pay to contract hash

[adiabat]

Pay to contract hash would be a great replacement for op_return here

Will detail it later (bug me if I don't :)

[adiabat]

The "taproot equation" I think was initially called "pay to contract hash" and I think made by @apoelstra. The equation is
Q = P + h(P, m)G
where P is a normal public key you created (and know the discrete log of), m is some message you want to commit to, G is the generator, and Q is a resulting public key.
You can sign with Q directly. If your private key for P was x, just compute
q = x + h(P, m)
and use little q to sign for big Q.

m can be some hash that would otherwise go into an op_return output. If you put m into your pubkey and send coins to that address, you can then prove that m has been committed to by providing P, m and I guess an SPV proof to the tx. The verifier computes Q = P + h(P, m)G and then checks that h(Q) = addr. This is a little bigger than a proof with op_return because you have to give P. But really, it's no bigger because they were going to have to download a public key hash anyway because there would be a change output in the tx, not just an op_return.

This is nice because it reduces the size of the transaction, and gives you a "stealth" commitment; without P, nobody knows that there's a commitment at all. If you want to put a bunch of proofs in every day or week or whatever, you can have a chain of 1-in 1-out txs, all with different addresses, but all sharing the same pubkey P. But that doesn't let you figure out what m is from just looking at the txs; m has to be provided to the verifier.

Note that you can do the same thing in the signature with the R point. So you get 2 commitments each transaction. It seems more complex to deal with signing code rather than pubkey / address code, but maybe not? I can't see any use for having both at the same time since 32 bytes should be enough for anybody :)