On Mon, Mar 7, 2022 at 7:06 PM ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:

But cross-input signature aggregation is a nice-to-have we want for Bitcoin, and, to me, cross-input sigagg is not much different from cross-input puzzle/solution compression.

Cross-input signature aggregation has a lot of headaches unless you're using BLS signatures, in which case you always aggregate everything all the time because it can be done after the fact noninteractively. In that case it makes sense to have a special aggregated signature which always comes with a transaction or block. But it might be a bit much to bundle both lisp and BLS support into one big glop.

 

For example you might have multiple HTLCs, with mostly the same code except for details like who the acceptor and offerrer are, exact hash, and timelock, and you could claim multiple HTLCs in a single tx and feed the details separately but the code for the HTLC is common to all of the HTLCs.
You do not even need to come from the same protocol if multiple protocols use the same code for implementing HTLC.

HTLCs, at least in Chia, have embarrassingly little code in them. Like, so little that there's almost nothing to compress.
 
This does not apply to current Bitcoin since we no longer accept a SCRIPT from the spender, we now have a witness stack.

My mental model of Bitcoin is to pretend that segwit was always there and the separation of different sections of data is a semantic quibble.
 
So this seems to be more like "do not write broken SCRIPTs"?

In general if people footgun that's their own fault. The resistance to covenants and capabilities in the past has largely been around what would happen if you had opt-out covenants which acted as riders and could monkey around in later spends which were none of their business. But if they're fully baked into the scriptpubkey then they're opted into by the recipient and there aren't any weird surprises.