Rusty Russell's avatar
Rusty Russell rusty@rusty.ozlabs.org 9 months ago
It seems to me that you could prove a hardened derivation or a BIP-39 derivation. Unfortunately this reveals your secret key, so you need to either use a (quantum resistant!) ZKP, or a two-stage reveal: hash of the proof, what outputs you will spend, and an indication of what address you want to transfer the coins to, then after that is mined, you do the spend at put the derivation in the annex (or, for non-taproot, in an OP_RETURN).
↑ Parent

Replies (1)

Default avatar
targon targon@w11n.de 9 months ago
We could introduce a way to commit a PQ public key as a companion for a sec256k public key, without revealing the latter. A (later) soft fork could enforce that each sec256k signature must be paired with a PQ signature if such a commitment is there. Both the commitment as well the PQ signature could go into a newly introduced section of the blockchain (like the witness) and get discounted to be on par with sec256k signatures. This way the tx rate would not be negatively affected.