P2TRH doesn't protect against short exposure attacks.
Matt Corallo's approach basically breaks the entire existing Taproot ecosystem because nobody is using PQC opcodes.
Anyway, I guess the alternative is to wait for the Binance cold wallet to get hacked and then everyone rushes to move their funds using private mempools that have limited capacity.
Either that or we wait until a perfect algorithm that does not yet exist gets FIPS-certified within the next 5 years.
Not sure what else to say other than I guess we just let perfect be the enemy of the good until it's too late.
Anyway, I'll keep working on this in the meantime until it's needed.
Thanks for all the support, guys.

On Wednesday, March 12, 2025 at 6:41:09 AM UTC-6 Jose Storopoli wrote:
I think that ECDSA was a mistake in Bitcoin (Schnorr patent expired in 2008; but I do understand its motives).
My fear is that this BIP will become a mistake in Bitcoin in 15 years or less.

It adds orders of magnitude to public keys sizes and/or signature sizes; and verification computation cost.
About the whole QR cryptography hype:
one thing is to do have key encapsulation QR schemes in symmetric-key cryptography where we don't have tight constrains around storage,
like with TLS, or E2EE messaging apps.
Another thing is to add these huge public key and signature schemes to a storage-restricted blockchain like Bitcoin.
QR lattice-based asymmetric-key cryptography is still in its infancy both in standards and research; and we should wait.

If we are worried about quantum menaces, a much better approach would be the P2TRH (Pay To Taproot Hash),
even with the loss of batch verification, combined with advising users to not re-use address.
Address reuse should be treated the same as nonce reuse: you get pwned!
Or Matt Corallo's emergency disable of key path spends in P2TR;

Jose Storopoli

On Monday, March 3, 2025 at 6:55:19 PM UTC-3 Hunter Beast wrote:
Hi, Jonas

In order to spend the coins, a valid signature will need to be present in the attestation. Even if it's a 1/1024 multisig, a valid public key signature pair will need to be provided. The merkle path would then be how the arbitrary data could be encoded. In my mind this is a highly impractical scenario that gets exponentially more complex, and only works 32 bytes at a time.

Does that make sense?

Hunter

On Wednesday, February 26, 2025 at 3:00:36 AM UTC-7 Jonas Nick wrote:
> it would require an extraordinary amount of computation to wind up with enough
> to store arbitrary data.

I have no idea why this would require extraordinary amount of computation. In
the example I provided, arbitrary data can be included in the attestation
structure with zero additional computational cost, no elliptic curve grinding or
hash collisions required.

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/ae919b55-cd35-40a1-95a3-96551eadec9an%40googlegroups.com.