Should Taproot have been delayed until CISA is finalized? \ stacker news ~bitcoin

Should Taproot have been delayed until CISA is finalized?

1716 sats \ 17 comments \ @shibe 15 Mar 2023 bitcoin

This is a question that I posted to /r/BitcoinDiscussion a while ago and I'd be curious to hear your thoughts on this too

Cross-Input Signature Aggregation has been something that Bitcoin will likely eventually get. It'll allow you to only provide one signature for a transaction (instead of one per input), making large coinjoins (or even exchanges consolidating UTXOs) cheaper.

But reading about it, it seems that it would require introducing a new output type, as it will be incompatible with the current P2TR output.

The issue I see is that first of, this would introduce a new output type (compromises privacy). Should Taproot have been perhaps delayed until CISA? That way the incentive for upgrading to Taproot would be greater too (huge fee reductions, switching from P2PKH->Taproot-CISA would probably have yielded 70-90% fee reduction for exchanges and other users with large amount of UTXOs), which would be a win for privacy since Taproot addresses can be multisig, or script addresses, or just a simple singlesig, so more users using it would lead to more privacy for everybody.

Also, do you think this is something that maybe a hard-fork could be done over? It seems to me to be the least controversial change to Bitcoin, and doing a hard-fork would allow you to make existing + legacy outputs (Segwit P2WPKH, P2PKH and even Taproot addresses), so the savings would apply to the existing UTXOs.

It'd also avoid another trade-off of a theoretical soft-fork: That spending a CISA input with a soft-fork would likely require you to add a 1 byte place-holder to the witness section (You can't leave witness section empty apparently)

tl;dr: CISA will increase scalability of base layer and increase privacy (by making coinjoins cheaper, to the point it'd be cheaper to join a coinjoin pool than do a transaction on your own). But should it be a hard-fork?

view all related items

3101 sats \ 10 replies \ @Murch 15 Mar 2023

You’re overestimating the blockspace savings from CISA. A P2TR keypath input weighs 57.5 vB. 41 vB of that is from data that every input still needs: outpoint (36 vB), nSequence (4 vB), scriptSig length indicator (1 vB). The witness stack only contributes 66 WU.
So, assuming the CISA-compatible output had the same structure (which is reasonable) and we could just drop the whole witness stack for all but one input, the average vsize per input would asymptotically converge from 57.5 vB (one input tx) towards 41 vB as inputs grow in count on the transaction. The maximum savings would therefore be up to 28.7% of the input weight of the transaction, outputs and header remain unaffected. It’s not clear to me how that would get anyone 70–90% fee reductions.

Hard-forking in a manner as described would invalidate any pre-signed transactions created for future broadcast. For example that would destroy funds held in time-locked vaults based on pre-signed transactions for which the keys have been destroyed.

10 sats \ 5 replies \ @0260378aef 16 Mar 2023

To clarify in case a reader is confused, 28.7% of the input weight is a much lesser percentage of the total weight of the transaction, depending on the ratio of inputs to outputs (in size/weight).

Savings is basically 16.5 vB for every input except 1. Let's take a big coinjoin like 100 in, 100 out. You save 16.5 x 99 so 1633.5, but the original full size was 10.5 + 43 x 100 + 57.5 x 100 = 10060.5, so your percentage savings is 16.2%.

(That's already very close to the asymyptotic best, so I don't think you can get above like 16.5% however big the tx is, and for smaller transactions the savings can be a lot lower).

10 sats \ 4 replies \ @shafemtol 16 Mar 2023

28.7% would be the theoretical limit for a massive consolidation tx. But consolidation is harmful to privacy, at least in the usual case of a single owner, as it signals common ownership of all the inputs.

10 sats \ 3 replies \ @0260378aef 16 Mar 2023

28.7% would be the theoretical limit for a massive consolidation tx.

28.7% of the inputs. You cannot get 28.7% savings for the whole transaction. That's what I was trying to clarify.

