Hi Ethan,

Thanks for the thoughts. A few comments on the specifics follow.

> I prefer SLH_DSA because it is likely to be well supported outside of Bitcoin
> and Bitcoin can benefit from this ecosystem of support in the form of HSMs,
> hardware acceleration and software liberties.

I agree that reusing an already standardized scheme like SLH-DSA has the real
benefit of building on an existing ecosystem and allowing for faster deployment.
The downside is that SLH-DSA is less efficient for Bitcoin than alternative
hash-based signatures.

If this is not intended to be a short-term solution, efficiency considerations
(e.g., ~50% smaller signatures) likely outweigh the benefits of an established
ecosystem. While the Bitcoin space does have the ability to standardize new
efficient schemes and invest in software libraries and custom HSM support, the
verification resource constraints of the entire Bitcoin network are much harder
to influence. Those costs are therefore a more binding design constraint than
ecosystem support, which can be built up over time through focused effort.

> Q: Couldn’t you do this without BIP 360 by using Taproot instead and then
> disabling the taproot key spend path?
> A: Yes, however this would be confiscatory, since Taproot allows key spend
> path only outputs.

If Bitcoin disables Taproot key path spends before Q-day, then doing this via
Taproot instead of BIP 360 would be preferable. It would allow users to benefit
from Taproot's efficiency and privacy properties until key path spends are
disabled.

There's also an alternative that Matt Corallo mentioned to me recently which I
haven't seen discussed on the mailing list. We could define a new SegWit version
that is a copy of Taproot. The new version number simply signals that the owner
consents to a future deactivation of key path spends. Unlike BIP 360, this
approach would still require actually disabling the key path before Q-day, but
it is not confiscatory and allows using Taproot's benefits until then (with a
privacy hit from having two versions of Taproot in parallel).

--
You received this message because you are subscribed to the Google Groups "Bitcoin 
Development Mailing List" group.
To view this discussion visit 
https://groups.google.com/d/msgid/bitcoindev/ea3a12db-e3fd-44b2-a22c-b960ed7ec6d3%40gmail.com.
