adambor
commented
1 year ago Further thinking about this, the only reason we needed tx ids to be signatures is for PTLCs.
So for transactions which don't require signature adaptors we can keep using just a hash of transaction, instead of schnorr half-aggregated signature (as all signatures are proven to be verified inside the STARK proof anyway).
I am no cryptographer but I think for those txIds we can use just 16 bytes - providing 2^128 bits of security, I believe we don't need to care about collision resistance (which would be just 2^64), since even if someone finds another pre-image it still HAS to be a hash of a valid transaction - which it most probably won't be. Alternatively we can also pad the txIds to 32 bytes, with 16 bytes coming from transaction hash and another 16 bytes coming from block's pseudo-randomness - this is equivalent to password salting, so should provide additional resistance to multi-target attack.
If this is possible it would further cut the ephemeral data size to 21MB in the worst case (2^17 PTLC txns - 7MB, and 2^20 - 2^17 normal txns - 14MB) and in best case to 16MB (all txns normal).
EDIT: Those 16 bytes for the txIds are coming from SHA256 (or other more STARK friendly hash function like MiMC or Poseidon), by taking first 16 bytes of the full hash. Signatures for the transactions are still computed over full 32-byte hash.
EDIT2: Okay, realized that using 16 bytes is definitely not enough and collision resistance (2^64) is a real issue - which would allow double commitment by a sophisticated attacker (committing to 2 different state transition in the same transaction and being able send one to party 1 and another one to party 2, leading to double-spending of client-side-validated state). But still I believe we don't need full 32 bytes of the hash function, maybe 20 bytes is enough (recall that this is what is used for P2WKH addresses), and this could especially be the case for arithmetic based hash function (which will be used for Abraxas because of the STARK proof). Arithmetic based hash functions are several times slower to compute than binary hash functions like sha256 (but the former is much cheaper to verify inside a STARK proof).
So with 20 bytes per normal txns the ephemeral data size looks as follows: 24.5MB in the worst case (2^17 PTLC txns - 7MB, and 2^20 - 2^17 normal txns - 17.5MB) 20MB in the best case (all txns normal).
cryptoquick
In the paper we discussed adaptor signatures (required for PTLCs) and their incompatibility with schnorr half-aggregation, coming into conclusion that half-aggregation cannot be used.
But, most transactions will probably not be PTLCs, so we can do schnorr half-aggregation by default and let people opt-in for non-aggregated signatures by a version bit in a transaction.
We can limit total amount of non-aggregated signatures per block to e.g. 2^17 (~130k), to make sure those transactions have to pay a higher fees (as there is more limited space for them).
This way we will be able to cut ephemeral data size from 56MB to (in the worst case scenario) 31.5MB - almost 45% reduction!