As noted in the quote from me from the other thread, I think @jamesob’s vault design is superior from a user’s perspective than presigned vaults. However, it seems to me that users ought to be able to get most of the key benefits using presigned transactions. As such, I’ll play devil’s advocate here.
This is very useful for me to hear and is the type of information that would help change my mind on the desirability of adding vault-specific (or vault-motivated) opcodes.
What is the fundamental difference between an ephemeral key and an ephemeral nonce (the private form of a signature nonce)? If Alice accidentally leaks the private form of a signature nonce for one of her signed transactions, any funds she received to the corresponding key or a related key using public BIP32 derivation can be stolen (as long as those funds haven’t already been spent in a confirmed transaction).
It feels to me like ephemeral keys and ephemeral nonces are really closely related, so any argument that states ephemeral keys aren’t secure enough is an argument that neither ECDSA nor schnorr is secure enough, especially in the presence of address reuse.
I mention this is a clear advantage of consensus-enabled vaults, but now I’m not so sure. IIRC, in the OP_VAULT design, the most-secure-key can spend at any time without any time constraint, so why can’t all of the paths in a presigned transaction vault have a tapleaf that allows spending by the most-secure-key? That way, if something goes wrong, the most-secure-key can be used to recover and coins never become permanently burnt.
That said, I agree it’s still the case that address reuse breaks the vault workflow, so external users can’t be given vault address publicly, requiring an extra hop for any deposits. However, address reuse is also something that’s not generally guaranteed to work—people lose access to old keys from time to time—so the fact that it always doesn’t work for presigned transaction vaults just means we need to work harder on deploying system-wide solutions, such as wallet-enforced address expiry times.
I maintain my previous argument about secure ephemeral key generation being something we have extensive near-experience with. I don’t see a fundamental difference between the difficulty of securely handling ephemeral nonces each time a user spends to securely handling ephemeral keys each time a user needs to receive. I think this is basically a repeat of your first point.
I’m not sure CPFP needs to be used (can sighash flags be used?), but even if it does, presigned vault transactions may be able to have an efficiency advantage over OP_VAULT transactions by the presigned versions being able to use all keypath spends (with BIP68 sequence bits set), whereas OP_VAULT must use scriptpath spends (unless the most-secure-key is used). I think the vbytes difference probably favors the OP_VAULT version there (unless a deep taproot path is used), but I think it makes the comparison less clear cut.
Additionally, I think ephemeral anchors, if deployed, will eliminate the need to use a statically-defined wallet. Instead, any onchain funds will be able to fee bump the vault transaction without introducing pinning risks.
I think this is largely the same problem faced by tens of thousands of LN nodes at present—they must store revoked states robustly but also securely, as any loss and release of that data can cost them money. This is certainly less than ideal, but it hasn’t stopped widespread use of LN.
I’m agreed here, but I think this actually works towards my overall point: if vaults were a highly desired feature, people would be willing to pay more for them and then we could figure out how to optimize them for everyone’s benefit. But if very few people are willing to pay even a marginal increase in fees for vaults, I think that’s an argument that optimizing them is premature.