[BIP Draft] Witness Version 3: ML-DSA-65 Post-Quantum Key-Path Spending

Posted by conduition

May 8, 2026/18:07 UTC

The discussion around introducing a new output type, distinct from P2MR, raises several concerns and questions about its design and implementation details. The central question is the rationale for adopting an output type that commits exclusively to an ML-DSA key, without supporting script trees or other complex spending conditions, closely resembling P2WPKH in its limitations. This design choice notably lacks cryptographic agility: coins locked to the new witness program are spendable only through ML-DSA. Given the possibility that ML-DSA is vulnerable to attacks that could compromise coin security, this approach might necessitate a future rescue-protocol soft fork, similar to the strategies planned for ECC-locked coins after Q-Day.

Furthermore, the selection of ML-DSA-65, which offers a 192-bit security level, over the smaller ML-DSA-44 with its 128-bit security parameter is another point of contention. The latter not only matches the classical security level of secp256k1 but is also smaller, so the choice of a higher security level without a clear justification is puzzling. Additionally, if ML-DSA is deployed without any witness discount, it would substantially reduce transactions per second (TPS), posing serious scalability problems for the network.

By comparison, alternatives such as SLH-DSA, or stateful hash-based schemes like XMSS, offer similar or better key and signature sizes while avoiding new cryptographic assumptions. Hash-based signatures in particular provide smaller and faster signatures without introducing new vulnerabilities, which calls into question the preference for ML-DSA in the current proposal. These points highlight the need for a more thorough justification of the chosen cryptographic parameters and strategies, to ensure they meet the network's security and performance requirements.
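To put numbers on the size and TPS argument above, here is an added worked example (not code from the BIP draft or from conduition's post) that computes the weight of a minimal 1-input, 1-output transaction and the resulting per-block capacity for P2TR key-path spends versus several post-quantum signature schemes, with and without the BIP 141 witness discount. Signature and key sizes come from FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA) and RFC 8391 (XMSS-SHA2_10_256). The witness layout assumed for the ML-DSA output (signature followed by the public key, as in P2WPKH), the choice to treat a 32-byte SLH-DSA key as the witness program itself, and the model of "no discount" as every byte costing 4 WU are assumptions made for this illustration, not details taken from the draft.

```python
"""Block-capacity arithmetic for a 1-in, 1-out transaction spending a
32-byte witness program under different signature schemes.

Added example for this page; not code from the BIP draft or the post.
Assumptions (not from the draft): the ML-DSA/XMSS witness is [sig, pubkey]
as in P2WPKH; a 32-byte SLH-DSA key is used as the witness program itself;
"no witness discount" means every serialised byte costs 4 weight units.
"""

BLOCK_WEIGHT_LIMIT = 4_000_000   # consensus block weight limit (WU)
BLOCK_INTERVAL_SEC = 600         # target block interval

# scheme -> (signature bytes, public-key bytes pushed in the witness; 0 if none)
# Sizes: FIPS 204 Table 2, FIPS 205 Table 2, RFC 8391 Section 5.3.
SCHEMES = {
    "P2TR key path (BIP 340)": (64, 0),       # 32-byte key is the program
    "ML-DSA-44":               (2420, 1312),
    "ML-DSA-65":               (3309, 1952),
    "SLH-DSA-SHA2-128s":       (7856, 0),     # assumed: 32-byte pk is program
    "XMSS-SHA2_10_256":        (2500, 64),    # assumed: 64-byte pk in witness
}


def compact_size(n: int) -> int:
    """Bytes taken by Bitcoin's CompactSize encoding of n."""
    if n < 0xFD:
        return 1
    if n <= 0xFFFF:
        return 3
    if n <= 0xFFFF_FFFF:
        return 5
    return 9


def base_size_1in_1out(program_len: int = 32) -> int:
    """Non-witness serialisation of a 1-in, 1-out tx paying a witness program."""
    script_pubkey = 1 + 1 + program_len          # OP_n, push-N, program
    return (4                                    # nVersion
            + compact_size(1)                    # input count
            + 36 + 1 + 4                         # outpoint, empty scriptSig, nSequence
            + compact_size(1)                    # output count
            + 8 + compact_size(script_pubkey) + script_pubkey
            + 4)                                 # nLockTime


def witness_size(sig_len: int, pk_len: int) -> int:
    """Segwit marker+flag plus a one-input witness stack [sig] or [sig, pk]."""
    items = [sig_len] + ([pk_len] if pk_len else [])
    return 2 + compact_size(len(items)) + sum(compact_size(n) + n for n in items)


def tx_weight(sig_len: int, pk_len: int, witness_discount: bool = True) -> int:
    """Transaction weight in WU (BIP 141: base bytes x4, witness bytes x1)."""
    base = base_size_1in_1out()
    wit = witness_size(sig_len, pk_len)
    if witness_discount:
        return base * 4 + wit
    return (base + wit) * 4                      # assumed "no discount" model


def block_capacity(sig_len: int, pk_len: int, witness_discount: bool = True):
    """Return (transactions per full block, transactions per second)."""
    txs = BLOCK_WEIGHT_LIMIT // tx_weight(sig_len, pk_len, witness_discount)
    return txs, txs / BLOCK_INTERVAL_SEC


def capacity_table() -> dict:
    """Per-scheme vbytes and block capacity with and without the discount."""
    return {
        name: {
            "vbytes": tx_weight(sig, pk) / 4,
            "txs_discounted": block_capacity(sig, pk)[0],
            "txs_undiscounted": block_capacity(sig, pk, False)[0],
        }
        for name, (sig, pk) in SCHEMES.items()
    }


if __name__ == "__main__":
    for name, r in capacity_table().items():
        print(f"{name:26s} {r['vbytes']:9.2f} vB  "
              f"{r['txs_discounted']:5d} tx/block (discount)  "
              f"{r['txs_undiscounted']:5d} tx/block (no discount)")
```

Under these assumptions a P2TR key-path spend weighs 444 WU (the familiar 111 vbytes), an ML-DSA-65 spend weighs 5646 WU with the discount and 21456 WU without it, so a block that holds about 9000 Taproot spends holds roughly 700 ML-DSA-65 spends with the discount and under 200 without, which is the scalability concern the post raises; swapping in ML-DSA-44 recovers about a third of that capacity.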
