> > 12% embedding rate
> Where do you get that number from? 33% for embedding 256 bits in (P, R,
s) (but as per this discussion, according to me, at the cost of key
leakage). If we include the other bytes in a (taproot anyway) utxo that's
not much less, I guess 30% ish. I could try to guess but it'd be easier if
you told me :)
Thinking about it again: to publish data, you have to publish a
transaction! I guess the most economical, paying taproot to taproot, is
about 192 bytes with script path plus the posited extra 64 for the (R,s) in
the output, so yeah that'd be 32 out of 256, 12.5%. Isn't the figure a bit
different for key path though, because no control block? Well it hardly
matters, it's some small fraction in that range.
An interesting mechanical detail in this near-absurd scenario is that if
you wanted to repeatedly publish off the same (presumably a few multiples
of dust level) output, you couldn't also do the leak single key thing,
since you'd lose control to re-spend. So that'd place us in the "explicit
multisig" scenario that Greg mentioned, which I think would only make sense
with legacy script? Kind of a different scenario, also it would be really
weird to update legacy script to take into account a new "you must sign the
pubkeys" rule. Though I guess in this fictional scenario, it might happen
like that. If you did do it with legacy, you'd be publishing bare 2 of 2
multisig. If you did it with taproot due to how that works, the script is
not published until the output is spent, so I think that's outside what I
was considering ("data in utxo set"). (I guess you could also use something
like a hash lock which might be more efficient). So anyway if you wanted to
do this repeatedly and minimize cost, for whatever strange reason, you'd be
adding another 50-100 bytes each time bringing that % down to like 10% or
less.
But that all became way too hypothetical to even analyze properly :)
Anyway just to reemphasize I certainly wasn't advocating this sig-attaching
system, but it seems important to know what the result of it would be: we
would still not have changed the obvious reality that embedding data in
witness gives more space for data, and is more economical, and we would
only reduce by a big factor how much can be embedded in outputs (anything
from 8% to 15% embedding rate seems possible depending on the hypothetical
details), while having to screw up much of Bitcoin's functionality in the
process.
Cheers,
AdamISZ/waxwing
--
You received this message because you are subscribed to the Google Groups
"Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/bitcoindev/cf15c24e-18d0-4221-a3d4-4177c82a6381n%40googlegroups.com.
