Published on: 2018-01-18T21:00:03+00:00
In a discussion about newer and more efficient pubkey types, Gregory Maxwell raises the question of whether these changes would make spending already existing outputs more efficient. He explains that the redemption instructions for existing outputs have already been set and don't incorporate these new features, so people are not forced to expose their funds to new cryptosystems whose security they may not trust. However, if a more efficient system were widely used and universally accepted, it might be plausible to include in a hardfork a consensus rule that lets someone spend scriptPubkey's matching specific templates as though they were an alternative template.The main limitation is that there is some risk of breaking the security assumptions of some complicated external protocol, but this concern can largely be addressed by ample communication in advance. Overall, people should be allowed to opt-in to systems and big changes like that, rather than having developers change what their outputs mean or open them up to new security risks on their behalf.When discussing newer and more efficient pubkey types, the question arises whether they will make the spending of already existing outputs more efficient. Unfortunately, the answer is no because the redemption instructions for existing outputs have already been set and don't incorporate these new features. However, this is good news as it means that no one is forced to expose their own funds to new cryptosystems whose security they may not trust.If sigagg is deployed, any cryptographic risk in it is borne by people who opted into using it. In the case where segwit-with-sigagg has been long deployed, widely used, and is more or less universally accepted as at least as good as an old P2PKH, it might be plausible to include in a hardfork a consensus rule that lets someone spend scriptPubkey's matching specific templates as though they were an alternative template.In other words, an idiomatic P2PKH or perhaps even a P2SH-multisig could be spent as though it used the analogous p2w-sigagg script. The main limitation is that there is some risk of breaking the security assumptions of some complicated external protocol, such as assuming that having a schnorr oracle for a key wouldn't let you spend coins connected to that key.However, this concern seems contrived, and it can largely be addressed by ample communication in advance. For instance, discouraging the creation of excessively fragile things like that, and finding out if any exist so they can be worked around. Overall, it appears that there are no other arguments missing from this discussion.
Updated on: 2023-08-01T22:29:53.403462+00:00