So have I got this right:
Given C_F, the “functional encryption”, and C_p, it allows anyone to create a signature for only the specified transaction for a given tweaked key.
So the flow is like:
- C_F and C_p are created by the owner of (m,M) and (p,P)
- m and p are deleted
- Then anyone could calculate a covenant output destination pubkey as a tweak of P + Hash(tx)
- They would know that the only way it can be signed over is by doing \sigma = C_F(C_p, Encrypt(M, TX)). Of course anyone could do that, but that’s no different than today; we know how to lock with additional conditions in Script.
The point being that this process is repeatable for any transaction, so it doesn’t require statically signing in advance, expecting certain outcomes.