Nov 1 - Nov 2, 2025
Signature aggregation, which helps shrink transactions on Bitcoin, relies on the algebraic structure of elliptic-curve signatures and therefore does not carry over to post-quantum signatures, which are also much larger and so make the savings matter more. A proposed opcode, OP_CIV (OP_CHECKINPUTVERIFY), takes a different route: it lets a transaction input prove that it belongs with another input of the same transaction and ride on that input's signature, so no second signature is needed. The output script commits to parameters including the transaction ID and output index of the linked UTXO, the input index, and a nonce; this binds the two inputs together while, according to the proposal, also hardening against chain analysis that tries to establish common ownership of several unspent transaction outputs (UTXOs).
The scheme has practical problems. Wallets that generate many addresses have no link between their UTXOs, so those still need one signature each. Deterministic wallets also face a recovery problem: if every new address commits to all UTXOs the wallet already holds, the number of candidate scripts to reconstruct during recovery grows exponentially. Mitigations suggested in the thread include capping the number of OP_CIV scripts and including scripts for already-spent outputs in the search. Because the signing input uses SIGHASH_ALL, its signature commits to every input and output, so the linked input cannot be replayed in, stripped from, or altered within a different transaction; the design also does not require address reuse.
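To make the linkage concrete, here is an added toy model of the OP_CIV idea; it is not code from the proposal or the thread. Lamport one-time signatures stand in for a bulky post-quantum scheme (8 KiB signatures, 16 KiB public keys), the transaction encoding is a deliberate simplification rather than Bitcoin's serialization, and all names (`verify_tx`, `build_linked_spend`, the `("civ", outpoint)` script form) are hypothetical. It shows why a linked input needs no witness: the signature on input 0 is SIGHASH_ALL, so it already commits to input 1's outpoint, and the validator only has to check that the outpoint named by input 1's script is spent, and authorized, in the same transaction.

```python
import hashlib
import os
from dataclasses import dataclass

# Toy model of OP_CHECKINPUTVERIFY (OP_CIV). Lamport one-time signatures stand
# in for a post-quantum scheme; the transaction format is a simplification and
# NOT Bitcoin's serialization. Every signature here is SIGHASH_ALL.

def h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

# --- Lamport one-time signature: pk is 256 hash pairs, sig reveals 256 preimages ---
def lamport_keygen(rng=os.urandom):
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    d = int.from_bytes(h(msg), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes) -> list:
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig: list) -> bool:
    return len(sig) == 256 and all(
        h(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))

def pk_id(pk) -> bytes:                    # short commitment to a public key
    return h(b"".join(a + b for a, b in pk))

# --- Minimal transaction model (hypothetical, for illustration) ---
@dataclass
class TxOut:
    value: int
    script: tuple          # ("pk", pk_id) or ("civ", parent_outpoint)

@dataclass
class TxIn:
    outpoint: tuple        # (txid, vout) being spent
    witness: object = None # (pk, sig) for "pk" outputs; nothing for "civ"

@dataclass
class Tx:
    vin: list
    vout: list

    def sighash_all(self) -> bytes:
        # SIGHASH_ALL: commit to every input outpoint and every output, so the
        # one signature also pins the OP_CIV inputs that ride on it.
        body = b"".join(t + v.to_bytes(4, "big") for t, v in (i.outpoint for i in self.vin))
        body += b"".join(o.value.to_bytes(8, "big") + repr(o.script).encode() for o in self.vout)
        return h(body)

def verify_tx(tx: Tx, utxos: dict) -> bool:
    """Every input must be authorized: by its own signature, or (OP_CIV) by
    naming another input of this same transaction that is itself authorized."""
    index_of = {i.outpoint: n for n, i in enumerate(tx.vin)}
    msg = tx.sighash_all()
    done = {}

    def authorized(n, on_path):
        if n in done:
            return done[n]
        if n in on_path:               # civ cycle: nobody actually signed
            return False
        on_path.add(n)
        spent = utxos.get(tx.vin[n].outpoint)
        ok = False
        if spent is not None:
            kind, arg = spent.script
            if kind == "pk" and tx.vin[n].witness is not None:
                pk, sig = tx.vin[n].witness
                ok = pk_id(pk) == arg and lamport_verify(pk, msg, sig)
            elif kind == "civ":
                parent = index_of.get(arg)   # parent must be spent in this very tx
                ok = parent is not None and parent != n and authorized(parent, on_path)
        done[n] = ok
        return ok

    return len(tx.vin) > 0 and all(authorized(n, set()) for n in range(len(tx.vin)))

def witness_bytes(tx: Tx) -> int:
    """Bytes spent on public keys plus signatures; this is what OP_CIV saves."""
    return sum(sum(len(x) for p in pk for x in p) + sum(len(s) for s in sig)
               for pk, sig in (i.witness for i in tx.vin if i.witness is not None))

def build_linked_spend():
    """Constructed example: coin A is key-controlled; coin B's script commits
    to A's outpoint, so B is spendable only alongside A and needs no signature."""
    sk, pk = lamport_keygen()
    a_prev, b_prev = (b"\x11" * 32, 0), (b"\x22" * 32, 1)   # made-up outpoints
    utxos = {a_prev: TxOut(50, ("pk", pk_id(pk))),
             b_prev: TxOut(30, ("civ", a_prev))}
    tx = Tx([TxIn(a_prev), TxIn(b_prev)], [TxOut(79, ("pk", b"\xaa" * 32))])
    tx.vin[0].witness = (pk, lamport_sign(sk, tx.sighash_all()))  # the only signature
    return tx, utxos

if __name__ == "__main__":
    tx, utxos = build_linked_spend()
    print("linked spend valid:", verify_tx(tx, utxos), "witness bytes:", witness_bytes(tx))
    replay = Tx(tx.vin, [TxOut(79, ("pk", b"\xbb" * 32))])    # same sig, new output
    print("replay with other output valid:", verify_tx(replay, utxos))
    print("B spent without A valid:", verify_tx(Tx([tx.vin[1]], tx.vout), utxos))
```

Two inputs are authorized with one 24 KiB witness instead of two. Reusing that witness in a transaction with a different output fails because the SIGHASH_ALL digest changes, and spending B on its own fails because the outpoint its script names is not among the inputs. The cycle check in `authorized` matters: two OP_CIV outputs pointing at each other would otherwise validate with no signature at all.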
Beyond its primary aim of keeping post-quantum transactions small, OP_CIV may be useful in smart contracts and anywhere else a secure, cheap link between transaction inputs is wanted. The idea is still at the concept stage. It was introduced by Tadge in a talk at TABConf, which is available there, and was posted to the list to gather feedback and improvements.
Replies raise practical and privacy concerns with committing each scriptPubKey to previous outputs, particularly for the deterministic-backup wallets in common use today. An alternative framing concentrates on aggregating inputs that share an owner: prove that several UTXOs are controlled by the same pubkey and authorize all of them with a single signature. To keep address generation stateless, this variant would commit a taptree to a deterministic set of pubkeys, at the cost of a stronger common-owner heuristic that becomes provable on-chain and so weakens UTXO privacy.
Boris extends the stateless approach with a simple indexing trick: a sliding window of taproot leaves over a sequence of shared keys derived from a seed. The derivation rule is deterministic, backups stay simple, and signature aggregation can still reach older UTXOs without the wallet keeping any state. Across the thread the trade-off being weighed is the same: fee savings from shared signatures against added complexity and privacy loss, in a post-quantum setting.
Thread Summary (3 replies)
4 messages • 3 replies