On Thu, 2018-02-15 at 23:44 +0100, Natanael wrote:
> If your argument is that we publish the full transaction minus the
> public key and signatures, just committing to it, and then revealing
> that later (which means an attacker can't modify the transaction in
> advance in a way that produces a valid transaction);

Almost. Actually we reveal the entire transaction later. 

> 
> [...] while *NOT* allowing expiration makes it a trivial DoS target. 
> 
> Anybody can flood the miners with invalid transaction commitments. No
> miner can ever prune invalid commitments until a valid transaction is
> finalized which conflicts with the invalid commitments. You can't
> even rate limit it safely. 

Yes, that's certainly true. I mentioned that issue already. 

You can rate limit this: The only thing I see is that one can require
transaction fees even for commitments. That's super annoying, because
you need a second (PQ-)UTXO just to commit. But it's not impossible.

You can call this impractical and this may well be true. But what will
be most practical in the future depends on many parameters that are
totally unclear at the moment, e.g., the efficiency of zero-knowledge
proof systems. Who knows?

If you would like to use zero-knowledge proofs to recover a UTXO with
a P2PKH address, you need to prove in zero-knowledge that you know
some secret key x such that H(g^x)=addr. That seems plausible. But
P2PKH is by far the simplest example. For arbitrary scripts, this can 
become pretty complex and nasty, even if our proof systems and machines
are fast enough.

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
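The commit-then-reveal flow discussed in this thread, as an added toy model that is not code from the proposal or from either participant: a transaction is first announced only as a hash of the entire transaction, and the full transaction (public key and signatures included) is revealed later; a miner accepts the reveal only if it matches a commitment seen in an earlier block, so a modified transaction has no matching commitment. The class and function names, the JSON serialization used for hashing, the block-height bookkeeping, the sample transactions and the per-commitment fee used as the only throttle are all assumptions made for illustration.

```python
"""Toy commit-then-reveal mempool (added example, not the proposal's own code).

Assumptions for illustration: transactions are plain dicts serialized as
canonical JSON, block heights are a simple counter, and the only rate limit
modelled is a minimum fee attached to each commitment.
"""
import hashlib
import json


def commit(tx: dict) -> str:
    """Commitment to the *entire* transaction: SHA-256 over a canonical encoding."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()


class CommitRevealPool:
    """A miner's view of outstanding commitments and finalized transactions.

    Commitments never expire: a miner cannot tell an opaque junk commitment
    from a real one, so without a fee requirement the table grows unboundedly.
    """

    def __init__(self, min_commit_fee: int = 0):
        self.min_commit_fee = min_commit_fee
        self.commitments = {}   # commitment hash -> height at which it was seen
        self.spent = set()      # outpoints consumed by finalized transactions
        self.finalized = []     # revealed, accepted transactions in order
        self.height = 0

    def next_block(self) -> None:
        self.height += 1

    def add_commitment(self, h: str, fee: int = 0) -> bool:
        """Accept an opaque commitment if it carries the required fee (assumed)."""
        if fee < self.min_commit_fee:
            return False
        self.commitments.setdefault(h, self.height)
        return True

    def reveal(self, tx: dict) -> bool:
        """Accept a full transaction only if it was committed to in an earlier
        block and does not conflict with an already finalized transaction."""
        h = commit(tx)
        committed_at = self.commitments.get(h)
        if committed_at is None or committed_at >= self.height:
            return False        # never committed, or committed too late
        if any(outpoint in self.spent for outpoint in tx["inputs"]):
            return False        # conflicts with a finalized spend
        self.spent.update(tx["inputs"])
        self.finalized.append(tx)
        del self.commitments[h]  # this commitment is resolved
        return True


def demo() -> tuple:
    """Constructed scenario: Alice commits, then reveals; an attacker who sees the
    revealed public key and could forge the signature tries to redirect the output.
    Returns (attacker_reveal_accepted, honest_reveal_accepted)."""
    pool = CommitRevealPool()
    honest = {
        "inputs": ["utxo:0"],
        "outputs": [{"addr": "alice-dest", "value": 5}],
        "pubkey": "pk_alice",       # constructed placeholder, not a real key
        "sig": "sig_alice",         # constructed placeholder, not a real signature
    }
    pool.add_commitment(commit(honest))
    pool.next_block()
    # Modified transaction: different output, forged signature. Its hash was never
    # committed, so the miner rejects it regardless of signature validity.
    stolen = dict(honest, outputs=[{"addr": "mallory-dest", "value": 5}], sig="sig_forged")
    return pool.reveal(stolen), pool.reveal(honest)


def flood(n: int, min_commit_fee: int = 0, fee: int = 0) -> int:
    """Constructed flood of n junk commitments; returns how many the pool retains."""
    pool = CommitRevealPool(min_commit_fee=min_commit_fee)
    for i in range(n):
        pool.add_commitment(f"{i:064x}", fee=fee)
    return len(pool.commitments)


if __name__ == "__main__":
    print("attacker accepted, honest accepted:", demo())
    print("junk commitments retained without fees:", flood(1000))
    print("junk commitments retained with fee floor:", flood(1000, min_commit_fee=1))
```

`demo()` shows the binding property from the quoted paragraph: the attacker's reveal fails not because its signature is checked but because no earlier commitment matches it. `flood()` shows the DoS point: with `min_commit_fee=0` every junk commitment stays in the table forever, and nothing in `reveal` ever removes an entry whose transaction is never revealed; raising the fee floor is the only throttle this model offers, which is the "transaction fees even for commitments" option mentioned above.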