
Importantly, DahLIAS comes with strong cryptographic guarantees. The scheme includes formal security proofs. Earlier “folklore” approaches to full signature aggregation lacked these, and some were later shown to be insecure. Fortunately, they were not adopted prematurely.
It is worth repeating: DahLIAS is not a multisig protocol. It is not functionally comparable to MuSig2 or FROST, even if it shares comparable cryptographic building blocks. It serves a different purpose. It offers a new way to encode many independent approvals in one clean, verifiable package.
Future directions
You might think: if DahLIAS is so powerful, why is it not a BIP? Why isn’t it part of Bitcoin consensus?
DahLIAS signatures do not resemble Schnorr or ECDSA signatures. The verification algorithm is different. Instead of taking a single public key, message and signature, a DahLIAS verifier takes a list of public keys and messages, and a single 64-byte proof.
This makes DahLIAS incompatible with the current Bitcoin consensus rules. Supporting it on the base layer would require a consensus change. The paper does not propose that change, but it does something equally important.
The paper shows that a full signature aggregation scheme for Bitcoin’s native curve is possible.
That alone is an important step forward.
For it to become part of Bitcoin, someone would have to write a Bitcoin Improvement Proposal (BIP), perhaps even using secp256k1lab. That means specifying the scheme in detail, considering the implications for consensus and implementation, and building community support. The paper lays the cryptographic basis for that conversation.
The real value of the DahLIAS paper is what it proves. Full signature aggregation on secp256k1 is not just a thought experiment. It is concrete. It is efficient. It is secure. For years the idea lived in developer folklore. Now it has been written down, analyzed and proven. The only thing that remains is to bring it to Bitcoin, if we want it.
This is a guest post from Kiara Bickers. The opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.
This post, “Not ECDSA. Not Schnorr. Meet DahLIAS.”, first appeared on Bitcoin Magazine and was written by Kiara Bickers.