Description
The Bitcoin stack can be at most 1000 elements, which poses a significant limitation on our ability to move data into the script. Using binary Lamport signatures would limit us to at most 1000 bits of data, which is too small to do much useful work. Using Winternitz (or even Lamport signatures with a larger base) lets us move more data into the script.
To do one round of the Miller loop we need at least 2 Fq12 elements, 1 E/Fq, and 2 E/Fq2 elements which is 30 Fq elements. This takes 30 * 254 = 7620 elements which means we probably need to use at least base 8.
Need to figure out, depending on how expensive the scripts are, what is the optimal trade-off between base size for the signatures and script size. Increasing script size necessitates a large base (exponential in the script length) but uses fewer rounds (linear in script length).
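The sizing question in the description above can be checked with a small Winternitz model. This is an added example, not code from the issue or from the project; it assumes one stack element per signature digit, reads "base 8" as 8-bit digits, ignores working stack space, and uses SHA-256 as a stand-in chain hash.

```python
import hashlib, math, os

def digits_needed(msg_bits, w):
    """(message digits, checksum digits) for Winternitz with w-bit digits."""
    n_msg = math.ceil(msg_bits / w)
    max_checksum = n_msg * (2**w - 1)          # every message digit equal to 0
    return n_msg, math.ceil(max_checksum.bit_length() / w)

def to_digits(value, w, count):
    """Split an integer into `count` digits of w bits, least significant first."""
    return [(value >> (w * i)) & (2**w - 1) for i in range(count)]

def chain(x, steps):
    """Apply the hash `steps` times (SHA-256 is an assumption of this example)."""
    for _ in range(steps):
        x = hashlib.sha256(x).digest()
    return x

def encode(msg_int, msg_bits, w):
    """Message digits followed by checksum digits. The checksum falls when any
    message digit rises, so a forger cannot only walk chains forward."""
    n_msg, n_chk = digits_needed(msg_bits, w)
    d = to_digits(msg_int, w, n_msg)
    return d + to_digits(sum((2**w - 1) - x for x in d), w, n_chk)

def keygen(msg_bits, w):
    sk = [os.urandom(32) for _ in range(sum(digits_needed(msg_bits, w)))]
    return sk, [chain(s, 2**w - 1) for s in sk]

def sign(sk, msg_int, msg_bits, w):
    # One 32-byte element per digit: this is what would occupy the stack.
    return [chain(s, d) for s, d in zip(sk, encode(msg_int, msg_bits, w))]

def verify(pk, sig, msg_int, msg_bits, w):
    # Verifier finishes each chain: up to 2**w - 1 hashes per digit in script.
    digits = encode(msg_int, msg_bits, w)
    return len(sig) == len(pk) and all(
        chain(s, (2**w - 1) - d) == p for s, d, p in zip(sig, digits, pk))

def smallest_w(msg_bits, limit=1000):
    """Smallest digit width whose signature fits in `limit` stack elements."""
    w = 1
    while sum(digits_needed(msg_bits, w)) > limit:
        w += 1
    return w

if __name__ == "__main__":
    for w in (1, 4, 7, 8):
        n_msg, n_chk = digits_needed(7620, w)
        print(f"w={w}: {n_msg + n_chk} elements, up to {2**w - 1} hashes per digit")
```

Under these assumptions 7-bit digits need 1092 elements and 8-bit digits need 956, so 8 bits is the first width that fits under 1000, at the cost of up to 255 hash steps per digit in the verifying script.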