On 2024-12-15 11:42, Matt Corallo wrote:
> wallets simply need to construct their taproot outputs to always contain a script-path alternative spending condition.

If wallets simply construct their regular or alternative spending conditions with a QC-secure commitment to a secret preimage, they can use the variation of Guy Fawkes signatures described by Tim Ruffing in the original 2018 thread about taproot[1] and expanded by him about a month later.[2] E.g., as a backup to your keypath spend, you include a scriptpath that is: <key> OP_CHECKSIGVERIFY OP_HASH256 <digest> OP_EQUAL.

This has the disadvantages of requiring a fork[3] in case QCs become a reality and delaying the spend of any taproot output after the QC crisis by 100 blocks or more---but the advantage of not requiring any specification work or consensus changes now (saving lazy people like me from having to learn anything about post-quantum cryptosystems).

-Dave

[1] https://gnusha.org/pi/bitcoindev/[email protected]/
[2] https://gnusha.org/pi/bitcoindev/[email protected]/
[3] Ruffing describes it as a hard fork, but it sounds to me like a soft fork. It would break pruned nodes that upgraded after the soft fork activated, though, requiring them to re-download and re-scan all blocks since the activation.
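As an added illustration (not code from Dave's message, Ruffing's posts, or any Bitcoin implementation), the following Python builds the backup hash-lock leaf described above, written with the standard OP_EQUAL opcode, and derives the BIP341 output key that commits to it. It assumes a single-leaf script tree, reuses a public BIP341 test-vector internal key as the leaf key, and uses a constructed preimage; the secp256k1 arithmetic is a minimal affine implementation for clarity, not production code.

```python
import hashlib

# secp256k1 parameters (public constants) and the opcodes used by the leaf
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
OP_CHECKSIGVERIFY, OP_HASH256, OP_EQUAL = 0xAD, 0xAA, 0x87
def sha256(b): return hashlib.sha256(b).digest()
def hash256(b): return sha256(sha256(b))        # exactly what OP_HASH256 computes
def tagged_hash(tag, msg):                      # BIP340 tagged hash
    t = sha256(tag.encode())
    return sha256(t + t + msg)
def ec_add(a, b):                               # affine addition, None = infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and a[1] != b[1]: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P
def ec_mul(k, pt):                              # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r
def lift_x(xb):                                 # x-only key -> curve point with even y
    x = int.from_bytes(xb, "big")
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)
    assert y * y % P == (x**3 + 7) % P, "x is not on the curve"
    return x, y if y % 2 == 0 else P - y
def leaf_script(xonly_key, digest):             # <key> CHECKSIGVERIFY HASH256 <digest> EQUAL
    return (bytes([32]) + xonly_key + bytes([OP_CHECKSIGVERIFY, OP_HASH256])
            + bytes([32]) + digest + bytes([OP_EQUAL]))
def tapleaf_hash(script):                       # BIP341 leaf hash, version 0xc0, len < 253
    return tagged_hash("TapLeaf", bytes([0xC0, len(script)]) + script)
def taproot_output_key(internal_xonly, script=None):
    # Q = P + H_TapTweak(P || merkle_root) * G; a single leaf is its own merkle root
    root = tapleaf_hash(script) if script else b""
    t = int.from_bytes(tagged_hash("TapTweak", internal_xonly + root), "big")
    assert t < N, "tweak out of range (astronomically unlikely)"
    return ec_add(lift_x(internal_xonly), ec_mul(t, G))[0].to_bytes(32, "big")

# Constructed sample: BIP341 test-vector internal key reused as the leaf key, made-up preimage
KEY = bytes.fromhex("d6889cb081036e0faefa3a35157ad71086b123b2b144b649798b494c300a961d")
PREIMAGE = b"constructed secret preimage - keep offline until the QC fork"
DIGEST = hash256(PREIMAGE)
OUTPUT_KEY = taproot_output_key(KEY, leaf_script(KEY, DIGEST))
```

Only DIGEST goes on chain inside the leaf; the wallet keeps PREIMAGE offline, and the output key commits to the leaf without revealing it until a script-path spend.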

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/0cc71aac9218942a1674fa25990c37a1%40dtrt.org.
