Hi Pieter,
Thanks for the observations.
When I was saying there is a problem with the game theory,
it's that strikingly, any activation of the tripwire logic
would rely on a "flag" transaction being mined in the chain
for the network nodes starting to enforce at the block N or
N+1 or whatever the EC disabling threshold.
Any "flag" transaction can be itself re-orged out of the chain
to purely disable the effects of the EC disabling threshold,
therefore make it null and void as an effect. One might see
it as a competing race between a group of "sunsetting" users
and a (majority) coalition of miners in coordination with a
CRQC adversary, where the latter have an interest and the
hashrate capabilities to do a tx-withold [0].
In pure terms of satoshi fee denominated calculus, empirically
global miners have won an average of $20 B yearly. If we only
consider that P2PK are going to be frozen by the tripwire effect,
as for most of them it might be assumed they will never move to
a safer format, we talk already about 1.7 M of coins or as of
today valuation $107 B (the information is on the chain and can
be verified).
That's $107B can "burn" in revenue or income that a CRQC-enabled
miners coalition to constantly reorg-out the "flag" tx out of the
chain. In other terms, something like 5 years of income, and I
kindly do not count all the loss coins that are likely to amount
to a far bigger "tripwire" neutralization budget.
In the name of what a majority of miners will gracefully let on
the table an opportunity of massive income ?
Leveraging Shor the exploitation might be even done anonymously
as the mining process is done. Not even certainty, by who the
EC-protected coins could be covertly exfiltrated.
That's the most striking problem when you think about the math
with any "tripwire" approach, or even an "hourglass" one relying
on a "flag" transaction [1]. I'm ruling out "checkpoints" and
any other trust-the-dev approach, as that's even worst [2].
As you're introducing post is resounding, what the miners
are saying now, there are no guarantees on how they would use
their hashrate down the road, potentially 10 or 20 years from now.
Beyond, and to answer back your point, I still think you can
manage an escape hatch of the "tripwire" effect, it's all depends
how the script tripwire logic is implemented, but if you have
two OP_SUCCESS of different kinds before your EC CHECKSIG, you
can always have a "soft-fork" after the "tripwire" to return
true on the stack, with an EC or hashlock as a success (I agree
using undefined op_success in a script is not safe at all) [3].
Best,
Antoine
OTS hash: 4bc91d8dee1625f6e78b27c88bced8e405f25ef6d3d8fd59be8016db5b0fbe66
[0] See naumenkog's
https://www.bitmex.com/blog/txwithhold-smart-contracts[1] This is sad, as the "hourglass" depending how the parameters are chosen
was a more acceptable trade-off than pure sunsetting.
[2] Given the amounts at stake to sunset, as a group of developers you
would just paint yourself a target, there are more even funds at stake
that Satoshi herself / himself is assumed to have.
[3] There is no security proof in BIP341 on the unforgeability of the
NUMS point, if it binds in the ROM or whatever.