this post was submitted on 10 Jul 2023
19 points (100.0% liked)


Welcome to the Weekly General Discussion on Ethfinance

Massive List of Ethereum Links! - under construction
[Magazine Rules] - see sidebar
Discord - EV Mavericks
Twitter
Be awesome to one another and be sure to contribute the most high quality posts over on our sister magazines. Or guide them here for help and community, too!

Daily Doots Rich List - https://dailydoots.com/

community calendar: via Ethstaker https://ethstaker.cc/event-calendar/

"Find and post crypto jobs." https://cryptojobs.gg/

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago) (1 children)

Don't forget, the Ethereum Foundation is doing an AMA! Here is my favorite comment in the thread, by Justin Drake, pasted (mostly) in its entirety so that you don't have to jump over to Reddit to read it (the technical stuff at the end got cut off cause kbin has a 5000 character limit).

What are one-shot signatures

One-shot signatures are magical cryptographic signatures where the private key can only sign a single message. One-shot signatures exist (so far only in theory, here) thanks to quantum physics. The private key is a quantum superposition which cannot be copied (see quantum no-cloning) and which must be measured (and therefore destroyed) to produce a signature.

Importantly, the signatures themselves are normal bits and bytes and one-shot signatures do not require quantum communication between parties.

why are they so special?

One-shot signatures are exciting because they significantly open up the cryptographic design space, even beyond indistinguishability obfuscation which is commonly (and incorrectly!) seen as the pinnacle of cryptography. For blockchains specifically, they are a tool to tackle long-standing problems. Specifically, one-shot signatures give us:

  • slashing removal: The double vote and surround vote slashing conditions can be removed.
  • perfect finality: Instead of relying on economic finality we can have perfect finality that is guaranteed by cryptography and the laws of physics.
  • 51% finality threshold: The threshold for finality can be reduced from 66% to 51%.
  • instant queue clearing: The activation and exit queues can be instantly cleared whenever finality is reached without inactivity leaking (the default case).
  • weak subjectivity: Weak subjectivity no longer applies, at least in the default case where finality is reached without the need for inactivity leaking.
  • trustless liquid staking: It becomes possible to build staking delegation protocols like Lido or RocketPool that don't require trusted or bonded operators.
  • restaking-free PoS: It becomes possible to design PoS where restaking is neutered.
  • routing-free Lightning: One can design a version of the Lightning network without any of the routing and liquidity issues.
  • proof of location: One can design proof-of-geographical-location which use network latencies to triangulate the position of an entity, without the possibility for that entity to cheat by having multiple copies of the private key.

(technical) How can one-shot signatures be used in consensus?

Going from one-shot signatures to removing slashing conditions and getting perfect finality is relatively easy. The key idea is to create append-only chains of one-shot signatures where every signature signs over the public key for the next one-shot signature. These signature chains can be made stateful, i.e. they can be assigned a state that must evolve according to a specific state transition function for the signatures to be valid.

To illustrate, imagine that every signature signs over a counter representing the epoch number, and that the state transition function requires the epoch number to be strictly increasing for the signature to be valid. By construction it's impossible to have a valid signature chain with the same epoch number, thereby preventing the possibility to equivocate by signing two messages with the same epoch number.

In order to prevent both double votes and surround votes it suffices for the signature chain to hold source and target counters in its state, and for the state transition function to enforce the following two conditions:

  • previous_source <= current_source
  • previous_target < current_target

https://www.reddit.com/r/ethereum/comments/14vpyb3/ama_we_are_ef_research_pt_10_12_july_2023/jrnyxa8/
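
The stateful signature chain described in the quoted comment, sketched as an added example that is not part of the thread or of any EF code. Lamport hash-based one-time signatures stand in for one-shot signatures (an assumption: classical keys can be copied, so this shows only the chain and state-transition checks, not the one-shot property), and `Signer`, `message`, `verify_chain` and `build` are hypothetical names.

```python
import hashlib, os

def H(b): return hashlib.sha256(b).digest()

# Lamport one-time signatures: a classical stand-in (assumption) for one-shot keys.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def message(source, target, next_pk):
    # Each signature covers the vote state and the next public key in the chain.
    pk_id = H(b"".join(a + b for a, b in next_pk))
    return source.to_bytes(8, "big") + target.to_bytes(8, "big") + pk_id

class Signer:  # hypothetical validator holding the current key
    def __init__(self):
        self.sk, self.genesis_pk = keygen()

    def vote(self, source, target):
        next_sk, next_pk = keygen()
        sig = sign(self.sk, message(source, target, next_pk))
        self.sk = next_sk  # old key discarded; with one-shot keys physics enforces this
        return (source, target, next_pk, sig)

def verify_chain(genesis_pk, links):
    pk, prev = genesis_pk, None
    for source, target, next_pk, sig in links:
        if not verify(pk, message(source, target, next_pk), sig):
            return False  # broken link or tampered state
        if prev is not None and not (prev[0] <= source and prev[1] < target):
            return False  # would be a double vote or a surround vote
        pk, prev = next_pk, (source, target)
    return True

def build(votes):  # constructed sample chains: list of (source, target) votes
    s = Signer()
    return s.genesis_pk, [s.vote(a, b) for a, b in votes]
```

A verifier that sees two links signed under the same public key has caught a copied classical key; with real one-shot signatures that second signature cannot be produced at all.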

[–] [email protected] 3 points 1 year ago

Sounds amazing and also far-fetched(?). I am for anything that can simplify the mechanics of the protocol in the long run. Sad that we can't have them do an AMA out of Reddit yet