Thank you for the question, Boris. That was an easy one: Short answer is Lamport hashes are protected by long hash of key fingerprint an ECC (Schnorr or otherwise conventional) public-key, which is not published until first transaction. For clarity: HL(.) = serial-work- and memory-*hard* hash with *short* digest (ex.: Argon2 with ~ 12 bytes output. "L" for "Lamport"); HC(.) = nonspecific representation of conventional, serial-work- and memory-*easy* hashes with *long* (brute-force-resistant) digest length. "C" for "Conventional"; KDF(.) = conventional key deriving function ECCPUB = public key correspondent to ECCPRI ECCPRI = KDF(seed, tag) //conventional BTC signing key (could be Schnorr instead) LAMPPUB = HL(LAMPPRIi) LAMPPRI = HL(seed, tag) //Though it is (more) feasible to crack a seed S that works as pre-image to LAMPRI, such seed can only be deemed valid if the public key correspondent to KDF(s) = ECCPUB, so ultimately, cracking seed is still as hard as cracking a conventional seed. ADDR = H(ECCPUB, LAMPPUB) //Conventional BTC key fingerprinting with conventionally used hashes and their respective brute-force-resistant digest lengths TX = plaintext transaction LSIG = HL(TX, LAMPPRI) COMMITMENT = Smart contract stating "This UTXO is frozen until one of the following happens: A) publishing of a L such that HL(TX,L) = LSIG before T2 in which case TX is deemed valid and executed, or B) T2 blocks from now, when miner of LSIG has gets F1+FF1, and the miner of COMMITMENT gets FC, both from UTXO" BL = "Bundle of Lamport scheme" = (TX, LSIG) BC = "Bundle of Commitment and Conventional Signing" = (COMMITMENT, ECCPRI(COMMITMENT), ECCPUB, LAMPPUB) //LAMPPUB is added here to allow easy verification that ECCPUB corresponds to ADDR BT = "Total Bundle" = (BL, BC) F1 = fee offered to mine BL FF1 = fine offered to miner of BL to compensate for delay FC = fee offered to mine BC in case of default T0 = Block height of broadcasting of BT T1 = Block height owner should aim at broadcasting LAMPPRI block ~ T0+1 to T0+6 blocks. This is to protect owner from dissensus (revealing LAMPPRI in a block and have it utilized to forge transaction in a competing block of same height). T2 = Block height of expiration of commitment ~ T0+24 hours to T0+ a few days to protect user from execution of commitment being triggered by innocent unavailability. From ADDR alone, Miners, cannot forge a valid LSIG, nor try to ascertain LAMPPUB or LAMPPRI, because of pre-image-resistance of H(.) and brute-force resistance of ECCPUB before being published. The saving happens because, safe from T2 passing without LAMPRI being broadcasted, only BL and LAMPPR, and not BC, end up in Blockchain. The proposed scheme, therefore allows for only 1 instance of Lamport schemed-based economic transaction, which has to be the first transaction of ADDR (because of publishing of ECCPUB). After this first transaction, ADDR is stil valid, just no longer able to issue transactions. The proposed scheme, therefore, favors the good practice of non-address reuse. YSVB Sent with Proton Mail secure email. On Tuesday, December 19th, 2023 at 1:45 AM, Nagaev Boris wrote: > On Mon, Dec 18, 2023 at 7:44 PM yurisvb@pm.me wrote: > > > I beg to disagree: key owner broadcasts first bundle (let's call it this way) so that it is on any miner's best interest to include said bundle on their's attempted coinbase because they know if they don't any other competing miner will in the next block. > > > What if an attacker broadcasts the first bundle? He spent a lot of > time cracking the hash which is the part of the address in the > proposed scheme. Then he cracked the second layer of hashing to have > both hashes ready. If the utxo has enough sats, the attack is > economically viable. > > > -- > Best regards, > Boris Nagaev