Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 0EF35FEE for ; Wed, 24 Jan 2018 15:38:16 +0000 (UTC) X-Greylist: delayed 06:09:48 by SQLgrey-1.7.6 Received: from juno.mpi-klsb.mpg.de (juno.mpi-klsb.mpg.de [139.19.86.40]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 56AC9EC for ; Wed, 24 Jan 2018 15:38:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mmci.uni-saarland.de; s=mail200803; h=Content-Transfer-Encoding:Mime-Version:Content-Type:References:In-Reply-To:Date:To:From:Subject:Message-ID; bh=tWBlhNu95ftPtICqtZS5rJvMbmK0fs2F5dNnHd35bX4=; b=c4VOnb4yb4eWN/jPn2nEIBv3U0r+wUQBiK0dHYLpAB23xLQY92CMZPxaAg/yJmJt3EduQnrQeLMoPpWARs4sX0s0n8ByQ6Z92BaICy957Hq3XoQkLrHFMdmFxotfzP4Iq+DMWLSoJqrObAwVyZWpcdKW8bqDF2Ygu7hiN2bPLuU=; Received: from srv-00-61.mpi-klsb.mpg.de ([139.19.86.26]:41320 helo=sam.mpi-klsb.mpg.de) by juno.mpi-klsb.mpg.de (envelope-from ) with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) id 1eeN7r-0004kY-N3 for bitcoin-dev@lists.linuxfoundation.org; Wed, 24 Jan 2018 16:38:13 +0100 Received: from mbpc48.cs.uni-saarland.de ([134.96.225.161]:57626) by sam.mpi-klsb.mpg.de (envelope-from ) with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) id 1eeN7r-0007NY-HL for bitcoin-dev@lists.linuxfoundation.org; Wed, 24 Jan 2018 16:38:11 +0100 Message-ID: <1516808291.4277.25.camel@mmci.uni-saarland.de> From: Tim Ruffing To: bitcoin-dev@lists.linuxfoundation.org Date: Wed, 24 Jan 2018 16:38:11 +0100 In-Reply-To: References: <20180123064419.GA1296@erisian.com.au> <20180123222229.GA3801@erisian.com.au> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.4 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-MPI-Local-Sender: true X-Spam-Status: No, score=-4.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] Taproot: Privacy preserving switchable scripting X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Jan 2018 15:38:16 -0000 On Wed, 2018-01-24 at 13:51 +0100, Natanael via bitcoin-dev wrote: > Sidenote: There's a risk here with interception, insertion of a new > commitment and getting the new transaction into the blockchain first. > However, I would suggest a mining policy here were two known > conflicting transactions with commitments are resolved such that the > one with the oldest commitment wins. How to address detection of > conflicting transactions with commitments older than confirmed > transactions isn't obvious. Some of these may be fully intentional by > the original owner, such as a regretted transaction. Okay, I think my proposal was wrong... This looks better (feel free to break again): 1. Commit (H(classic_pk, tx), tx) to the blockchain, wait until confirmed 2. Reveal classic_pk in the blockchain Then the tx in the first valid commitment wins. If the attacker intercepts classic_pk, it won't help him. He cannot create the first valid commitment, because it is created already. (The reason is that the decommitment is canonical now; for all commitments, the decommitment is just classic_pk.) By the way, maybe I'm stating the obvious but Taproot (or similar) is indeed very nice for outputs generated in the future: You can have a path for a classical signature scheme and a path for a quantum-secure scheme. Best, Tim