> Unless you assume that there are CRQC

And your signer's `k` generator is properly implemented a la RFC 6979.

optimism

BIP 322 basically creates a fake transaction and uses the signatures on that transaction to attest that the owner controls these UTXOs. For hash-based output scripts the inputs must reveal the corresponding input script for the signatures to be verifiable.

Personally, I’m still convinced that we will not see any CRQC in the next four decades, and therefore I don’t find it concerning to show public keys. Unless you assume that there are CRQC, public keys being public is not an issue.

bitcoin

BIP322 Message Verification for Signing Devices - orangesurf

Scoresby

BIP 322 basically creates a fake transaction and uses the signatures on that transaction to attest that the owner controls these UTXOs. For hash-based output scripts the inputs must reveal the corresponding input script for the signatures to be verifiable.

Personally, I’m still convinced that we will not see any CRQC in the next four decades, and therefore I don’t find it concerning to show public keys. Unless you assume that there are CRQC, public keys being public is not an issue.