CISA: Cross-Input Signature Aggregation Explained

13 replies 169 views
nick.oracleFull Member
Posts: 111 · Reputation: 724
#1Dec 11, 2019, 02:21 PM
As Bitcoin keeps expanding, a lot of people in the network are curious about what changes could come next to boost scalability, efficiency, and privacy. Cross-Input Signature Aggregation (CISA) is a method that tries to merge several signatures from a transaction or even different transactions into one single signature. This is made possible thanks to the linear nature of schnorr signatures, which are part of Bitcoin since the taproot upgrade back in 2021. Now, CISA is different from multi-signature setups, which can be a bit confusing. Unlike multi-signature methods like musig or frost that focus on combining multiple keys, CISA is all about merging signatures made by different keys for different messages. So basically, it allows for signatures from various inputs of a transaction or even from multiple transactions to be combined, helping save space in Bitcoin blocks and cut down on costs, making everything more efficient. If you wanna dig deeper into the CISA upgrade, check out their official site.
3 Reply Quote Share
hash_bossLegendary
Posts: 1166 · Reputation: 5261
#2Dec 12, 2019, 10:05 AM
The potential reduction on transaction size seems to be very promising, especially when we consider resistance to increase blocksize and relative low usage of LN and other off-chain approach. While their website only mention space/fee saving on transaction-level, i wonder how much exactly space/fee could be saved when we combine transaction-level aggregation and block-level aggregation. Although i doubt many wallet or cryptocurrency services would bother support full-agg since it's interactive and require more code change on their side.
2 Reply Quote Share
nick.oracleFull Member
Posts: 111 · Reputation: 724
#3Dec 12, 2019, 02:41 PM
cisa consists of the following two models: half aggfull agg the following slides describe very well how the non-interactive model 'half agg' works based on the average values of the blocks 833000 - 886000 this model would save about 19% in space and almost 7% in fees https://twitter.com/Bitcoin_Devs
1 Reply Quote Share
atlas_2015Senior Member
Posts: 151 · Reputation: 999
#4Dec 12, 2019, 08:40 PM
One thing to note is that CISA does not directly improve privacy, but it makes coinjoin transactions cheaper than regular Bitcoin transactions. This shifts the incentives so that users will save money from the process of gaining privacy.
0 Reply Quote Share
falcon_diamondFull Member
Posts: 113 · Reputation: 406
#5Dec 13, 2019, 12:53 AM
I recently heard an update about CISA in an italian podcast that flagged this paper: That happened to be on the website you linked in the OP. Adding this thread to my "container" A Look at Innovation in Bitcoin’s Technology Stack [complete with references]
1 Reply Quote Share
LuckyCoinLegendary
Posts: 832 · Reputation: 4795
#6Dec 13, 2019, 04:42 AM
A big win for privacy of this goes through, assuming that inputs aggregated this way cannot be reverse engineered (I did not read the research paper). I has always been a big fan of aggression, believing this is the way forward if we want to see scalability within the Bitcoin layer 1. And now it's finally here, albeit in alpha form.
0 Reply Quote Share
chris.altHero Member
Posts: 458 · Reputation: 2287
#7Dec 13, 2019, 09:19 AM
Very interesting stuff. Above all the implications for CoinJoins, but also for the notorious exchange consolidation transactions seem to be huge. However, it seems quite far away still. There's only a draft BIP for half-aggregation (here). I read the research paper and one of the problems is that CISA could even reduce the privacy of some other techniques like adaptor signatures. I also read this transcript of a 2024 discussion, and one of the drawbacks seems to be that full-agg still has not formally proven to be secure. The research paper from last month doesn't mention this though, perhaps this issue has been already solved. There's also the interactivity requirement for full-agg which seems like a major issue for CoinJoins, but not for consolidations and other txes made by single entities. Half-agg hasn't this problem. But for those who like to read about Layer 2's there seems to be a quite interesting and recent development: a new layer 2 idea called Shielded CSV (still didn't read the paper, may be a topic for a new thread). Lightning can also benefit from it even before a consensus change. Optech site for those wanting to delve deeper: https://bitcoinops.org/en/topics/cross-input-signature-aggregation/
2 Reply Quote Share
LuckyCoinLegendary
Posts: 832 · Reputation: 4795
#8Dec 13, 2019, 10:19 AM
The bitcoin developers mostly come from a research background and therefore will most likely not implement any blockchain-related changes unless there are studies that come out which prove it to be acceptably secure. Has half-aggregation been proven to be secure though? (I'm not going to touch any papers with a 10-foot pole at this moment. ) It could be considered some more if that's the case.
