(I addressed your comments before I had seen your second message,
I will reply to it separately)

Hi waxwing,

Thanks a lot for taking a look!

I have pushed a new commit addressing your comments to the branch:
https://github.com/fjahr/bips/pull/4/commits/fe13eb6bda6e40bb47207dff9a74ddfdf305ebe5

> Perhaps add a footnote warning, as per the paper, that these 2 checks
> are *not* equivalent to checking that the tuple (pubkey, message, R_2)
> is unique.

Sounds good to me. I have added such a footnote and point to the
section 4.2 of the paper for the attack explicitly.

> putting that "tripwire" in the test vectors seems very advisable,
> though (I admit my check of your generated test vectors was not
> thorough but I think it's not there yet?)

Right, these cases were not covered yet. I have added more test vectors
for Sign that should exercise the checks that were not covered yet.

> it seems a little strange to have a BIP that specifies the algo but
> not the consensus change at all? ... I guess this is mirroring BIP340
> vs BIP341?

Exactly, the split is intentional and mirrors BIP 340. Full-aggregation
(just like half-aggregation) is useful independently of how CISA could be
deployed and there are potentially several possible designs for the
consensus side that may be considered side by side. So I would like to
leave that to a separate proposal which I plan to publish soon as
well. But I have added a bit more to the motivation section to
make this more clear.

> I think the tendency to assume that this incentivization is real is a
> *little* misleading

I guess that's a fair point. I have reworded the sentence slightly to
say that full-aggregation can reduce the cost of privacy rather than
it creates an incentive for it. I hope you agree that's fair then.

> What I think would really be worth avoiding is : there's a folklore
> optimization for coding the use of DahLIAS in a single wallet that is
> not properly analyzed by the people here who know what they're talking
> about

Right, since there is no full analysis of this yet, the BIP cannot specify it as
an optimization. To avoid the folklore scenario I have added a
note to the rationale section that states that a single party
can simply run the protocol locally. I am referencing Jonas' message
from the ML and add that it would need additional security analysis. If
someone works on an analysis, I would be happy to incorporate it.

Best,
Fabian
On Tuesday, July 7th, 2026 at 9:49 PM, waxwing/ AdamISZ <ekaggata@gmail.com> wrote:
Hi Fabian,

Great! Thanks for the progress on this.

Can I suggest one addition: in the Sign algo, you have "Index lookup and uniqueness check: Find the unique index j in 0..u-1 such that pubnoncej[33:66] = cbytes(R2). Fail if no such index exists or if more than one such index exists." (and then the pubkey and message check after). Perhaps add a footnote warning, as per the paper, that these 2 checks are *not* equivalent to checking that the tuple (pubkey, message, R_2) is unique. I mean it's not technically needed but seems like a very good idea, since as per the paper there is an attack there, and it would not be an unanticipatable implementation footgun.

You have the checks in the reference.py implementation, obviously; but putting that "tripwire" in the test vectors seems very advisable, though (I admit my check of your generated test vectors was not thorough but I think it's not there yet?)

Second point goes from the ultra-specific to the ultra-general: I'm probably being dumb here, but it seems a little strange to have a BIP that specifies the algo but not the consensus change at all? Hmm, as I write this ... I guess this is mirroring BIP340 vs BIP341? That the former just formalizes the exact algo of the signature scheme and a later BIP specifies the latter? It is a bit different though; taproot was a whole new scripting scheme, this will just (I guess?) have basically a new OP_CODE (or rather, redefinition) or similar?

About motivation:

> CISA with full-aggregation can even create an economic incentive for privacy since using CoinJoin and PayJoin transactions can become cheaper than sending individual transactions.

It's a can of worms, since there are so many nuances, but I think the tendency to assume that this incentivization is real is a *little* misleading: CISA does *not* incentivize batching payments in a way that creates privacy; it only incentivizes consolidation and batching (amongst many spenders as well as for one spender). What is undeniable is that *if* you're doing a coinjoin of some flavor, you are incentivized to switch to CISA. Anyway, don't take this as a big criticism particularly, because *whatever* you write here will be arguable. My personal intuition is that CISA *does* aid privacy but more via second and third order effects than via first order. But, meh, not simple :)

I'd also like to repeat a request on the earlier discussion on this mailing list [1] on this topic:

(Quoting Jonas' answer to me here: )
>> The side note also raises this point: would it be a good idea to explicitly
>> write down ways in which the usage of the scheme/structure can, and cannot,
>> be optimised for the single-party case?
>
>This is a very interesting point, probably out of scope for the paper. A
>single-party signer, given secret keys xi, ..., xn for public keys X1, ..., Xn
>can draw r at random, compute R := r*G and then set s := r + c1*x1 + ... +
>cn*xn. So this would only require a single group multiplication.

.. but, I relegate this to a "comment" here, because I don't know if there is a written down "optimization for single signer" apart from what Jonas said there. If it doesn't exist, you can't put it in the BIP :) What I think would really be worth avoiding is : there's a folklore optimization for coding the use of DahLIAS in a single wallet that is not properly analyzed by the people here who know what they're talking about -- because, "minefield" etc etc.

Cheers,
waxwing/AdamISZ

[1] https://groups.google.com/g/bitcoindev/c/eothFkxAvK0/m/gfGZ8NxXEQAJ and surrounding conversation
On Monday, July 6, 2026 at 2:10:57 PM UTC-3 Fabian wrote:
Hi list,

I would like to share a BIP draft for full-aggregation of BIP 340
signatures, a standard for the DahLIAS interactive aggregate signature
scheme by Jonas Nick, Tim Ruffing, and Yannick Seurin:

Full-aggregation allows a group of signers to produce a single 64-byte
signature for a list of public key and message pairs in a two-round
signing protocol very similar to MuSig2/BIP327. The primary application
in Bitcoin would be CISA (cross-input signature aggregation).

The BIP draft text can be found here:

For inline comments, I have opened a mock pull request on my BIPs repo fork:

Feedback of any kind is much appreciated.

Best,
Fabian

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/2d582d3b-46b1-4ba4-b7fc-b223e9e26f88n%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/aWoAH3lQNC7QB9mtzNmgfyQObhMjux-Xm73KO4KD75filNkLZcDgeH6lnXI-6uyhGC7iR0OQCbUrEuUjQXxp7QuIOaEWMHaXGWvAOSpqX-Y%3D%40protonmail.com.