Inspired by a question on stackexchange (https://bitcoin.stackexchange.com/q/121209/7214), I wonder:
Is it possible to reduce the size of a transaction if it spends many UTXOs of the same address?
Let's assume some address received 10 payments, resulting in 10 UTXOs. If I were to spend the total amount, I assume the resulting transaction would contain some piece of information (signature?) 10 times - once for each UTXO used as an input.
Would it be possible to re-use this information in the script? If not, where does this limitation come from?
It is not possible. Inputs doesn't have addresses, they contain previous transaction id and output number in that transaction (called "outpoint"), so they differ regardless was they previously send to the same address or not.
Some savings might be possible in future with taproot using cross input signature aggregation, but that will require a soft fork and was left out of initial taproot deployment, because there are some unsolved issues. But also then, it wouldn't matter, were these inputs previously sent to same or different addresses.
reply
I see. Does this also mean there's no (UTXO related) duplicated data in the spending transaction?
reply
Inputs spending outputs with the same locking script repeat some of the input elements necessary to spend the input. E.g. a P2PKH input needs to reveal the public key corresponding to the public key hash appearing in the corresponding transaction output’s output script. This would need to happen again if someone spends another output with the same output script.
If we made reusing the same address cheaper that would undermine the privacy best-practice of using a new output script for every payment. I therefore see zero chance of such a change being adopted in Bitcoin.
reply
Every signature will be different as data to be signed in each input will be different, that is what matters.
Here's random example transaction I just found, it spends exact amounts from multiple inputs, sent to the same address. https://mempool.space/tx/466ddadf42d82027411b2984a6b1b0f1d9631fb05f6e61d97e7634bf34119f2e
Click on "Details" there and compare "Witness" field of each input.
reply
No, every input needs to identify which UTXO it is spending and provide an input script, script arguments, and/or witness stack that satisfies the corresponding output script. The amount of data is the same regardless whether your UTXOs were locked to the same output script or different output scripts.
reply
Also, even if it might be possible to implement such a change, I see zero chance of it being adopted, since it would financially incentivize the privacy-eroding practice of address reuse.
reply
It's not possible because there can't exist two UTXOs with the same id (a UTXO is identified by the id of the transaction that produced it and its output index). And because a signature must reference the UTXO, every signature will be different (because they sign different data).
reply
To my understanding this isn't possible. You have to provide signatures or hash preimages for every single UTXO you want to spend. They cannot be reused for several UTXOs at once because you have to prove for all of them that you own them. Nobody else knows that they all belong to the same keypair.
reply
Isn't the proof the same for all UTXOs? I know I have to prove ownership, but I don't see why the individual proofs are different, or why the proof cannot be reused.
reply
No, because each input's signature commits to the entire context of the transaction. If signatures attached to any input that spends from the same output script, you could replay transactions to spend other UTXOs that share the same output script.
reply
The signature is bound to the UTXO, so it's different for different UTXOs.
reply
It's not the same for all UTXOs - but for different reasons between signatures and hashes.
Signatures have a property called "binding" - it means the signature and what you signed are bound - the signature is a different one when you sign something else.
Hashes have properties called PR and 2PR - it means for a given hash it's impossible to find any preimage.
Another thing I just remembered: Since Segwit this isn't relevant anymore anyways. You gain nothing by making the witness smaller
Also also because maybe you find that interesting: There is a cryptography called "aggregated signatures" which lets you save multiple signatures in the same amount of space as only one signature. It works with the Schnorr Signaturescheme
reply
Pieter has a great answer on this one here: https://bitcoin.stackexchange.com/a/109475/5406
reply