From: Erik Aronesty
Date: Wed, 28 Jan 2026 10:36:31 -0800
Subject: [bitcoindev] SImple quantum security, at the expense of slower tx time
To: Bitcoin Development Mailing List

Seeking feedback on a simple secret-reveal scheme for a quantum-secure vault. There may be some missing details, but in general, this shows that covenant-protected vaults, with appropriate depth-locks are quantum-resistant. The whole idea involves a two-phase reveal: you must clear one tx to pin the destination and then you can inspect what's been mined, and then, based on that inspection, submit an escape or a final reveal. It uses linear-state as a more flawless quantum security and doesn't require new signature schemes or cryptography-libraries.

Assumptions:

- OP_CHECKTEMPLATEVERIFY (OP_CTV) is available per BIP119.
- OP_TXHASH / OP_CHECKTXHASHVERIFY is available per the current draft proposal, allowing scripts to hash and verify selected fields of the *spending transaction*.
- Relative timelocks exist (BIP68 / BIP112).
- SHA256 preimage resistance holds, even if ECDSA/Schnorr signatures become forgeable.

------------------------------

Threat model:

An attacker may:

- Forge signatures.
- Intercept, delay, reorder, or fee-bump transactions.
- Front-run in the mempool.
- Exploit shallow reorgs.

An attacker may not:

- Break SHA256 preimage resistance.
- Violate miner-enforced OP_CTV semantics.
- Violate miner-enforced OP_TXHASH semantics.
- Violate relative timelock rules.
- Rewrite deep chain history.

------------------------------

High-level idea:

This construction creates a multi-phase envelope that separates:

- *who can trigger execution* from
- *where value is allowed to go*.

Even if signatures are forgeable, funds can only move into a protected Anchor envelope, and from there only along template-bound paths.

- Phase 0 funnels all value into a predetermined Anchor envelope (that commits to a secret-reveal scheme, but no destination, using TXHASH)
- Phase 1 instantiates that envelope on-chain (attacker could do this... but why?)
- Phase 2 either:
  - reveals a one-time secret to complete a template-bound spend (because spender sees their good TX was mined), or
  - uses an escape hatch without revealing the secret (because spender sees a bad TX was mined)

Phase 0 locking policy:

The Phase 0 UTXO enforces the following:

1. Anchor pinning: Any spend MUST create exactly one value-bearing output whose scriptPubKey equals P_anchor.
2. No value leakage: No other value-bearing outputs are permitted. Transaction fees are paid by reducing the Anchor output amount.
3. Fee bound: The Phase 0 script MUST enforce a bound on fee extraction, e.g.:

These conditions are enforced using OP_TXHASH, selecting and verifying:

- the number of outputs,
- the scriptPubKey of the Anchor output,
- and sufficient value information to enforce the fee bound.

Phase 1: AnchorPublishTx

Properties:

- Spends the Phase 0 UTXO.
- Creates exactly one output: the Anchor UTXO, locked to P_anchor.

The Anchor envelope is now instantiated on-chain. An attacker may have triggered this spend... that's ok.

------------------------------

Anchor UTXO locking script shape

A Taproot script tree with two spending paths.

Path 1: Reveal spend (normal)

Conditions:

1. Relative depth gate
   The Anchor UTXO must have aged by at least k blocks (CSV).
2. Reveal check
   SHA256(x) == C.
3. Template enforcement
   The spending transaction MUST match template T via OP_CTV.

------------------------------

Path 2: Escape hatch

Conditions:

1. Template enforcement
   The spending transaction MUST match template E via OP_CTV.
2. No secret revealed
   The value x is not disclosed on this path.

The escape path may be immediately available or time-delayed.

------------------------------

Phase 2: SpendAnchorTx

- Reveal path witness: x plus any required non-cryptographic data.
- Escape path witness: no x.

------------------------------

Security properties

- Quantum signature safety
  Forged signatures do not enable theft. All value is confined to the Anchor envelope before any secret is revealed.
- No redirect-after-reveal
  Once x is revealed, OP_CTV pins the outputs.
- Observation is sufficient
  If an attacker publishes Phase 0 or Phase 1 spends, the Anchor script still contains a usable escape hatch.
- Reorg resistance
  The relative timelock k mitigates shallow reorg games.
- Graceful degradation
  A quantum attacker can force execution or cause delay or fee grief, but cannot steal value.

Some more information and discussion is on delving bitcoin:

https://delvingbitcoin.org/t/a-quantum-resistance-script-only-using-op-ctv-op-txhash-and-no-new-signatures/2168/5
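The two Anchor spending paths described in the message above, as an added example that is not part of the original post or of any proposal's reference code. It models the reveal path (CSV depth k, SHA256(x) == C, template T) and the escape path (template E, no x) with no signature check at all, matching the threat model's forgeable signatures. Assumptions: `template_hash` is a simplified stand-in for the OP_CTV template hash and not the BIP119 serialization, the escape path is modelled as immediately available, the names `AnchorScript`, `allows` and `demo` are hypothetical, and all sample values are constructed.

```python
import hashlib
from dataclasses import dataclass

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def template_hash(outputs) -> bytes:
    # Simplified stand-in for OP_CTV's template hash (NOT the BIP119
    # serialization): commits to the ordered (scriptPubKey, amount) outputs.
    h = hashlib.sha256(len(outputs).to_bytes(4, "little"))
    for spk, amount in outputs:
        h.update(amount.to_bytes(8, "little"))
        h.update(len(spk).to_bytes(2, "little") + spk)
    return h.digest()

@dataclass(frozen=True)
class AnchorScript:
    C: bytes  # commitment to the one-time secret, C = SHA256(x)
    T: bytes  # template hash of the reveal-path spend
    E: bytes  # template hash of the escape-path spend
    k: int    # relative depth gate in blocks (CSV)

    def allows(self, path, outputs, age, x=None) -> bool:
        # No signature is checked anywhere: signatures are assumed forgeable,
        # so anyone may attempt either path.
        if path == "reveal":
            return (age >= self.k
                    and x is not None and sha256(x) == self.C
                    and template_hash(outputs) == self.T)
        if path == "escape":  # modelled as immediately available
            return template_hash(outputs) == self.E
        return False

def demo():
    # Constructed sample values, for illustration only.
    x = b"constructed one-time secret"
    pay = [(b"\x51\x20" + b"\xaa" * 32, 99_000)]     # destination pinned by T
    rescue = [(b"\x51\x20" + b"\xbb" * 32, 99_000)]  # destination pinned by E
    theft = [(b"\x51\x20" + b"\xcc" * 32, 99_000)]   # attacker's destination
    a = AnchorScript(sha256(x), template_hash(pay), template_hash(rescue), k=6)
    return {
        "reveal_at_depth_k": a.allows("reveal", pay, age=6, x=x),
        "reveal_too_early": a.allows("reveal", pay, age=5, x=x),
        "reveal_wrong_secret": a.allows("reveal", pay, age=6, x=b"guess"),
        "redirect_after_reveal": a.allows("reveal", theft, age=6, x=x),
        "escape_without_x": a.allows("escape", rescue, age=0),
        "escape_redirected": a.allows("escape", theft, age=0),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The `redirect_after_reveal` case is the mempool front-run from the threat model: the attacker has seen x but the spend is still rejected because the outputs no longer hash to T.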