The Future of Bitcoin Privacy: Cross-Input Signature Aggregation. Bitcoin Tech Talk Issue #216

Privacy is something everyone talks about but few people actually take time to do properly. This is as true in life as it is in Bitcoin. Coinjoins are not a great user experience right now. Not only are the anonymity sets small, but the process itself takes a long time and costs money, which motivates people to not do it. Not enough people custody their own coins, and even fewer have the technical knowledge to actually coinjoin in one of the many protocols.

The problem, like with most privacy tech, is that it costs a non-negligible amount of time and money. This can be a problem in an increasingly authoritarian world that demands permission to do even the most basic things. Many places transmitting or handling money must comply with AML/KYC laws, which are a giant tax on these companies. CoinJoin isn’t quite that bad, but it’s still not easy and most people simply don’t bother with it.

Cross-input signature aggregation changes the equation. Currently multiple inputs require multiple signatures. Cross-input signature aggregation is combining these multiple signatures with Schnorr, or combined into a single signature. This may not sound like much at first, but think about what this means. Signatures are the biggest parts of a transaction, so reducing signatures means that the transaction becomes smaller. Not only do smaller transactions mean more transactions per block, but also mean less fees per transaction. A transaction with only 1 input will cost the same, a transaction with 2 inputs will get a significant savings, a transaction with more inputs gets even more savings on a per-input basis.

Practically speaking, this means that if there Alice wants to pay Bob and Carol wants to pay Dave, Alice and Carol can combine their respective transactions and pay less fees in total. This is somewhat true today by what’s called batching, but cross-input signature aggregation takes this to another level. Even if there are hundreds of inputs, only 1 signature is required, so the transactions get cheaper on a per-input basis the more inputs there are.

Now this is not possible until Segwit v2 at least, which would be the softfork after Taproot, but it’s a huge development. It makes coinjoin economically rational! Instead of paying for the privilege of better privacy, you would be saving money to get better privacy. This will be particularly true of exchanges, where a lot of these transactions take place. They will want to coinjoin exiting customer transactions with lots of other transactions to save money and the side-effect will be more privacy for the rest of that transaction!

In any case, there’s a lot of buzz around requiring more KYC, but this is one possible response at the protocol level that we might be coming towards.

Bitcoin

Brink is a new Bitcoin development funding organization led by John Newbery and Mike Schmidt. This is a different organization than Square and Chaincode which fund their own core developers. They instead give grants collected from various organizations like Kraken, HRF and Gemini to fund developers based on the evaluation of the coders’ potential. This is a new model and hopefully will provide an umbrella organization for devs that want to contribute to Core full-time and take care of the financial details of funding on the developers’ behalf.

There’s a pdf going around about Taproot’s supposed privacy deficiencies. The main argument is that this is going to be a new address type (specifically, Segwit v1, which will begin with a different prefix than Segwit v0) which will cause the anonymity sets at the beginning to be small. This is true, but that’s a very short-term way of looking at it. In the long run, when there are a lot more people using Segwit v1, Taproot will provide way more privacy. As stated above, similar things will probably be said about the features being discussed about Segwit v2, which may include cross-input signature aggregation.

ColdCard’s isolation bypass vulnerability has finally been disclosed. The vulnerability is related to the fact that the transactions being signed have no network information embedded within it. This is something I really wish would get addressed more soundly, as other coins pretty much copy Bitcoin’s signing algorithm and thus allow an attack vector in this regard. PSBT, for example, should include a network identifier to add additional checks on signatures.

Dmitri Petukhov has released a formal specification for miniscript. This is a great step to formal analysis of various scripts that can be written in miniscript. Miniscript is still very early, but wallets will be creating miniscript outputs in the future for more complicated unlocking conditions. These require more formal proofs of correctness and a specification, specifically in Alloy, will be a help in that direction.

Economics, Engineering, Etc.

James O’Beirne has published a letter to his friends and family making the case for Bitcoin. If you’re thinking about sending one of these, this is how you make an argument. The reason most people get interested is becauseit’s a great investment and has been for many years. The sound money stuff can come later.

Speaking of talking to friends and family, Dan Held has a taxonomy of altcoins and their marketing pitches. This is a good list of rebuttals to keep around given the crazy runups in altcoins the last few weeks. As usual, the influx of newbies brings back the same trollish concerns about Bitcoin and this is an article that will help in setting your altcoiner friends straight.

Croesus has an entertaining read on comparing Bitcoin with the American Frontier. This is a topic near and dear to my heart and one of the reasons why I wear my cowboy hat. We can expect the adoption of Bitcoin to be a lot like the conquering of the American frontier. There’s a lot of opportunity here, but also a lot of danger. Thankfully, civilization expands this way and this expansion into the metaphysical realm of Bitcoin couldn’t come at a better time.

Bitcoin Reserve has a post-mortem of sorts about DeFi. Much like ICOs of 2016-2018 and altcoins of 2013-2015, there are a ton of scams and a ton of lost value. The space suffers significantly from survivorship bias and the people that lose money don’t tend to stick around. As the article speculates, there’s likely to be a boom in Bitcoin as a lot of the disaffected DeFi people move to Bitcoin.

Bitcoin Maximalist has a good answer to the oft-asked question, “Is Bitcoin anonymous?” The answer is the unsatisfying “it’s actually pseudonymous” which this article explains with good analogies. As new people come in and ask about Bitcoin’s link to darknet markets and ransomware, this is a good answer to have on hand.

Sylvain Saurel shows you why trading Bitcoin on PayPal is probably not a good idea. PayPal’s lawyers are very influential and demand strict compliance, so they're fairly quick to the trigger on restricting or deleting accounts. Remember that PayPal put Bitcoin on the map in 2010 when they suspended the WikiLeaks PayPal account. As such, this is not a good match and probably an internal culture clash. Bitcoin tends to be libertarian and they do not like the kinds of restrictions PayPal is likely to place. Should anyone ask about using PayPal, send them to to a more trading-friendly service instead like lvl.co.

Looks like Facebook will launch some version of Libra in a couple of months. This is not unexpected as David Marcus (he, formerly of PayPal) is still there. It will be pegged to the dollar and it’s an interesting question whether this will replace Tether as the go-to stablecoin of choice for non-US residents who have trouble getting dollars or have to get them at a significant premium. Facebook, of course, has incredibly distribution and I think this has the potential to be way more influential than, say, WeChat.

Podcasts

My podcast this week was with senator-elect Cynthia Lummis. We talked about politics, why so much money has been pouring into it, the creepy use of analytics and of course, Bitcoin. I’ll be dropping a new podcast with Dr. Jason Fung on fasting this coming week.

I did the Bitcoin Matrix podcast on Thanksgiving and talked about COVID and Bitcoin with a bunch of other Bitcoiners.

Finally, I did Tone’s show where we talked about ETH’s Proof-of-stake transition, PlusToken and much more.

If you’re thankful, my books are a way to show your gratitude.

Fiat delenda est.