On 15 Feb 2018 17:00, "Tim Ruffing via bitcoin-dev" <bitcoin-dev@lists.linuxfoundation.org> wrote:

> Consensus rules
> ===============
>
> A decommitment d = chal spends a UTXO with address H_addr(chal), if there exists a commitment c in the blockchain which references the UTXO and which is the first commitment (among all referencing the UTXO) in the blockchain such that
>
> 1. k = KDF(chal) correctly decrypts Dec(k, c) and
> 2. tx = Dec(k, c) is a valid transaction to spend UTXO
>
> The UTXO is spent as described by tx. Commitments never expire.

I addressed this partially before, and this is unfortunately incomplete.

Situation A: Regardless of expiration of commitments, we allow doubles. (Or no doubles allowed, but commitments expire.)

If I can block your transaction from confirming (censorship), then I can make my own commitment + transaction. The miners will see two commitments referencing the same UTXO, but can see only one transaction which matches a valid challenge and spends them, which is mine. You gained nothing from the commitment.

Situation B: We don't allow conflicting commitments, and they never expire.

I can now freeze everybody's funds trivially with invalid commitments, because you can't validate a commitment without seeing a valid transaction matching it, and exposing an uncommitted transaction breaks the security promise of commitments.

Any additional data in the commitment beyond the hash of the transaction is pointless, because the security properties are the same. You can't freeze a UTXO after only seeing a commitment, and for any two conflicting transactions you may observe, it does not matter at all whether one references UTXOs or not, since you already know both transactions' commitment ages anyway. Oldest would win no matter the additional data.

Commitments work when the network can't easily be censored for long enough to deploy the attack (at least for 2-3 blocks' worth of time). They fail when the attacker is capable of performing such an attack.

As I said previously, the only completely solid solution in all circumstances is a quantum-resistant zero-knowledge proof algorithm, or some equivalent method of proving knowledge of the key without revealing any data that enables a quantum attack.
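The quoted consensus rule and the "Situation B" objection above, simulated as an added example (not code from the thread or from any Bitcoin implementation). H_addr, KDF and Dec are left abstract in the proposal, so the instantiations here (SHA-256 address hash, SHA-256 KDF, a SHA-256 counter-mode keystream with an HMAC tag so that "correctly decrypts" is a checkable predicate) are assumptions, as are the transaction format and the validity check. The point it makes concrete is the one in the message: a validator admitting a commitment holds only `(utxo_ref, ciphertext)`, so a junk commitment is indistinguishable from a real one until the challenge is revealed. With conflicting commitments allowed, the rule as quoted still resolves the owner's spend (the junk commitment simply fails to decrypt); with conflicts forbidden, a junk commitment that lands first keeps the owner's commitment out of the chain and the decommitment resolves to nothing.

```python
import hashlib
import hmac
import json

# ---- Assumed instantiations of the proposal's abstract primitives ----

def H_addr(chal: bytes) -> str:
    """Address the decommitment pre-image maps to (assumed: SHA-256 with a domain tag)."""
    return hashlib.sha256(b"addr|" + chal).hexdigest()

def KDF(chal: bytes) -> bytes:
    """Symmetric key derived from the challenge (assumed: SHA-256 with a domain tag)."""
    return hashlib.sha256(b"kdf|" + chal).digest()

def _keystream(k: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(k + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def Enc(k: bytes, tx: dict) -> bytes:
    """Encrypt-then-MAC: XOR keystream over canonical JSON, then an HMAC tag."""
    pt = json.dumps(tx, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(k, len(pt))))
    return ct + hmac.new(k, ct, hashlib.sha256).digest()

def Dec(k: bytes, c: bytes):
    """Return the transaction, or None when k does not correctly decrypt c."""
    if len(c) < 32:
        return None
    ct, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(hmac.new(k, ct, hashlib.sha256).digest(), tag):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(k, len(ct))))
    try:
        return json.loads(pt)
    except ValueError:
        return None

def tx_is_valid(tx, utxo: str) -> bool:
    """Constructed validity check: the transaction must spend exactly this UTXO."""
    return isinstance(tx, dict) and tx.get("spend") == utxo and isinstance(tx.get("to"), str)

# ---- Validator side ----

def admit_commitment(chain: list, ref: str, c: bytes, allow_conflicts: bool) -> bool:
    """Decide whether to include (ref, c). Without the challenge nothing about c can be
    checked beyond its shape, so the only policy lever is whether conflicts are allowed."""
    if not allow_conflicts and any(r == ref for r, _ in chain):
        return False
    chain.append((ref, c))
    return True

def resolve_decommitment(chain: list, utxo: str, chal: bytes):
    """The quoted rule: the first commitment in chain order that references `utxo`,
    decrypts under KDF(chal) and yields a valid spend wins. Returns (index, tx) or None."""
    k = KDF(chal)
    for idx, (ref, c) in enumerate(chain):
        if ref != utxo:
            continue
        tx = Dec(k, c)
        if tx is not None and tx_is_valid(tx, utxo):
            return idx, tx
    return None

# ---- Scenario: a junk commitment referencing the UTXO lands before the owner's ----

def scenario(allow_conflicts: bool):
    chal = b"constructed-challenge-preimage"          # constructed sample secret
    utxo = H_addr(chal) + ":0"
    chain = []
    junk = hashlib.sha256(b"constructed junk").digest() * 3   # opaque bytes, no key behind them
    admit_commitment(chain, utxo, junk, allow_conflicts)
    honest_tx = {"spend": utxo, "to": "recipient-addr"}
    honest_admitted = admit_commitment(chain, utxo, Enc(KDF(chal), honest_tx), allow_conflicts)
    return honest_admitted, resolve_decommitment(chain, utxo, chal)

if __name__ == "__main__":
    print("conflicts allowed  :", scenario(True))    # honest commitment admitted, resolves at index 1
    print("conflicts forbidden:", scenario(False))   # honest commitment rejected, nothing resolves
```

Both runs use the same junk bytes, and `admit_commitment` treats them exactly like the real ciphertext, which is the message's observation that a commitment cannot be validated without the transaction it hides. The choice between the two policies is therefore a choice between tolerating duplicate commitments and letting anyone park an unresolvable commitment on a UTXO.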