On Thu, Jun 04, 2026 at 11:01:25AM +0000, Peter Todd wrote: > On Thu, May 28, 2026 at 10:25:51AM -0700, Murch wrote: > > One-time signature schemes are not well-suited for Bitcoin because they: > > - cannot be used to participate in multi-user transaction (as another > > participant could fail the process and force a second signature) > > - incur lost funds or lost keys upon address reuse (as every node would need > > to track every output script to prevent duplicates, and the recipient has no > > say in their output script being sent to another time) > > - are incompatible with transaction replacement (zero-conf enthusiasts > > rejoice!) > Note that you can design a message signing scheme where you can use a pubkey > to > sign a merkle tree of messages. In the case of a transaction, multiple > conflicting versions of the transaction with different fee rates.
There's a balance to be had between what's considered part of the message signing scheme versus what's part of the scripting language. The scheme above could also be thought of as signing a single message "spend this utxo is valid if this script's conditions are meant", where the script is "or(fee <= 0.5, and(nSequence >= 100, fee <= 1.0), and(nSequence >= 1000, fee <= 30.0))" Delegating to a signed script like this is essentially the "graftroot" concept. Cheers, aj -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/aiKAytZNfih0ABff%40erisian.com.au.
