Den 25 jan. 2018 00:22 skrev "Tim Ruffing via bitcoin-dev" <bitcoin-dev@lists.linuxfoundation.org>:

I think you misread my second proposal. The first step is not only to
publish the hash but to publish a *pair* consisting of the hash and the
transaction.

If the attacker changes the transaction on the wire, the user does not
care and will try again.

I guess I assumed you meant it otherwise because I didn't assume you intended a commitment to the full transaction just without the asymmetric key material. 

You could treat it the same way as in my suggestion, let it expire and prune it if the key material isn't published in time. 

However... A sufficiently powerful attacker can deploy as soon as he sees your published signature and key, delay its propagation to the miners, force expiration and then *still* repeat the attack with his own forgery. 

Honestly, as long as we need to allow any form of expiry + relying on publication of the vulnerable algorithms result for verification, I think the weakness will remain. 

No expiration hurts in multiple ways like via DoS, or by locking in potentially wrong (or straight up malicious) transactions.

---

There's one way out, I believe, which is quantum safe Zero-knowledge proofs. Currently STARK:s are one variant presumed quantum safe. It would be used to completely substitute the publication of the public key and signatures, and this way we don't even need two-step commitments. 

It does however likely require a hardfork to apply to old transactions. (I can imagine an extension block type softfork method, in which case old UTXO:s get locked on the mainchain to create equivalent valued extension block funds.)

Without practical ZKP,  and presuming no powerful QC attackers with the ability to control the network (basically NSA level attackers), I do think the Fawkes signature scheme is sufficient. Quantum attacks are likely to be very expensive anyway, for the foreseeable future.