Aggregated signatures are not new. They have been around since the early 2000s. However, it has not been proven to build something that actually works with Bitcoin’s security model with Bitcoin’s elliptic curve. The developers speculated that it was possible. They shared a sketch of the handwaves and said, “Maybe it will work like musig2, but it will work across the input of the transaction.” This idea has been around for years Developer’s Folklorenever proven closely.
That changed recently when Jonas Nick and Tim Ruffing of Blockstream Research, along with Yannick Seurin, published a paper that transformed the ghost story of this cryptographic into concrete and provable results. Dahlia The first formal and safe structure of a Complete Constant Aggregation Signature (CISA) Scheme It works with Bitcoin’s native curve!
But that’s a lot of words, so let’s break it down:
- Complete collection: Multiple signatures across different inputs are combined into one. The result is a 64-byte signature that remains constant in size regardless of the signer or number of inputs.
- Cross input: Each signer can approve different inputs, all can be combined into one signature.
It does not add any important new assumptions beyond what Bitcoin already depends on. Dahlias builds new encryption primitives using the same mathematics bitcoin that they already rely on, unlocking a whole new kind of signature.
Let’s talk about curves and signatures
A digital signature is the way that Bitcoin proves that the user has approved a transaction. With Bitcoin, the wallet signs the message using a private key, and the network verifies its signature using a matching public key.
Bitcoin uses SECP256K1 curve. It is fast, efficient and has been combat-tested over time. Supports signature schemes like ecdsa (the original signature algorithm for Bitcoin) and Schnod (Added via Taproot in 2021). This is currently the only signature scheme permitted by the Bitcoin Consensus.
Traditionally, full signature aggregation seemed out of reach as it relied on mathematical operations not supported by SECP256K1, which is not a Bitcoin curve. These functions usually rely on other types of elliptic curves. For example, BLS (Boneh – Lynn – Shacham) signatures use a special kind of curve called pairing-friendly curves.
The problem is that the BLS signature does not work with SECP256K1. Schnorr was a natural upgrade from ECDSA, but both rely on the same kind of elliptic curves, so adding BLS is a much bigger leap and leaves Bitcoin’s existing security model. Technically possible, but introduces new encryption assumptions and adds significant complexity to the protocol. Supports curves that are gentle on pairing BLS12-381it will be Big changes in Bitcoin.
This is part of the reason why there has never been a full signature aggregation in SECP256K1.
Until now.
What aggregation signature actually does
Most Bitcoin users are familiar with multi-signals. in Multisig Wallets, multiple people jointly allow for a single UTXO or a specific “coin” spending. Everyone signs the same input data. This setup helps with things like shared custody wallets.
Aggregated Signature Different behavior. Instead of multiple people signing the same input or coin, each signer approves a different UTXO in a transaction. These individual signatures are compressed into one compact proof. In Dahlias, it means a Single 64-byte signature With a Bitcoin SECP256K1 curve that validates all inputs at once.
This means that if you have five inputs from five different people, the transaction requires five different signatures. Aggregated signatures allow you to bundle them all into one. Even if each signer spends different inputs and signs different parts of the transaction, the result is one signature that proves that the entire transaction has been properly approved.
It’s like zipping an entire list of approvals into one file. The signature is compact, but it still verifies that each signer has approved a particular UTXO.
Instead of verifying 10 individual signatures, check one.
This will help you re-adjust your privacy incentives. By reducing the signature overhead to a single 64-byte proof, Dahlias reduces the cost of combining coin join inputs. Be financially smarter to choose privacy than to choose privacy.
Why did half of the aggregation approach?
The developer investigated shortly after Schnorr signatures were introduced to Bitcoin Half coagulationas a way to compress multiple signatures, but they were not of fixed size. As each input contributes to the size of the signature, the transaction still grows with all participants. Dahlias will enable this and fix it Completely coagulated Beyond input and signer. No matter how many people are involved or what they are signing, all signatures are compressed into one constant size of 64-byte proof.
What Dahlia actually unlocks
The main advantage here is that dahlias reduce the size of complex transactions.
Dahlias uses a two-round interactive signature process. It’s similar to Musig2 in that respect, but not a multi-signature protocol as all participants do not have to co-sign the same message. Instead, they aggregate different signatures of different messages across transactions.
Dahlias is also faster to check each signature at up to twice the speed in some cases. Lower verification costs make it easier for more people to run full nodes, allowing Bitcoin to remain decentralized over time.
Importantly, Dahlias comes with a strong encryption guarantee. This scheme includes formal security proofs. Previous “folktale” approaches to full signature aggregation did not do this, some later showed uneasiness. Fortunately, they were not adopted prematurely.
It’s worth repeating: Dahlias is not a Multisig protocol. Sharing similar encryption components is not comparable to MUSIG2 or frost from a functional standpoint. It serves another purpose. It provides a new way to encode many independent authorizations into one clean, verifiable package.
Future direction
You may think: If dahlia is so powerful, why isn’t it a vid? Would you like to propose for the Bitcoin Consensus?
Dahlias’ signatures don’t look like Schnorr or ECDSA signatures. The validation algorithms are different. Instead of taking a single public key, message, or signature that Dahlias Verifier takes list Public keys and messages, and a single 64-byte proof.
This makes Dahlias incompatible with Bitcoin’s current consensus rules. A consensus change is required to support it in the basic layer. This paper does not propose any changes to that, but does something just as important.
This paper shows that a complete signature aggregation scheme for the native curve of Bitcoin is possible.
That’s the only major step forward.
To make Dahlia a part of Bitcoin, someone will need to write a Bitcoin Improvement Proposal (BIP). That means specifying the scheme in detail, taking into account consensus and implementation impacts and building community support. This paper lays the foundation for encryption of that conversation.
The true value of Dahlias paper is what it proves. The complete signature aggregation of SECP256K1 is more than just a thought experiment. It’s concrete. It’s efficient. It’s safe. For years, the idea lived in the developer folktales. Now it’s been written down, analyzed and proven. All that remains is to bring it to Bitcoin.
This is a guest post by Kiara Bickers. The opinions expressed are entirely unique and do not necessarily reflect the opinions of BTC Inc or Bitcoin Magazine.
This post is not ecdsa. It’s not Schnorr. Meet Dahlia. It first appeared in Bitcoin Magazine and is written by Chiara Vickers.
