Posted by Jonas Nick
Jul 7, 2025/10:40 UTC
The email discusses techniques for improving the signature schemes proposed for use within Bitcoin, in particular their size and verification cost. One suggested way to reduce signature size further is the "Target Sum Winternitz" scheme: the signer hashes the message together with some randomness, splits the hash into chunks, and checks whether the chunks sum to a predetermined target value; if they do not, the signer repeats the process with fresh randomness until the target sum is reached. The author notes, however, that this adds complexity to the signing process.
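As an added example (my own sketch, not code from Jonas Nick's post or from either construction it compares), the target-sum step in Python: the signer grinds a salt until the 4-bit chunks of SHA256(salt || message) sum to a fixed target, and a plain hash-chain one-time signature over those chunks shows why the fixed sum makes a separate checksum unnecessary. The chunk width, salt length, chain function and target value are illustrative choices, not parameters from the post.

```python
import hashlib
import os

# Illustrative parameters (my choices, not the post's): a 256-bit digest cut
# into 4-bit chunks gives 64 chunks in 0..15; the target is their expected sum.
CHUNK_BITS = 4
N_CHUNKS = 256 // CHUNK_BITS
W = 1 << CHUNK_BITS                      # hash-chain length
TARGET_SUM = N_CHUNKS * (W - 1) // 2     # 480

def chunks_of(digest):
    """Split a 32-byte digest into 4-bit chunks, high nibble first."""
    return [v for b in digest for v in (b >> 4, b & 0x0F)]

def encode(msg, salt):
    """Chunks of SHA256(salt || msg) if their sum hits TARGET_SUM, else None."""
    c = chunks_of(hashlib.sha256(salt + msg).digest())
    return c if sum(c) == TARGET_SUM else None

def find_encoding(msg, max_tries=100_000):
    """The signer's extra work: grind random salts until the sum matches."""
    for _ in range(max_tries):
        salt = os.urandom(16)
        c = encode(msg, salt)
        if c is not None:
            return salt, c
    raise RuntimeError("no target-sum encoding found")

def chain(x, steps):
    """Apply SHA256 'steps' times (a plain, untweaked chain for illustration)."""
    for _ in range(steps):
        x = hashlib.sha256(x).digest()
    return x

def keygen(seed):
    sk = [hashlib.sha256(seed + bytes([i])).digest() for i in range(N_CHUNKS)]
    return sk, [chain(s, W - 1) for s in sk]

def sign(sk, msg):
    salt, c = find_encoding(msg)
    return salt, [chain(s, ci) for s, ci in zip(sk, c)]

def verify(pk, msg, sig):
    salt, parts = sig
    c = encode(msg, salt)
    if c is None:   # off-target sum: reject. The fixed sum plays the role of the
        return False  # W-OTS checksum: a forger can only advance chains, which
    # raises the sum, so no other encoding with the same sum is reachable.
    return all(chain(p, W - 1 - ci) == q for p, ci, q in zip(parts, c, pk))
```

With these parameters the sum lands on the target roughly once per hundred salts, so the grinding cost is small here; narrower chunks or a larger target window change that trade-off.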
Furthermore, recent research promises a significant improvement in the verification cost of signatures, estimating a reduction of 20% to 40%. The author cautions, however, that the possible increase in Bitcoin Script size might negate these theoretical savings in practice.
The author then compares their own construction with the other one, highlighting two main advantages: notably smaller witness sizes (8kb versus 24kb) and a basis on W-OTS+ rather than W-OTS. The key distinction is that W-OTS+ relies only on the preimage resistance of the hash function rather than on its collision resistance. This matters because Bitcoin's security model already assumes that SHA256 is collision resistant. The author argues that, since relying on collision resistance therefore appears sufficient, a Winternitz variant that itself relies on collision resistance could offer advantages, particularly a smaller blockchain footprint.
Additionally, the email references the standardization of W-OTS+ as part of XMSS and mentions a subsequent secure variant. It concludes with a suggestion to explore an implementation based on a Winternitz variant that emphasizes collision resistance for potentially improved performance in blockchain applications. This discussion is part of a broader conversation within the "Bitcoin Development Mailing List," aiming to explore and implement advancements in Bitcoin's cryptographic mechanisms.