Re: Is the proposed BIP 360 the correct way to achieve quantum attack resistance?
I think that's a bad idea as expecting users to understand the tradeoffs between different cryptosystems is fundamentally untenable.
That's an argument I hadn't thought about, thanks for your opinion, I think I agree.I read a bit further through the mailing list thread and the proposer seemingly left the discussion offended, so my reading is that at least in this state the BIP has no chance to become accepted.
It does not solve the problem of existing UTXOs.
I think this is also outside of the scope of a proposal we can do now, in 2025. The idea of BIP360 was simply to provide a migration route. And one can also argue that the existing P2PK/P2MS etc. UTXOs shouldn't be touched at all.Yes, enforcing a proposal, which wouldn't be jpeg resistant, would be hard in practice.
Thanks, interesting thread but a bit difficult for me as a non-cryptographer 
I guess that means that arbitrary data could be stuffed into these signatures?The "commitment space" idea is also interesting.
I think each and every OP_CHECKSIG call should contain an additional commitment. In this way, it will be compatible with existing system, and it will be also aligned with potential attacks.
Looks also interesting but wouldn't this make transactions even heavier?Thinking about that however, would it be possible to combine this approach with the CISA approach, e.g. could the post-quantum signatures be also aggregated in this style? Or is this mechanic ECDSA / Schnorr-only?