I see a couple of problems with this construction:
- the T and E must be known at creation time of Phase0 outputs which means that phase0 must contain outputs that can be consolidated to exactly match the T and E CTV output totals.
- this would only be quantum safe if secp256k1 were disabled (NUMS points are spendable by a quantum adversary)
- because of (1) the user cannot direct funds to a new quantum-safe address on withdrawal
I think a modified version of this using CCV instead of TXHASH could resolve issuse (1) and (3). CCV can enforce value flow and embed and extract the CTV reveal spend at spend time rather than creation time, and it can also be used to enforce the escape spend with value flexibility.
With CCV, this would look like a standard vault construct with the exception of the embedded hash and preimage for the reveal-spend.