pull down to refresh

Should Taproot have been delayed until CISA is finalized?
1716 sats \ 17 comments \ @shibe 15 Mar 2023 bitcoin
This is a question that I posted to /r/BitcoinDiscussion a while ago and I'd be curious to hear your thoughts on this too
Cross-Input Signature Aggregation has been something that Bitcoin will likely eventually get. It'll allow you to only provide one signature for a transaction (instead of one per input), making large coinjoins (or even exchanges consolidating UTXOs) cheaper.
But reading about it, it seems that it would require introducing a new output type, as it will be incompatible with the current P2TR output.
The issue I see is that first of, this would introduce a new output type (compromises privacy). Should Taproot have been perhaps delayed until CISA? That way the incentive for upgrading to Taproot would be greater too (huge fee reductions, switching from P2PKH->Taproot-CISA would probably have yielded 70-90% fee reduction for exchanges and other users with large amount of UTXOs), which would be a win for privacy since Taproot addresses can be multisig, or script addresses, or just a simple singlesig, so more users using it would lead to more privacy for everybody.
Also, do you think this is something that maybe a hard-fork could be done over? It seems to me to be the least controversial change to Bitcoin, and doing a hard-fork would allow you to make existing + legacy outputs (Segwit P2WPKH, P2PKH and even Taproot addresses), so the savings would apply to the existing UTXOs.
It'd also avoid another trade-off of a theoretical soft-fork: That spending a CISA input with a soft-fork would likely require you to add a 1 byte place-holder to the witness section (You can't leave witness section empty apparently)
tl;dr: CISA will increase scalability of base layer and increase privacy (by making coinjoins cheaper, to the point it'd be cheaper to join a coinjoin pool than do a transaction on your own). But should it be a hard-fork?
write
preview
related posts
3101 sats \ 10 replies \ @Murch 15 Mar 2023
You’re overestimating the blockspace savings from CISA. A P2TR keypath input weighs 57.5 vB. 41 vB of that is from data that every input still needs: outpoint (36 vB), nSequence (4 vB), scriptSig length indicator (1 vB). The witness stack only contributes 66 WU.
So, assuming the CISA-compatible output had the same structure (which is reasonable) and we could just drop the whole witness stack for all but one input, the average vsize per input would asymptotically converge from 57.5 vB (one input tx) towards 41 vB as inputs grow in count on the transaction. The maximum savings would therefore be up to 28.7% of the input weight of the transaction, outputs and header remain unaffected. It’s not clear to me how that would get anyone 70–90% fee reductions.
Hard-forking in a manner as described would invalidate any pre-signed transactions created for future broadcast. For example that would destroy funds held in time-locked vaults based on pre-signed transactions for which the keys have been destroyed.
reply
10 sats \ 5 replies \ @0260378aef 16 Mar 2023
To clarify in case a reader is confused, 28.7% of the input weight is a much lesser percentage of the total weight of the transaction, depending on the ratio of inputs to outputs (in size/weight).
Savings is basically 16.5 vB for every input except 1. Let's take a big coinjoin like 100 in, 100 out. You save 16.5 x 99 so 1633.5, but the original full size was 10.5 + 43 x 100 + 57.5 x 100 = 10060.5, so your percentage savings is 16.2%.
(That's already very close to the asymyptotic best, so I don't think you can get above like 16.5% however big the tx is, and for smaller transactions the savings can be a lot lower).
reply
10 sats \ 4 replies \ @shafemtol 16 Mar 2023
28.7% would be the theoretical limit for a massive consolidation tx. But consolidation is harmful to privacy, at least in the usual case of a single owner, as it signals common ownership of all the inputs.
reply
10 sats \ 3 replies \ @0260378aef 16 Mar 2023
28.7% would be the theoretical limit for a massive consolidation tx.
