DahLIAS: Discrete Logarithm-Based Interactive Aggregate Signatures

The recent publication of DahLIAS by Jonas Nick, Tim Ruffing, and Yannick Seurin introduces the first interactive aggregate signature scheme with constant-size signatures (64 bytes) that is compatible with secp256k1, marking a significant advancement in the field of cryptographic protocols. The paper, available at eprint.iacr.org, showcases DahLIAS as a pivotal solution for Cross-Input Signature Aggregation (CISA), aimed at reducing transaction sizes and verification costs. Aggregate signature schemes are uniquely suited for CISA because they allow each signer to contribute their own message, unlike multi- and threshold signatures where a single message is signed by all signers. This distinction is critical for applications like Bitcoin transactions, where each input requires signing a different message.

Prior attempts at creating constant-size aggregate signatures faced challenges, such as relying on cryptographic assumptions not aligned with the discrete logarithm problem foundational to Bitcoin's secp256k1 signatures, or lacking in detailed descriptions and security validations. In contrast, the DahLIAS scheme not only offers a secure and efficient framework but also proves the security of a class of previously speculative constructions, provided key tweaking is not used.

One notable aspect of DahLIAS is its compatibility with key tweaking, which was identified as a vulnerability in other aggregate signature schemes derived from MuSig2. Furthermore, the operational efficiency of DahLIAS is highlighted through its two-round communication process for signing, where the initial round does not require knowledge of the messages to be signed. This feature, coupled with the fact that DahLIAS signatures can be verified twice as fast as half-aggregate Schnorr signatures and batch verifications of individual Schnorr signatures, positions DahLIAS as an exceptionally promising component for future CISA proposals. The authors express their openness to feedback and discussions, underscoring their commitment to contributing to the development of more efficient cryptographic solutions within the Bitcoin ecosystem.