Re: [bitcoin-dev] OP_CAT Makes Bitcoin Quantum Secure [was CheckSigFromStack for Arithmetic Values]

2021-07-09 Thread Ethan Heilman via bitcoin-dev
> To implement Winternitz we need some kind of limited-repeat construct, which is not available in SCRIPT, but may be emulatable with enough `OP_IF` and sheer brute force. But what you gain in smaller signatures, you lose in a more complex and longer SCRIPT, and there are limits to SCRIPT size

Re: [bitcoin-dev] OP_CAT Makes Bitcoin Quantum Secure [was CheckSigFromStack for Arithmetic Values]

2021-07-09 Thread Jeremy via bitcoin-dev
I thought about this, but at the time of writing I couldn't come up with something I thought was substantially better. I spent a few more cycles thinking on it -- you can definitely do better. It's not clear how much better Winternitz might be, or if it would be secure in this context? Here's some

Re: [bitcoin-dev] OP_CAT Makes Bitcoin Quantum Secure [was CheckSigFromStack for Arithmetic Values]

2021-07-09 Thread ZmnSCPxj via bitcoin-dev
Good morning Ethan,
> > Yes, quite neat indeed, too bad Lamport signatures are so huge (a couple kilobytes)... blocksize increase cough
> Couldn't you significantly compress the signatures by using either Winternitz OTS or by using OP_CAT to build a merkle tree so that the full

Re: [bitcoin-dev] OP_CAT Makes Bitcoin Quantum Secure [was CheckSigFromStack for Arithmetic Values]

2021-07-09 Thread Ethan Heilman via bitcoin-dev
> Yes, quite neat indeed, too bad Lamport signatures are so huge (a couple kilobytes)... blocksize increase *cough*
Couldn't you significantly compress the signatures by using either Winternitz OTS or by using OP_CAT to build a merkle tree so that the full signature can be derived during script

Re: [bitcoin-dev] OP_CAT Makes Bitcoin Quantum Secure [was CheckSigFromStack for Arithmetic Values]

2021-07-08 Thread ZmnSCPxj via bitcoin-dev
Good morning Jeremy, Yes, quite neat indeed, too bad Lamport signatures are so huge (a couple kilobytes)... blocksize increase *cough* Since a quantum computer can derive the EC privkey from the EC pubkey and this scheme is resistant to that, I think you can use a single well-known EC

[bitcoin-dev] OP_CAT Makes Bitcoin Quantum Secure [was CheckSigFromStack for Arithmetic Values]

2021-07-06 Thread Jeremy via bitcoin-dev
Dear Bitcoin Devs, As mentioned previously, OP_CAT (or similar operation) can be used to make Bitcoin "quantum safe" by signing an EC signature. This should work in both Segwit V0 and Tapscript, although you have to use HASH160 for it to fit in Segwit V0. See [my