4 Reply Quote Share
chris.altHero Member
Posts: 458 · Reputation: 2287
#9Dec 13, 2019, 01:41 PM
According to the discussion from 2024 linked above, yes, it is proven secure. On the CISA research website I have found the following paragraph: See Half-agg. In a document on Blockstream Research about half-agg I found more details about this: See here. The Chalikas et al. proof is published here and the Chen / Zhao proof can be found here.
0 Reply Quote Share
nick.oracleFull Member
Posts: 111 · Reputation: 724
#10Dec 13, 2019, 03:33 PM
after i posted the slides on how a half-ag works here i would now like to present you the slides for the functionality of the full-agg in this model, interactivity is the most important and all participants must take part in this procedure in order for the signature to be completed as you can see from the last slide, the full-agg model should save a little more space and fees than the half-agg model https://twitter.com/Bitcoin_Devs
4 Reply Quote Share
LuckyCoinLegendary
Posts: 832 · Reputation: 4795
#11Dec 13, 2019, 05:43 PM
@cygan, these are nice graphics. Did you make them? These have to be placed somewhere, like on the Bitcoin Wiki for example. So anyway, this means full-agg is basically condensing the R values in addition to the S values that are already aggregated from half-agg process. It makes sense that its not interactive because when you combine the R values then you lose track of people's keys & signatures.
4 Reply Quote Share
nick.oracleFull Member
Posts: 111 · Reputation: 724
#12Dec 14, 2019, 05:21 AM
i did not create the graphics myself but obtained them (as indicated under the slides) from the following source in any case, full-agg is more complex but also saves more on fees and space
4 Reply Quote Share
sage_moonSenior Member
Posts: 273 · Reputation: 1371
#13Dec 14, 2019, 03:40 PM
Interesting, I wonder to what extent this could impact the transparency of individual transactions.
4 Reply Quote Share
chris.altHero Member
Posts: 458 · Reputation: 2287
#14Dec 14, 2019, 04:27 PM
The impact goes most likely in the other direction some may think. Because the connection between signatures and previous transactions to the participating UTXOs/addresses is not lost with this technique. The problem is that not in all types of transactions the signatures can be aggregated via CISA. Thus, as the incentives should direct people into using it to save fees, eventually there will be very few non-CISA transactions left. And these would then be special cases like atomic swaps (a decentralized technique to exchange BTC to another coin) using adaptor signatures -- which is just a technique which was invented to improve privacy. Adaptor signature atomic swaps currenty don't tell the chain analysis folks / authorities that an atomic swap has been made without additional data. But if those txes are the only non-CISA transactions, chain analysis companies could perhaps use this to isolate atomic swaps and mark them as medium/high risk. Private atomic swaps is imo a very important technique which should not be sacrificed lightly. On the other hand, as it was already posted here, you have a fee saving effect on CoinJoins, and this means that using CoinJoins will be cheaper in most cases than not using it. In theory this should also align the incentives that everybody uses CoinJoins, at least with half-agg which doesn't require interactivity. If really everybody used CoinJoins this would make Bitcoin almost as private as Monero. And that would of course be a big win - if this is the outcome, then the problem with atomic swap privacy is almost negiglible because you would simply CoinJoin the previous/following transactions anyway. The problem is that many users may still be scared of CoinJoins because they fear the coins being seized by some exchanges. And if these people are the large majority, privacy could be even lower than before CISA. Doesn't want some altcoin implement this first? Let's say LTC or Dash (as they're BTC-based and could simply use the draft BIP for half-agg)? This would perhaps show us the real life implications on privacy.
1 Reply Quote Share

Related topics