waxwing on Nostr: Interesting; I'm curious why you see value in specifically making some kind of ...
Interesting; I'm curious why you see value in specifically making some kind of commitment, in the case of already-exposed P2PK outputs. In our imagined example, if Satoshi is going to make a commitment, thus actively doing something on the network, why not just spend the P2PK into a new hash-covered output instead (to a p2pkh now or a QR output if it exists)? This has the advantage of not requiring messy new protocol rules, until later.
But one detail in your scheme: let's say we have a Satoshi output in P2PK U1 with pubkey P1. Satoshi can publish a merkle tree or similar with a tx TX1 that spends U1. Let's say, today. I think it's necessary to tease out what stops an attacker from doing the same with TX2 spending from U1, yesterday. If the attacker does *not yet* have a quantum ECDLP break, then we have defence from the transaction being signed (as long as we don't use txid as defined in bitcoin, as the hash - which doesn't include the witness! That could be an oops). The attacker can create TX2, but not sign it. Of course if the attacker *already* has the ECDLP break, then why wouldn't he just steal U1 right now, so *maybe* that's OK. But this is all extremely tricky.
Published at 2025-06-03 12:03:09

Event JSON
{
"id": "d5f2c4b90daa53daa00db8995e09f0ace33f0fbb23a2dbc9d272893f9ece64b2",
"pubkey": "675b84fe75e216ab947c7438ee519ca7775376ddf05dadfba6278bd012e1d728",
"created_at": 1748952189,
"kind": 1,
"tags": [
[
"e",
"e2b7dfd153b46225e52ed57b93c360051d69e5c3e5d6ca7215a32e98d5690156",
"",
"root"
],
[
"e",
"a6ef3d06ffb49f81c7ba5ccee3b33f383a3f12d285c3bf021d7c17c4811b618f"
],
[
"e",
"9e24715b09b616cdabab066f55b8a33ba7204ee32dad0d2980969781a245a3c1",
"",
"reply"
],
[
"p",
"675b84fe75e216ab947c7438ee519ca7775376ddf05dadfba6278bd012e1d728"
],
[
"p",
"46fcbe3065eaf1ae7811465924e48923363ff3f526bd6f73d7c184b16bd8ce4d"
]
],
"content": "Interesting; I'm curious why you see value in specifically making some kind of commitment, in case of already-exposed P2PK outputs. In our imagined example, if Satoshi is going to make a commitment, thus actively doing something on the network, why not just spend the P2PK into a new hash-covered output instead (to a p2pkh now or a QR output if it exists)? This has the advantage of not requiring messy new protocol rules, until later.\n\nBut one detail in your scheme: let's say we have a Satoshi output in P2PK U1 with pubkey P1. Satoshi can publish a merkle tree or similar with a tx TX1 that spends U1. Let's say, today. I think it's necessary to tease out what stops an attacker from doing the same with TX2 spending from U1, yesterday. If the attacker does *not yet* have a quantum ECDLP break, then we have defence from the transaction being signed (as long as we don't use txid as defined in bitcoin, as the hash - which doesn't include the witness! That could be an oops). The attacker can create TX2, but not sign it. Of course if the attacker *already* has the ECDLP break, then why wouldn't he just steal U1 right now, so *maybe* that's OK. But this is all extremely tricky.\n\n",
"sig": "cf4009cd81dcb3d958e06f33bcd8234645ac90ffe54abc75e0f560dc2d9eaa471393fe3825014020f75a97fda37b5426663c11e4ba87ccefbd2db3e395c7194a"
}
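The txid/wtxid detail raised in the note, as an added example that is not part of the original post and not waxwing's code. It serializes a transaction the way Bitcoin does (legacy format, and BIP144 witness format) and hashes it both ways: txid is the double-SHA256 of the serialization without marker, flag or witness, so for a native segwit input the witness signature is not covered; wtxid hashes the full witness serialization and is; for a legacy P2PK spend the signature sits in the scriptSig, which txid does cover. A commitment scheme of the kind discussed would want the hash that covers the signature. All keys, signatures, outpoints and scripts below are constructed placeholder bytes of plausible lengths, not valid signatures.

```python
import hashlib
from dataclasses import dataclass, field


def dsha256(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


@dataclass
class TxIn:
    prev_txid: bytes            # 32 bytes, internal (little-endian) byte order
    prev_index: int
    script_sig: bytes = b""
    sequence: int = 0xFFFFFFFF
    witness: list = field(default_factory=list)   # list of witness stack items


@dataclass
class TxOut:
    value: int                  # satoshis
    script_pubkey: bytes


@dataclass
class Tx:
    version: int
    vin: list
    vout: list
    locktime: int = 0

    def has_witness(self) -> bool:
        return any(i.witness for i in self.vin)

    def serialize(self, with_witness: bool) -> bytes:
        """Legacy serialization, or BIP144 serialization when with_witness and
        at least one input carries witness data."""
        use_wit = with_witness and self.has_witness()
        out = self.version.to_bytes(4, "little")
        if use_wit:
            out += b"\x00\x01"                      # marker + flag
        out += varint(len(self.vin))
        for i in self.vin:
            out += i.prev_txid + i.prev_index.to_bytes(4, "little")
            out += varint(len(i.script_sig)) + i.script_sig
            out += i.sequence.to_bytes(4, "little")
        out += varint(len(self.vout))
        for o in self.vout:
            out += o.value.to_bytes(8, "little")
            out += varint(len(o.script_pubkey)) + o.script_pubkey
        if use_wit:
            for i in self.vin:
                out += varint(len(i.witness))
                for item in i.witness:
                    out += varint(len(item)) + item
        out += self.locktime.to_bytes(4, "little")
        return out

    def txid(self) -> str:      # witness is NOT hashed
        return dsha256(self.serialize(False))[::-1].hex()

    def wtxid(self) -> str:     # witness IS hashed
        return dsha256(self.serialize(True))[::-1].hex()


def push(data: bytes) -> bytes:
    """Minimal script push for data up to 75 bytes (direct-length opcode)."""
    assert len(data) <= 75
    return bytes([len(data)]) + data


# Constructed placeholders: correct lengths only, not real keys or signatures.
FAKE_PUBKEY = b"\x02" + b"\x11" * 32                      # 33-byte compressed key
FAKE_SIG_A = b"\x30\x44" + b"\xaa" * 68 + b"\x01"         # DER-shaped sig + SIGHASH_ALL
FAKE_SIG_B = b"\x30\x44" + b"\xbb" * 68 + b"\x01"         # a different signature
PREV_TXID = bytes.fromhex("ab" * 32)                      # constructed outpoint
DEST_SPK = b"\x00\x14" + b"\x22" * 20                     # P2WPKH-shaped output script


def segwit_spend(sig: bytes) -> Tx:
    """Native segwit input: empty scriptSig, signature lives in the witness."""
    return Tx(2, [TxIn(PREV_TXID, 0, b"", 0xFFFFFFFF, [sig, FAKE_PUBKEY])],
              [TxOut(50_000, DEST_SPK)])


def legacy_p2pk_spend(sig: bytes) -> Tx:
    """Legacy P2PK input: scriptSig is just <sig>, no witness."""
    return Tx(2, [TxIn(PREV_TXID, 0, push(sig))], [TxOut(50_000, DEST_SPK)])


def witness_swap_changes() -> tuple:
    """Swap the witness signature: (txid unchanged?, wtxid unchanged?)"""
    a, b = segwit_spend(FAKE_SIG_A), segwit_spend(FAKE_SIG_B)
    return a.txid() == b.txid(), a.wtxid() == b.wtxid()      # (True, False)


def scriptsig_swap_changes() -> tuple:
    """Swap the scriptSig signature: (txid unchanged?, wtxid unchanged?)"""
    a, b = legacy_p2pk_spend(FAKE_SIG_A), legacy_p2pk_spend(FAKE_SIG_B)
    return a.txid() == b.txid(), a.wtxid() == b.wtxid()      # (False, False)


def no_witness_ids_equal() -> bool:
    """With no witness data the two serializations coincide, so txid == wtxid."""
    t = legacy_p2pk_spend(FAKE_SIG_A)
    return t.txid() == t.wtxid()


if __name__ == "__main__":
    print("segwit  (txid same, wtxid same):", witness_swap_changes())
    print("legacy  (txid same, wtxid same):", scriptsig_swap_changes())
    print("legacy  txid == wtxid:", no_witness_ids_equal())
```

The practical consequence for a commitment-to-a-spend scheme: if the committed object is the txid of a segwit-format spend, anyone able to build the unsigned transaction can compute the same commitment without holding the key, because the witness (and thus the signature) is outside the hash; committing to the wtxid, or directly to the full witness serialization, binds the commitment to an actual signature.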