7 sats \ 2 replies \ @shafemtol 16 Mar 2023

By massive consolidation tx I mean a tx where the total weight of the tx is dominated by the weight of the inputs. E.g. hundreds of inputs and a single output. For such a transaction you can approach the 28.7% savings limit.

10 sats \ 1 reply \ @0260378aef 16 Mar 2023

oh! like a 1 output tx. yes good point, sorry. (i was focusing on coinjoin as the likely reason for a huge transaction).

10 sats \ 0 replies \ @0260378aef 16 Mar 2023

Further to that of course: coinjoin aside, just considering "batching" - that is by far the main concept in people's head when they think about CISA.

You're still very right to raise it though, for a very unusual class of consolidation tx, it is indeed possible to get that much higher (but still small!) saving.

1 sat \ 1 reply \ @kristapsk 15 Mar 2023

It could benefit large coinjoins like WabiSabi, with hundredths of inputs.

1 sat \ 0 replies \ @shafemtol 15 Mar 2023

In WabiSabi you have hundreds of outputs as well, 43 vB each in the case of Taproot. So the maximum savings there would be around 16%.

0 sats \ 1 reply \ @shibe OP 16 Mar 2023

Apologies for the confusion, what I meant is that upgrading from Legacy P2PKH would yield such a fee reduction, thus exchanges and other users would be highly incentivized to finally upgrade to both Segwit and Taproot.

It seems I also overestimated the upper bound of reductions. Going from P2PKH->Taproot + CISA would yield a 72% reduction in fees

0 sats \ 0 replies \ @Murch 16 Mar 2023

Ah, I see what you mean.

649 sats \ 0 replies \ @shafemtol 15 Mar 2023

I think talking about 70-90% fee reduction in the context of CISA is a bit misleading.

Assuming a spherical blockchain in a vacuum, a P2PKH input takes 148 vB, while a Taproot input takes 57.5 vB [source]. Going from P2PKH to Taproot thus saves 1 - 57.5 / 148 = 61% of vsize on the inputs. With full aggregation you could remove the 16 vB (64 bytes) signature from each input. This would save 16 / 57.5 = 28% on the inputs compared to Taproot. While the total reduction going from P2PKH to Taproot-full-aggregation-CISA would be 1 - (57.5 - 16) / 148 = 72% per input (so lower end of your figure). Of this 72% reduction, most of it, 61% / 72% = 85%, comes from going from P2PKH to Taproot with no CISA.

Also: That's for full aggregation, which requires interactivity if there are multiple signers. There's also half aggregation, which has only half the savings, but can be performed non-interactively. If for privacy you want everyone to use the same kind of signature aggregation, then you'd have to settle on half aggregation so as not to make it impractical in certain scenarios.

I wouldn't worry too much about yet another output type being introduced after Taproot. Taproot provides privacy benefits today, such as n-of-n multisig being indistinguishable from a single-sig payment. Its privacy impact will improve as more users move from older output types to Taproot, even if a Taproot v2 comes in to split the userbase later.

There will definitely not be a hard-fork over this. Hard-forks are deeply antithetical to Bitcoin. The only way Bitcoin could have a hard-fork is if some issue puts Bitcoin in a serious crisis that could not be fixed with a soft-fork.

29 sats \ 0 replies \ @kristapsk 17 Mar 2023

https://github.com/BlockstreamResearch/cross-input-aggregation/blob/master/savings.org

10 sats \ 0 replies \ @faithandcredit 16 Mar 2023

Cisa is great but as far as I understand it's a bridge too far and taproot signature aggregation is the best bitcoin get

10 sats \ 0 replies \ @03bebce944 16 Mar 2023

No one knows what CISA would even concretely look like. Not really clear that a sane design that doesn't dramatically increase wallet complexity is possible.

0 sats \ 0 replies \ @monk_cactus 17 Mar 2023

No hard forks unless it is absolutely necessary. I like knowing that people are out there running older versions of core

0 sats \ 0 replies \ @jtwoodhouse 15 Mar 2023

Can't change the past