To be clear, whether "half aggregation needs a new output type or not" does not become clear in the draft BIP because it is out of scope. Half-aggregation has a few possible applications. The draft only specifies the cryptographic scheme.
The StackExchange post you link to argues that CISA requires a new output type. The same argument applies to half aggregating signatures across transaction inputs (CISHA, if you will). The only difference to "full aggregation" is that the transaction signature is a single half-aggregate signature instead of a 64-byte signature. You're right that it's possible to do batch verification of Taproot output key spends (Schnorr signatures) and script spends (key tweaks).