Seeking feedback on a simple secret-reveal scheme for a quantum-secure vault. There may be some missing details, but in general, this shows that covenant-protected vaults, with appropriate depth-locks are quantum-resistant. The whole idea involves a two-phase reveal: you must clear one tx to pin the destination and then you can inspect what's been mined, and then, based on that inspection, submit an escape or a final reveal. It uses linear-state as a more flawless quantum security and doesn't require new signature schemes or cryptography-libraries.

Assumptions:

OP_CHECKTEMPLATEVERIFY (OP_CTV) is available per BIP119.
OP_TXHASH / OP_CHECKTXHASHVERIFY is available per the current draft proposal, allowing scripts to hash and verify selected fields of the spending transaction
Relative timelocks exist (BIP68 / BIP112).
SHA256 preimage resistance holds, even if ECDSA/Schnorr signatures become forgeable.

Threat model:

An attacker may:

Forge signatures.
Intercept, delay, reorder, or fee-bump transactions.
Front-run in the mempool.
Exploit shallow reorgs.

An attacker may not:

Break SHA256 preimage resistance.
Violate miner-enforced OP_CTV semantics.
Violate miner-enforced OP_TXHASH semantics.
Violate relative timelock rules.
Rewrite deep chain history.

High-level idea:

This construction creates a multi-phase envelope that separates:

who can trigger execution from
where value is allowed to go.

Even if signatures are forgeable, funds can only move into a protected Anchor envelope, and from there only along template-bound paths.

Phase 0 funnels all value into a predetermined Anchor envelope (that commits to a secret-reveal scheme, but no destination, using TXHASH)
Phase 1 instantiates that envelope on-chain (attacker could do this... but why?)
Phase 2 either:
- reveals a one-time secret to complete a template-bound spend (because spender sees their good TX was mined), or
- uses an escape hatch without revealing the secret (because spender sees a bad TX was mined)

Phase 0 locking policy:

The Phase 0 UTXO enforces the following:

Anchor pinning: Any spend MUST create exactly one value-bearing output whose scriptPubKey equals P_anchor.
No value leakage: No other value-bearing outputs are permitted. Transaction fees are paid by reducing the Anchor output amount.
Fee bound: The Phase 0 script MUST enforce a bound on fee extraction, e.g.:

These conditions are enforced using OP_TXHASH, selecting and verifying:

the number of outputs,
the scriptPubKey of the Anchor output,
and sufficient value information to enforce the fee bound.

Phase 1: AnchorPublishTx

Properties:

Spends the Phase 0 UTXO.
Creates exactly one output: the Anchor UTXO, locked to P_anchor.

The Anchor envelope is now instantiated on-chain. An attacker may have triggered this spend... that's ok.

Anchor UTXO locking script shape

A Taproot script tree with two spending paths.

Path 1: Reveal spend (normal)

Conditions:

Relative depth gate The Anchor UTXO must have aged by at least k blocks (CSV).
Reveal check SHA256(x) == C.
Template enforcement The spending transaction MUST match template T via OP_CTV.

Path 2: Escape hatch

Conditions:

Template enforcement The spending transaction MUST match template E via OP_CTV.
No secret revealed The value x is not disclosed on this path.

The escape path may be immediately available or time-delayed

Phase 2: SpendAnchorTx

Reveal path witness: x plus any required non-cryptographic data.
Escape path witness: no x.

Security properties

Quantum signature safety Forged signatures do not enable theft. All value is confined to the Anchor envelope before any secret is revealed.
No redirect-after-reveal Once x is revealed, OP_CTV pins the outputs.
Observation is sufficient If an attacker publishes Phase 0 or Phase 1 spends, the Anchor script still contains a usable escape hatch.
Reorg resistance The relative timelock k mitigates shallow reorg games
Graceful degradation A quantum attacker can force execution or cause delay or fee grief , but cannot steal value.

Some more information and discussion is on delving bitcoin:

https://delvingbitcoin.org/t/a-quantum-resistance-script-only-using-op-ctv-op-txhash-and-no-new-signatures/2168/5