Nifty! It certainly meets most of my definition. I like the idea of a pseudo-covenant that only requires a single successful interaction to create and is secure if you find a single honest third-party. clArk is efficient about that because it already has a bunch of third parties in a multisignature who are ready to sign, but it doesn’t add much cost to generalize it:
- Lots of people run signing oracles. For example, a setting which allows every relaying full node to be a signer.
- Alice wants to pay a precommitted transaction tree paying Bob and Carol, like would be possible with CTV. She asks Bob and Carol for a list of oracles and asks each oracle for an ephemeral pubkey (for which each oracle attests ownership).
- Alice aggregates the pubkeys and creates (but does not sign) a transaction paying that aggregate pubkey in a P2TR output. She gives the PSBT to the oracles.
- The oracles create a 1-input, 1-output keypath spend from that PSBT that pays to the transaction tree and gives all the presigned transactions to Alice.
- Alice signs, broadcasts, and gets confirmed her PSBT and gives the presigned transactions to Bob and Carol along with the attestations. As long as at least one oracle signed honestly and destroyed their ephemeral privkeys, the pseudo-covenant is secure.
I think the overhead compared to base CTV is 111 vbytes for the 1-in-1-out transaction plus 18 vbytes (a witness-data signature plus overhead) for each precommitted transaction. Obviously it doesn’t give you the cheap optionality of CTV in tapleaves, but it seems like an adequate solution for many CTV use cases like congestion control, channel factories, and coin pools.