> However, the non-interactive schnorr aggregation trick[1] can be applied to merge the S values of all graftroots and signatures in a transaction into a single aggregate. With this approach only a single R value for each graftroot need be published, lowering the overhead to ~32 bytes-- the same as taproot. This has a side benefit of binding the published grafts to a particular transaction, which might help avoid some screwups.
I don't think that binding grafts to a particular transaction requires this aggregation. It seems to me that you could just sign H(txid, script) rather than H(script). I'm not aware of whether this would break aggregation. --- Daniel Edgecumbe / esotericnonsense [email protected] https://esotericnonsense.com https://danedgecumbe.com _______________________________________________ bitcoin-dev mailing list [email protected] https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