28.7% of the inputs. You cannot get 28.7% savings for the whole transaction. That's what I was trying to clarify.
reply
7 sats \ 2 replies \ @shafemtol 16 Mar 2023
By massive consolidation tx I mean a tx where the total weight of the tx is dominated by the weight of the inputs. E.g. hundreds of inputs and a single output. For such a transaction you can approach the 28.7% savings limit.
reply
10 sats \ 1 reply \ @0260378aef 16 Mar 2023
oh! like a 1 output tx. yes good point, sorry. (i was focusing on coinjoin as the likely reason for a huge transaction).
reply
10 sats \ 0 replies \ @0260378aef 16 Mar 2023
Further to that of course: coinjoin aside, just considering "batching" - that is by far the main concept in people's head when they think about CISA.
You're still very right to raise it though, for a very unusual class of consolidation tx, it is indeed possible to get that much higher (but still small!) saving.
reply
1 sat \ 1 reply \ @kristapsk 15 Mar 2023
It could benefit large coinjoins like WabiSabi, with hundredths of inputs.
reply
1 sat \ 0 replies \ @shafemtol 15 Mar 2023
In WabiSabi you have hundreds of outputs as well, 43 vB each in the case of Taproot. So the maximum savings there would be around 16%.
reply
0 sats \ 1 reply \ @shibe OP 16 Mar 2023
Apologies for the confusion, what I meant is that upgrading from Legacy P2PKH would yield such a fee reduction, thus exchanges and other users would be highly incentivized to finally upgrade to both Segwit and Taproot.
It seems I also overestimated the upper bound of reductions. Going from P2PKH->Taproot + CISA would yield a 72% reduction in fees
reply
0 sats \ 0 replies \ @Murch 16 Mar 2023
Ah, I see what you mean.
reply
649 sats \ 0 replies \ @shafemtol 15 Mar 2023
I think talking about 70-90% fee reduction in the context of CISA is a bit misleading.
Assuming a spherical blockchain in a vacuum, a P2PKH input takes 148 vB, while a Taproot input takes 57.5 vB [source]. Going from P2PKH to Taproot thus saves 1 - 57.5 / 148 = 61% of vsize on the inputs. With full aggregation you could remove the 16 vB (64 bytes) signature from each input. This would save 16 / 57.5 = 28% on the inputs compared to Taproot. While the total reduction going from P2PKH to Taproot-full-aggregation-CISA would be 1 - (57.5 - 16) / 148 = 72% per input (so lower end of your figure). Of this 72% reduction, most of it, 61% / 72% = 85%, comes from going from P2PKH to Taproot with no CISA.
Also: That's for full aggregation, which requires interactivity if there are multiple signers. There's also half aggregation, which has only half the savings, but can be performed non-interactively. If for privacy you want everyone to use the same kind of signature aggregation, then you'd have to settle on half aggregation so as not to make it impractical in certain scenarios.
I wouldn't worry too much about yet another output type being introduced after Taproot. Taproot provides privacy benefits today, such as n-of-n multisig being indistinguishable from a single-sig payment. Its privacy impact will improve as more users move from older output types to Taproot, even if a Taproot v2 comes in to split the userbase later.
There will definitely not be a hard-fork over this. Hard-forks are deeply antithetical to Bitcoin. The only way Bitcoin could have a hard-fork is if some issue puts Bitcoin in a serious crisis that could not be fixed with a soft-fork.
reply
29 sats \ 0 replies \ @kristapsk 17 Mar 2023
https://github.com/BlockstreamResearch/cross-input-aggregation/blob/master/savings.org
reply
10 sats \ 0 replies \ @faithandcredit 16 Mar 2023
Cisa is great but as far as I understand it's a bridge too far and taproot signature aggregation is the best bitcoin get
reply
0 sats \ 0 replies \ @monk_cactus 17 Mar 2023
No hard forks unless it is absolutely necessary. I like knowing that people are out there running older versions of core
reply
0 sats \ 0 replies \ @jtwoodhouse 15 Mar 2023
Can't change the past
reply
10 sats \ 0 replies \ @03bebce944 16 Mar 2023
deleted by author
reply