Since the title of this thread is about future-proofing, there is one important future you are missing. With Schnorr-based multisig on secp (and its variants such as 25519-dalek, ristretto, etc., but NOT ordinary 25519), you can have multisig proofs that are effectively indistinguishable from single-signature proofs. This is because Schnorr can be additive. This allows for some important privacy options — you can know that an aggregate threshold of multiple people signed it, but not specifically who. The terms I have been using are accountable signatures, where you need to know who signed it and how many (the traditional multisig in Bitcoin), and non-accountable signatures (now available as an option in Bitcoin Taproot).

It also solves some business issues, as you can have a signature that approves new stock shares signed by an accountable super-majority of the board of directors, or by 50%+1 of stockholders, who need coercion resistance against the more powerful members and thus need to be able to vote anonymously and non-accountably. You can also combine these with a smart signature.

In addition, this ability has an impact on the future of chain signatures. You can just add all the previous Schnorr signatures and provide only the aggregate of the chain. It is only valid if all of the chain is valid, but it does not require the chain itself, only the signature of the last entry.

There is also something called adapter signatures which is relevant to the future: you can't verify the signature without an offline secret generated separately. This is often used with payments, where the signature is not valid unless the fee has been paid, thus revealing the secret you need. Issue now, pay later!

Let me know if these are of interest to you — Blockchain Commons has on our roadmap to demonstrate these this year with CBOR, but could be funded to demonstrate with LD-Proofs.

-- Christopher Allen

Received on Friday, 14 January 2022 18:21:47 UTC
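The property the post relies on, that a Schnorr signature produced jointly by several signers verifies with exactly the same check as a single-key signature, is easy to see in code. The following is an added illustration, not code from the post or from Blockchain Commons: a toy Schnorr scheme over secp256k1 in pure Python, with MuSig-style key aggregation (each public key weighted by a hash coefficient so that one participant cannot choose a "rogue" key that cancels the others). The aggregated public key, the nonce-commitment rounds of a production MuSig protocol, and the constant-time arithmetic a real implementation needs are all left out or simplified here; the point is only that `verify()` never learns whether one key or many stood behind the signature.

```python
"""Toy Schnorr on secp256k1 with MuSig-style key aggregation (constructed example).

Not constant-time, no nonce-commitment rounds, no x-only/BIP340 encoding:
enough to show that an aggregate signature is checked exactly like a single one.
"""
import hashlib
import secrets

# secp256k1 domain parameters (public constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mul(k, pt):
    """Double-and-add scalar multiplication (not side-channel safe)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def h(*parts):
    """Hash-to-scalar used for challenges, nonces and key coefficients."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N


def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mul(d, G)


def sign(d, pub, msg):
    """Plain single-key Schnorr: (R, s) with s = k + e*d."""
    k = h(d.to_bytes(32, "big"), msg)          # deterministic nonce
    R = scalar_mul(k, G)
    e = h(encode(R), encode(pub), msg)
    return R, (k + e * d) % N


def verify(pub, msg, sig):
    """The one and only verification equation: s*G == R + e*P."""
    R, s = sig
    e = h(encode(R), encode(pub), msg)
    return scalar_mul(s, G) == point_add(R, scalar_mul(e, pub))


def aggregate_key(pubs):
    """MuSig-style aggregation: P_agg = sum(a_i * P_i), a_i = H(L || P_i)."""
    L = b"".join(encode(p) for p in pubs)
    coeffs = [h(L, encode(p)) for p in pubs]
    agg = None
    for a, p in zip(coeffs, pubs):
        agg = point_add(agg, scalar_mul(a, p))
    return agg, coeffs


def cosign(privs, pubs, msg):
    """Each signer contributes k_i and s_i = k_i + e*a_i*d_i; sums are the signature."""
    agg_pub, coeffs = aggregate_key(pubs)
    nonces = [secrets.randbelow(N - 1) + 1 for _ in privs]   # fresh per signing
    R = None
    for k in nonces:
        R = point_add(R, scalar_mul(k, G))
    e = h(encode(R), encode(agg_pub), msg)
    s = sum(k + e * a * d for k, a, d in zip(nonces, coeffs, privs)) % N
    return agg_pub, (R, s)


if __name__ == "__main__":
    d1, p1 = keygen()
    d2, p2 = keygen()
    msg = b"approve issuance of 1000 shares"      # constructed sample message
    agg_pub, sig = cosign([d1, d2], [p1, p2], msg)
    print("two-party signature verifies as a single key:", verify(agg_pub, msg, sig))
```

Because `verify()` is the same function for both cases, a relying party holding only `agg_pub` cannot tell from the signature whether one key or several stood behind it, which is the non-accountable property the post describes.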