>>  You'd still need  BIP 360 P2MR (or P2TRD) since OP_TXHASH needs tapscript
>  false, covenant based multistep secret-reveal spending paths don't rely on signatures at all

P2TR has a public key baked into it via the key spend path. This key path spend bypasses any covenant or script constraints. The attacker does not need to see a value spend to break the key path spend. This means a quantum attacker can break the nums point in key spend path of the initial output and the AnchorPublishTx output and then just taking all the coins [0].

>  agreed. they have to spend resources to attack your private key and the only thing they can do is "grief" using a timing attack with the results, rather than steal outright.  a massive incentive difference.  

Ok, so a core assumption you are making here is that a CRQC isn't powerful enough for recovering signing keys to be effectively free. This is likely to be true at the early stages of CRQC, but this assumption may not hold forever. If ECC is mathematically broken via a classical attack this assumption might not hold at all. I'm attempting to address both quantum and classical breaks.

>  TX_HASH is simple and generally useful and there is no guarantee that q-day will even come

TX_HASH is great!

[0]: As originally noted here: https://delvingbitcoin.org/t/a-quantum-resistance-script-only-using-op-ctv-op-txhash-and-no-new-signatures/2168/4

On Tue, Feb 10, 2026 at 7:19 PM Erik Aronesty <erik@q32.com> wrote:


You'd still need  BIP 360 P2MR (or P2TRD) since OP_TXHASH needs tapscript, and the only available tapscript supporting output type, P2TR, isn't quantum safe.

false, covenant based multistep secret-reveal spending paths don't rely on signatures at all
 

I'm going to assume:
- you mean to use this commit-reveal for migrating between signature algorithms, not for everyday use,

it can be used if "q day" happens.  otherwise ignored.
 
- TXHASH is being used because you are waiting for the commitment to be confirmed on-chain rather than lifeboat's out-of-band commitment system

it's used so you can commit to a spending constraint without committing to the final "as yet to be determined" quantum-safe destination:  https://delvingbitcoin.org/t/a-quantum-resistance-script-only-using-op-ctv-op-txhash-and-no-new-signatures/2168
 
 
Once you post your commit-txn, but before it confirms, other parties can post competing commit-txns that double spend your output. If one of malicious transactions confirm, you must now wait for a timelock to expire and then try to post your transaction.

agreed. they have to spend resources to attack your private key and the only thing they can do is "grief" using a timing attack with the results, rather than steal outright.  a massive incentive difference.  
 
They can block you again. Each time they burn some of you coins in fees. Miners get the fees, so they might be incentivized to do this. Thus, we must trust miners not to do this. Lifeboat doesn't have this issue since it uses out-of-band commitments, but out-of-band commitments have their own issues.

each time you use the reset-path, they have to re-attack a new key.  very expensive just to grief a small amount of fees spread across all miners.   sounds like science-fiction levels of compute.  
 

plus.... TX_HASH is simple and generally useful and there is no guarantee that q-day will even come

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAEM%3Dy%2BUKMTfAi_PT04Bpr%2BvjB3CwLck0etwvaM8nzWazqf-1ig%40mail.gmail.com.