Topic: [INFO - DISCUSSION] Cross-Input Signature Aggregation (CISA)
cygan (OP)
October 07, 2024, 05:46:09 PM
Merited by fillippone (3), vapourminer (2), d5000 (2), ABCbits (2)
 #1

as the Bitcoin network continues to grow, many network participants are wondering what improvements could be implemented next to further optimize scalability, efficiency and privacy.
Cross-Input Signature Aggregation (CISA) is an approach that aims to combine multiple signatures within a transaction or even across multiple transactions into a single signature. this is made possible by the linear properties of schnorr signatures, which have been implemented in Bitcoin since the taproot upgrade in 2021.
it is important to distinguish cisa from multi-signature protocols, as these concepts are often confused: while multi-signature protocols such as musig or frost aim to combine multiple keys into a single one, cisa enables the aggregation of signatures created by different keys and for different messages. this means that signatures from different inputs of a transaction or even from several different transactions can be combined to save storage space in the Bitcoin blocks and associated costs, thus increasing efficiency.

you can find more information about the cisa upgrade on the official homepage: https://cisaresearch.org/

ABCbits
October 08, 2024, 09:01:41 AM
 #2

The potential reduction in transaction size seems to be very promising, especially when we consider the resistance to increasing the block size and the relatively low usage of LN and other off-chain approaches. While their website only mentions space/fee savings at the transaction level, I wonder exactly how much space/fee could be saved when we combine transaction-level aggregation and block-level aggregation. Although I doubt many wallets or cryptocurrency services would bother to support full-agg, since it's interactive and requires more code changes on their side.

cygan (OP)
March 26, 2025, 11:55:03 AM
Last edit: March 26, 2025, 01:57:47 PM by cygan
Merited by ABCbits (2), d5000 (1)
 #3

cisa consists of the following two models:
  • half agg
  • full agg

the following slides describe very well how the non-interactive model 'half agg' works
based on the average values of the blocks 833000 - 886000 this model would save about 19% in space and almost 7% in fees




https://twitter.com/Bitcoin_Devs

Kruw
March 27, 2025, 04:12:18 AM
Last edit: March 27, 2025, 01:48:28 PM by Kruw
 #4

Quote from: cygan
as the Bitcoin network continues to grow, many network participants are wondering what improvements could be implemented next to further optimize scalability, efficiency and privacy.

One thing to note is that CISA does not directly improve privacy, but it makes coinjoin transactions cheaper than regular Bitcoin transactions. This shifts the incentives so that users will save money from the process of gaining privacy.

fillippone
March 29, 2025, 08:28:32 PM
 #5

I recently heard an update about CISA in an Italian podcast that flagged this paper:



That happened to be on the website you linked in the OP.

Adding this thread to my "container"

A Look at Innovation in Bitcoin’s Technology Stack [complete with references]

NotATether
March 29, 2025, 08:36:21 PM
 #6

A big win for privacy if this goes through, assuming that inputs aggregated this way cannot be reverse engineered (I did not read the research paper).

I have always been a big fan of aggregation, believing this is the way forward if we want to see scalability within the Bitcoin layer 1.

And now it's finally here, albeit in alpha form.

d5000
April 04, 2025, 01:55:24 AM
Last edit: April 04, 2025, 07:05:53 PM by d5000
Merited by cygan (3), ABCbits (3), fillippone (3)
 #7

Very interesting stuff. Above all the implications for CoinJoins, but also for the notorious exchange consolidation transactions seem to be huge.

However, it seems quite far away still. There's only a draft BIP for half-aggregation (here). I read the research paper and one of the problems is that CISA could even reduce the privacy of some other techniques like adaptor signatures. I also read this transcript of a 2024 discussion, and one of the drawbacks seems to be that full-agg still has not been formally proven to be secure. The research paper from last month doesn't mention this though, perhaps this issue has already been solved.

There's also the interactivity requirement for full-agg which seems like a major issue for CoinJoins, but not for consolidations and other txes made by single entities. Half-agg hasn't this problem.

But for those who like to read about Layer 2's there seems to be a quite interesting and recent development: a new layer 2 idea called Shielded CSV (still didn't read the paper, may be a topic for a new thread). Lightning can also benefit from it even before a consensus change.

Optech site for those wanting to delve deeper: https://bitcoinops.org/en/topics/cross-input-signature-aggregation/

NotATether
April 05, 2025, 01:32:32 PM
 #8

Quote from: d5000
However, it seems quite far away still. There's only a draft BIP for half-aggregation (here). I read the research paper and one of the problems is that CISA could even reduce the privacy of some other techniques like adaptor signatures. I also read this transcript of a 2024 discussion, and one of the drawbacks seems to be that full-agg still has not been formally proven to be secure. The research paper from last month doesn't mention this though, perhaps this issue has already been solved.

