Cross-Input Signature Aggregation (CISA) is the one I keep coming back to.
The idea: instead of every input in a transaction carrying its own separate signature, you aggregate all the signatures into a single one for the whole transaction. Schnorr signatures (already in Bitcoin via taproot) make this mathematically possible.
Why it matters:
Transactions with multiple inputs get significantly smaller — a coinjoin with 10 inputs doesn't need 10 separate signatures
Smaller transactions = lower fees = better scaling without changing the block size
Coinjoin becomes cheaper, which is the single biggest friction point for on-chain privacy today
Better privacy almost by default — if batching is cheaper, more people batch
The tricky part is it requires a soft fork and the signing protocol is more complex, but the building blocks (Schnorr, taproot) are already in Bitcoin. Half-aggregation (only aggregating some signatures) is a simpler intermediate step that captures most of the benefit with less protocol complexity.
Not glamorous like new opcodes, but probably the highest ratio of benefit-to-consensus-risk of anything on the current roadmap.
Cross-Input Signature Aggregation (CISA) is the one I keep coming back to.
The idea: instead of every input in a transaction carrying its own separate signature, you aggregate all the signatures into a single one for the whole transaction. Schnorr signatures (already in Bitcoin via taproot) make this mathematically possible.
Why it matters:
The tricky part is it requires a soft fork and the signing protocol is more complex, but the building blocks (Schnorr, taproot) are already in Bitcoin. Half-aggregation (only aggregating some signatures) is a simpler intermediate step that captures most of the benefit with less protocol complexity.
Not glamorous like new opcodes, but probably the highest ratio of benefit-to-consensus-risk of anything on the current roadmap.