Dear colleagues,
After having mentioned it in
a Twitter Space a few moments ago, I felt the need to share the idea with you even just as a draft. Utilizing
Lamport Scheme (not
signature) for better byte-efficiency in L1:
- Have signing keys consist of the current ECC key AND a Lamport chain;
- For signing of a transaction, broadcast a tuple consisting of
- the plain transaction,
- hash of the previous Lamport chain concatenated to the transaction
- commitment signed by ECC freezing its UTXO and promising that in a few blocks time the pre image of hash will be published.
- a and b (but not c) are buried in coinbase session of a block B1 by miner M1;
- If upon maturity, such pre-image is not broadcasted, signed commitment is buried in the next block and executed. As a consequence, frozen UTXO pays B1 for a and b being buried at M1's coinbase and miner M2 for burying it [the commitment] in a block B2 subsequent to maturity;
- If pre-image is broadcasted before maturity, it is buried in another block B2', pays for itself, pays M1 for burying a adn b at B1 and pays whatever else was determined in the plain transaction of item 2.a.
The whole point is that, in the typical use case in which pre-image of hash is, in fact, successfully broadcasted before maturity, commitment, the only ECC signature in this protocol is discarded, and only two Lamport hashes end up being buried at L1.
To push economy even further, we could implement a memory-hard hash like Argon2 to do the same entropy-processing trade-off already utilized for passwords, so we could have hashes of, say 12 bytes, making it 24 in total, down from 136 from ECC.