The bitcoin developers mostly come from a research background and therefore will most likely not implement any blockchain-related changes unless there are studies that come out which prove it to be acceptably secure.

Has half-aggregation been proven to be secure though? (I'm not going to touch any papers with a 10-foot pole at this moment. :)) It could be considered some more if that's the case.

d5000
April 05, 2025, 05:35:23 PM
 #9

Quote from: NotATether
Has half-aggregation been proven to be secure though?
According to the discussion from 2024 linked above, yes, it is proven secure.

On the CISA research website I have found the following paragraph:

Quote from: CISA research
Mathematical security proof

While Schnorr signatures are provably secure just in the Random Oracle Model (ROM), half-agg requires both the ROM and the Algebraic Group Model (AGM). While this is probably not an issue in practice it would be great if AGM was not needed. For now, this just means that this would not be as conservative of an update as Schnorr signatures themselves.
See Half-agg.

In a document on Blockstream Research about half-agg I found more details about this:

Quote from: Blockstream Research
In 2021 Chalkias, Garillot, Kondi and Nikolaenko published a security proof in the random oracle model (ROM) that reduces the security of half-aggregation to the security of Schnorr signatures. Chen and Zhao were able to produce a tight proof in the ROM and algebraic group model in the following year.
See here.

The Chalkias et al. proof is published here and the Chen / Zhao proof can be found here.

cygan (OP)
April 06, 2025, 09:20:06 AM
Merited by NotATether (5), ABCbits (3)
 #10

after i posted the slides on how half-agg works here i would now like to present you the slides for the functionality of the full-agg
in this model, interactivity is the most important and all participants must take part in this procedure in order for the signature to be completed
as you can see from the last slide, the full-agg model should save a little more space and fees than the half-agg model


https://twitter.com/Bitcoin_Devs

NotATether
April 06, 2025, 09:33:08 AM
 #11

@cygan, these are nice graphics. Did you make them? These have to be placed somewhere, like on the Bitcoin Wiki for example.

So anyway, this means full-agg is basically condensing the R values in addition to the S values that are already aggregated from half-agg process.

It makes sense that it's not interactive because when you combine the R values then you lose track of people's keys & signatures.

cygan (OP)
April 07, 2025, 08:58:34 AM
 #12

Quote from: NotATether
@cygan, these are nice graphics. Did you make them? These have to be placed somewhere, like on the Bitcoin Wiki for example.


i did not create the graphics myself but obtained them (as indicated under the slides) from the following source :)
in any case, full-agg is more complex but also saves more on fees and space

mcdouglasx
April 07, 2025, 03:31:50 PM
 #13

Interesting, I wonder to what extent this could impact the transparency of individual transactions.

d5000
April 07, 2025, 08:58:43 PM
Merited by ABCbits (5)
 #14

Quote from: mcdouglasx
Interesting, I wonder to what extent this could impact the transparency of individual transactions.
The impact goes most likely in the other direction some may think. Because the connection between signatures and previous transactions to the participating UTXOs/addresses is not lost with this technique.

The problem is that not in all types of transactions the signatures can be aggregated via CISA. Thus, as the incentives should direct people into using it to save fees, eventually there will be very few non-CISA transactions left. And these would then be special cases like atomic swaps (a decentralized technique to exchange BTC to another coin) using adaptor signatures -- which is just a technique which was invented to improve privacy. Adaptor signature atomic swaps currently don't tell the chain analysis folks / authorities that an atomic swap has been made without additional data. But if those txes are the only non-CISA transactions, chain analysis companies could perhaps use this to isolate atomic swaps and mark them as medium/high risk.

Private atomic swaps is imo a very important technique which should not be sacrificed lightly.

On the other hand, as it was already posted here, you have a fee saving effect on CoinJoins, and this means that using CoinJoins will be cheaper in most cases than not using it. In theory this should also align the incentives that everybody uses CoinJoins, at least with half-agg which doesn't require interactivity. If really everybody used CoinJoins this would make Bitcoin almost as private as Monero. And that would of course be a big win - if this is the outcome, then the problem with atomic swap privacy is almost negligible because you would simply CoinJoin the previous/following transactions anyway.

The problem is that many users may still be scared of CoinJoins because they fear the coins being seized by some exchanges. And if these people are the large majority, privacy could be even lower than before CISA.

Doesn't some altcoin want to implement this first? Let's say LTC or Dash (as they're BTC-based and could simply use the draft BIP for half-agg)? This would perhaps show us the real life implications on privacy.
