From: Erik Aronesty
Date: Mon, 23 Feb 2026 11:08:17 -0800
Subject: Re: [bitcoindev] Algorithm Agility for Bitcoin to maintain security in the face of quantum and classic breaks in the signature algorithms
To: conduition
Cc: "garlonicon@gmail.com", Ethan Heilman, Jonas Nick, bitcoindev@googlegroups.com

> I'd be excited to learn about this as an option. Erik, could you please
> answer my previous questions about the viability of your linked protocol?
> I'm not questioning its quantum-resistance properties (yet). I'm wondering
> how it is possible to instantiate this scheme in a way that allows a wallet
> to actually use this commit/reveal scheme without knowing the final
> destination CTV templates (denoted T & E in the delving post) in advance of
> creating the phase 0 locking script.

I provided an example script that shows how it works: https://gist.github.com/earonesty/ea086aa995be1a860af093f93bd45bf2. you don't pin to the final destination in phase 0.

txhash is a partial-commitment, not over all fields. this gives the flexibility needed for the final spend, since you don't commit to it.

however someone has pointed out a fee-problem that CCV's value-aware composability can solve. coming around to thinking the ccv-based construction would be necessary. CCV is more powerful but requires much more care in policy and analysis. CTV is trivial, we could merge it tomorrow and hardly worry about surface area issues. TXHASH is only slightly more complicated. CCV has a much bigger burden of proof around implementation and node safety... but i think you could do many kinds of vaulting schemes with it alone.

> But in the case of hash-based signature (HBS) schemes, i disagree. HBS is
> already mature. Whatever cryptanalytic breakthroughs the future holds, we
> can be reasonably sure that SHA256 preimage resistance will hold for a long
> time, so HBS security will hold. Even today md4 and md5 preimage resistance
> still holds. Securing coins using hashes alone is the ideal fallback, and
> even if HBS is not the most efficient class of schemes, that doesn't matter
> so much if we don't use HBS as our primary everyday signature scheme. Its
> value lies in security, not efficiency.

When I mean "too soon", I'm including SPHINCS, not sure what

1. Earlier versions of the SPHINCS framework were found to be susceptible to fault attacks
2. Earlier "Tight" proof for v1 SPHINCS was flawed, leading to 60 bits of security, not 128

> If you're worried about stuff like how xpubs would work with HBS, we have
> solutions for that too, and they are mostly drop-in replacements for
> existing standards.

I thought "tweaking", in general, is lost in SPHINCS, as well as multiparty sigs. Be interested to see those solutions. But, regardless, 17kb sigs are... not compatible with a decentralized bitcoin, imo. Lattice-sigs are the only reasonable PQ way forward and they aren't ready yet.

