The optimal SNARK-less on-chain scaling solution


Since people are actively discussing, I would like to propose a simple and better solution which does not use SNARKs. SNARKs are in my view grossly overhyped at the moment.

The solution goes as follows:

  1. Users submit transactions to the operator, using user indexes instead of user public keys to save space.
  2. The operator combines signatures in a block B.
  3. The operator submits the block back to every user from this block.
  4. The user creates a BLS signature share and sends it back to the operator.
  5. The operator waits a while, combines signatures into a multi-signature and sends B, the multi-signature, and the list of users that signed to the smart contract.
  6. The smart contract verifies the signature and saves the block into Ethereum log storage.
  7. To enter you simply deposit money, which will post a corresponding log entry. You can exit by passing your coin to someone who wants to enter.
  8. To find out how much money anyone has, just follow the on-chain history from the beginning of time.
  9. If someone tries to withdraw more than this person has, simply assume that the transaction size is the maximum of what the person has and the transaction value.

Note that this is totally on-chain and no exit required at all. Also there could be any number of operators, concurrently posting.

If you, say, have a billion indices (32-byte indices), you can have the price of an index go to infinity Bancor style, and if you release an index, you get your money back.


Nice idea, would be nice to hear some numbers on a few things

Are the users signing different data or the same? It's difficult to aggregate BLS signatures when the data is different.

How many signatures can you aggregate in BLS signatures? How difficult is this?

Also I think there are some DoS attacks in step 4 when users refuse to join a block, forcing everyone else to recalculate their group signatures, or maybe I am missing something.


That’s a key weakness. The verification costs of an aggregate signature are at least one pairing per distinct message, which equates to one pairing per transaction. Each pairing costs 80,000 gas so the current gas limit (8,000,000) would allow for less than 100 transactions per block (~6 transactions per second, worse than standard 21,000 gas transactions).


So the coins can never leave the contract? This means that the value of the coins on the side-chain will not be the same as on the main chain. For a side-chain to work, we need a proper exit mechanism.

As I understand it the users will sign the block hash, so the signatures will be on the same message. This means verification needs only 2 pairings.

If you do not sign the block, your transaction will still be in the block, but not in the list of users that signed, so the transaction is ignored. Next time the operator will be less likely to include your transaction in the block.
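The balance rules of the proposal (steps 6 to 9) together with the signer-list rule from the reply above, as an added example that is not from any poster in this thread. It assumes a simplified log format (Deposit and Block entries with constructed values, no real BLS verification) and reads step 9 as capping a transfer at the sender's balance.

```python
# Added example: replay the proposal's on-chain log to derive balances.
# Log format and sample values are constructed for illustration only.
from dataclasses import dataclass


@dataclass
class Tx:
    sender: int      # user index, not a public key (step 1)
    recipient: int
    value: int


@dataclass
class Block:
    txs: list        # transactions the operator packed into the block
    signers: set     # user indexes whose BLS share made it into the multi-sig


@dataclass
class Deposit:
    user: int        # entering the system posts a log entry (step 7)
    value: int


def replay(log):
    """Walk the log from the beginning of time (step 8) and return balances.

    A transaction counts only if its sender is in the block's signer list
    (unsigned transactions are ignored, as the reply explains). A transfer
    larger than the sender's balance is clamped to that balance (assumed
    reading of step 9), so nobody can spend more than they hold.
    """
    balances = {}
    for entry in log:
        if isinstance(entry, Deposit):
            balances[entry.user] = balances.get(entry.user, 0) + entry.value
        elif isinstance(entry, Block):
            for tx in entry.txs:
                if tx.sender not in entry.signers:
                    continue                      # sender never signed: ignore
                have = balances.get(tx.sender, 0)
                amount = min(have, tx.value)      # cap at what the sender has
                balances[tx.sender] = have - amount
                balances[tx.recipient] = balances.get(tx.recipient, 0) + amount
    return balances


# Constructed sample log: user 2 skips signing block 1, then overspends in block 2.
SAMPLE_LOG = [
    Deposit(user=1, value=100),
    Deposit(user=2, value=50),
    Block(txs=[Tx(1, 2, 30), Tx(2, 3, 10)], signers={1}),
    Block(txs=[Tx(2, 3, 500)], signers={2}),
]

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))  # {1: 70, 2: 0, 3: 80}
```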


It requires at least one G2 multiplication for BLS verification which costs around 2M gas.
Do you think schnorr signature aggregation also works?