ZmnSCIPxj, I think you're missing the general point, so I'm just going to respond to one point to see if that helps your understanding of why OP_COSHV is better than just pre-signed.
The reason why MuSig and other distributed signing solutions are not acceptable for this case is they all require interaction for guarantee of payout. In contrast, I can use a OP_COSHV Taproot key to request a withdrawal from an exchange which some time later pays out to a lot of people, rather than having to withdraw multiple times and then pay. The exchange doesn't have to know this is what I did. They also don't have to tell me the exact inputs they'll spend to me or if I'm batched or not (batching largely incompatible with pre-signing unless anyprevout) The exchange can take my withdrawal request and aggregate it to other payees into a tree as well, without requiring permission from the recipients. They can also -- without my permission -- make the payment not directly into me, but into a payment channel between me and the exchange, allowing me to undo the withdrawal by routing money back to the exchange over lightning. The exchange can take some inbound payments to their hot wallet and move them into cold storage with pre-set spending paths. They don't need to use ephemeral keys (how was that entropy created?) nor do they need to bring on their cold storage keys to pre-sign the spending paths. None of this really works well with just pre-signing because you need to ask for permission first in order to do these operations, but with OP_COSHV you can, just as the payer without talking to anyone else, or just as the recipient commit your funds to a complex txn structure. Lastly, think about this in terms of DoS. You have a set of N users who request a payment. You build the tree, collect signatures, and then at the LAST step of building the tree, one user drops out. You restart, excluding that user. Then a different user drops. Meanwhile you've had to keep your funds locked up to guarantee those inputs for the txn when it finalizes. In contrast, once you receive the requests with OP_COSHV, there's nothing else to do. You just issue the transaction and move on. Does that make sense as to why a user would prefer this, even if there is an emulation with pre-signed txns?
_______________________________________________ bitcoin-dev mailing list firstname.lastname@example.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev