Author

Topic: Do aggregate public keys expose a set-like interface? (Read 157 times)

legendary
Activity: 980
Merit: 1008
Thank you for the link gmaxwell, very interesting. So the delete operation *is* possible. I will read through the references from that link and return with more questions.
staff
Activity: 4326
Merit: 8951
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014337.html

There is no simple and efficient membership proof in these sorts of accumulators.
legendary
Activity: 980
Merit: 1008
One way to view a Schnorr aggregate public key is as a non-empty set of public keys.

The interface exposed by this set of public keys includes at least the insert operation. This operation takes as input an existing aggregate public key (PKa), another public key (PKb), and returns an aggregate public key that contains both PKa and PKb.
Note that if both PKa and PKb are aggregate public keys, then this operation acts more like a union operation than insert.

One remarkable property of this set type is that its size, as a function of how many elements it contains, is constant.

Viewing an aggregate public key as a set of public keys raises the question of whether it exposes more set-like operations than just insert. For example, does it support the member operation, which takes as input an aggregate public key PKagg, another public key PKsingle and returns true if PKsingle is contained within PKagg and false otherwise.
Perhaps this operation can be implemented only by requiring more input data, such as a signature (created by the corresponding private key of PKsingle) over a challenge created for the purpose of proving membership?

Another useful operation would be delete, which takes as input an aggregate public key PKagg, another public key PKsingle and returns an aggregate public key that contains all the keys of PKagg except PKsingle.

I am not aware of any other example of constant-sized set, which is why I'm intrigued by this possibility. I realize these operation may require multiple rounds (similar to producing an aggregate signature), but regardless I still think the possibility of a set-like interface for aggregate public keys holds great potential, which is why I want to start this discussion.
Jump to: