Return-Path: <jonasdnick@gmail.com>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])
 by lists.linuxfoundation.org (Postfix) with ESMTP id B57D8C000B
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Fri, 18 Feb 2022 13:54:12 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp2.osuosl.org (Postfix) with ESMTP id B14874014D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Fri, 18 Feb 2022 13:54:12 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
 autolearn=ham autolearn_force=no
Authentication-Results: smtp2.osuosl.org (amavisd-new);
 dkim=pass (2048-bit key) header.d=gmail.com
Received: from smtp2.osuosl.org ([127.0.0.1])
 by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id C4v81HZJoTuB
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Fri, 18 Feb 2022 13:54:11 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com
 [IPv6:2a00:1450:4864:20::436])
 by smtp2.osuosl.org (Postfix) with ESMTPS id 448A940110
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Fri, 18 Feb 2022 13:54:11 +0000 (UTC)
Received: by mail-wr1-x436.google.com with SMTP id u1so14708255wrg.11
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Fri, 18 Feb 2022 05:54:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=from:message-id:date:mime-version:user-agent:subject
 :content-language:to:references:in-reply-to
 :content-transfer-encoding;
 bh=Anh1N5cpYfEJNbWRgOCEKiZc/pSOjPYWqSpqPpKe5rA=;
 b=P1Ow8oFg/Hs1GoN6BaTYOzJyUzB52kqFdRAJe+VpmNBGvGUh0XPFUT9K40bIFcwr4D
 jICxQXR9Pfj3Cnog7GUCiG8BvsgNun4ws7dTF9r1qc++X/I+WdfXlphKKujPSL+XNK6R
 tgL7lo4i+MzvsIKrj6JwGy65+HGpfZCwcG8fVdX615gjy3UGsydRuzuRmcoazlfJwTBM
 Hr1Yi0u4a2eV3g23rhRVX1p4jb0nlHERldZ6f9pyjTwlRoE647wIIyuLZnRT0ebeGAgi
 VP25WRG5BDdjooYxTiVgCgQpg8u8nA/leskdnt3/fpy12+1Gf7q7VDhEwN5WmzLOK57N
 joDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:from:message-id:date:mime-version:user-agent
 :subject:content-language:to:references:in-reply-to
 :content-transfer-encoding;
 bh=Anh1N5cpYfEJNbWRgOCEKiZc/pSOjPYWqSpqPpKe5rA=;
 b=7nf1F6vQmCky3QtftnhXHh+J2YAus9v+3GsuzSz7YdXSo1W2HtdCzI+cOflirKnoMc
 fR2lNyoEX86Dsj0wMckOPmHHYBesaIzs0477S3z5eIPfD5VYJqPRPe1+g2a4BQzJZ+ce
 N1GAbEcROFYAKVGZNimd7J9UAr9wL6V85oDg8Aog39dJpyTXjRfKRxfxT/PiDheZVAJC
 g3or9WDWbYMaqxdPU/1vTEuFlZrnGnaT+ppBuMaS+rO/cSakraQJvmi347JBgSc4IOAI
 Pn4Q2madn+TKhz7iTeO5zHgFjJbrthbDe1/ahYC+gG4fYI9tpSow7yc8kB9VTUYG5TjQ
 6X8Q==
X-Gm-Message-State: AOAM5330RPURH3m8EcSNE3TH6P28b4XjlCEK3vVfe9GhmRq9QVGTT7GE
 jdAN6hZ/J0GuMnMOqUyl3H8=
X-Google-Smtp-Source: ABdhPJxujUDNdHiDhG/kkqHE0ZsSXrL0LyRZEFKnbyXMwGJpLU9/fRtTxe0mdzYbHzpyXVUWe8k9sQ==
X-Received: by 2002:a5d:6145:0:b0:1e3:169c:197c with SMTP id
 y5-20020a5d6145000000b001e3169c197cmr6034586wrt.611.1645192449397; 
 Fri, 18 Feb 2022 05:54:09 -0800 (PST)
Received: from [10.12.10.3] (190-2-132-141.hosted-by-worldstream.net.
 [190.2.132.141])
 by smtp.googlemail.com with ESMTPSA id o20sm5138343wmq.21.2022.02.18.05.54.08
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Fri, 18 Feb 2022 05:54:08 -0800 (PST)
From: Jonas Nick <jonasdnick@gmail.com>
X-Google-Original-From: Jonas Nick <jonasd.nick@gmail.com>
Message-ID: <4adf8c88-eebd-8fd3-21af-fa059ca9d911@gmail.com>
Date: Fri, 18 Feb 2022 13:55:31 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.6.1
Content-Language: en-US-large
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>,
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
References: <6nZ-SkxvJLrOCOIdUtLOsdnl94DoX_NHY0uwZ7sw78t24FQ33QJlJU95W7Sk1ja5EFic5a3yql14MLmSAYFZvLGBS4lDUJfr8ut9hdB7GD4=@protonmail.com>
In-Reply-To: <6nZ-SkxvJLrOCOIdUtLOsdnl94DoX_NHY0uwZ7sw78t24FQ33QJlJU95W7Sk1ja5EFic5a3yql14MLmSAYFZvLGBS4lDUJfr8ut9hdB7GD4=@protonmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Fri, 18 Feb 2022 13:55:08 +0000
Subject: Re: [bitcoin-dev] `OP_EVICT`: An Alternative to
 `OP_TAPLEAFUPDATEVERIFY`
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Feb 2022 13:54:12 -0000

On the topic of half aggregation, Chalkias et al. gave a convincing security
proof last year:
https://eprint.iacr.org/2021/350

As an aside, half aggregation is not exactly the scheme in the OP because that
one is insecure. This does not affect Zmn's conclusion and was already
pointed out in the original half aggregation thread:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014306.html

It is required that each of the "s"-values are multiplied with a different
unpredictable value, for example like this:
https://github.com/ElementsProject/cross-input-aggregation/blob/master/slides/2021-Q2-halfagg-impl.org#schnorr-signature-half-aggregation-1