Thanks man! i'm glad to see the library is going to get some use 😃

A numeric DLC oracle publishes a set of nonces, one per digit, for some future price/time/asset-pair event. Then when that time rolls around in the future, it signs each digit of the price using one of those pre-announced nonces, plus the oracle's static signing key. I think @Vitor Pamplona 's approach here is to simply sign a price inside by virtue of its inclusion in a signed nostr event object.

I really like the NIP88 proposal you linked, i've done some work on it and the draft seems like it'd fit most people's needs. I'd be in favor of standardizing the oracle events (kind 88 and 89), but not the DLC offer/accept events (kind 8888, 30088). I think we should spend more time improving the performance and privacy of the dlc specs before standardizing those messages downstream in Nostr.

The oracle messages are important to get started on right away, because without a vibrant market full of trustworthy oracles, nobody is going to use DLCs. Walk before you run, right?

https://github.com/nostr-protocol/nips/pull/919

perhaps one day, my nostr client can fetch announcements for tomorrow's bitcoin price from 9 different oracles, and use it to create a multi-oracle DLC offer which anyone on the same relays can accept. But for now i'd be happy with simply having nostr as an oracle platform which other apps can build off.

I definitely agree, taproot approach is much better. I updated my post to point to yours. DASK is neat but I don't think we need to be that fancy, and your Taproot approach is more soft-fork friendly.

I do still think using a lighter-weight signature scheme like WOTS for certification would be better and more future proof than committing directly to SPHINCS right now.

If we do end up wanting to use SPHINCS in 20-30 years, it'd still be an option: Just enforce that the WOTS key must sign a SPHINCS pubkey, and verify everything else against the certified SPHINCS key. That would only add a kilobyte to the already-huge SPHINCS signature data.

Think of it this way: if you're correct and this is just an edgecase fallback opcode that only a few people ever end up using, then do we really want the huge kitchen-sink of bringing SPHINCS into the bitcoin consensus layer, just for it to be barely ever used?

On the other hand, if this PQ fallback opcode is used a LOT, then we stand to save a LOT of witness space by biding our time and seeing where the cards fall on the landscape of many-time post-quantum signatures, rather than committing to huge SPHINCS signatures today.

Hey @Matt Corallo, I can't reply on google groups but you should check out my article on hash-based signatures and my DASK proposal, it's very similar to your idea, in the way clients can opt into future quantum resistance without any consensus changes.

https://conduition.io/cryptography/quantum-hbs/#Upgrading-Bitcoin

I chose a different mechanism for my approach. Instead of an opcode in a tapscript leaf, DASK uses a PQ signature scheme pubkey as an secp256k1 secret key, and assumes future PQ bitcoin clients will validate against that PQ pubkey.

I think your proposal has a major benefit over mine in that it makes soft-fork compliance way easier. My DASK idea seems like it would need a hard fork on Q-Day, but yours would seem to be fully compatible with old clients. Big props 🎉

One idea from my post which I think you might want to consider copying is: Instead of committing to a SPHINCS key on-chain, commit to a hash-based certification key with shorter signatures, like WOTS.

Yes, it's a one-time signature scheme so we can't reuse the key, but we can be pretty sure than post-quantum cryptography will progress a long way in the coming decades, and we can use that one-time signature (which we are highly confident is secure today) to endorse a post-quantum key for a signature algorithm that might not exist yet, or that might exist today but that we don't know is secure, like Kyber.

Your opcode soft-fork would have to specify the exact validation semantics later, but the WOTS authentication key has already been committed to, so the coins are safe.

@waxwing I got the proving time for the PTLC/HTLC bridging (AKA discrete log is preimage) down to 20 seconds with RISC0. Fast enough to be viable in some real applications i think!

I'm polishing the code up now. Would you be interested in participating in a real-world PTLC/HTLC bridge test?

Article fixed, now I'm assuming transparent setup ZKPs only (e.g. STARKs). Thanks for pointing this out 😄

Great catch, thank you! Will fix this

ahah! I was sure someone must've thought of this idea before me, but I didn't have the right search terms. "ZKCP". This is great background reading, thank you @waxwing!

Interesting to learn that the SNARK setup is more sensitive than I had thought. I'll be sure to correct my article to reference the original idea and fix the flaw which I unwittingly duplicated.

As for performance, so far I've only tested the PTLC-bridging program here shown in this section: https://conduition.io/bitcoin/zkpreimage/#Optimizing

With that, it took 3 minutes to generate a proof with the RISC0 STARK prover. Not great but also not completely impractical. I'd like to test other prover programs too