On Mon, Mar 15, 2021 at 09:48:15PM +0000, Luke Dashjr via bitcoin-dev wrote: > Also, what I didn't know myself until today, is that we do not actually gain > anything from this: the features proposed to make use of the raw keys being > public prior to spending can be implemented with hashed keys as well. > It would use significantly more CPU time and bandwidth (between private > parties, not on-chain), but there should be no shortage of that for anyone > running a full node (indeed, CPU time is freed up by Taproot!); at worst, it > would create an incentive for more people to use their own full node, which > is a good thing! > "No gain" except to save significant CPU time and bandwidth? As Matt points out there is also a storage hit (unless you want to _really_ waste CPU time by using pubkey recovery, eliminating any hope of batch validation while introducing a new dependency on an algorithm with a very unclear patent story). Having exposed keys also lets you do ring signatures over outputs, creating the ability to do private proof of funds via Provisions. > Despite this, I still don't think it's a reason to NACK Taproot: it should be > fairly trivial to add a hash on top in an additional softfork and fix this. > This would make Bitcoin strictly worse. > In addition to the points made by Mark, I also want to add two more, in > response to Pieter's "you can't claim much security if 37% of the supply is > at risk" argument. This argument is based in part on the fact that many > people reuse Bitcoin invoice addresses. > 37% is a dramatic understatement. Every address which is derived using BIP32 should be assumed compromised to a QC attacker because xpubs are not treated like secret key material and are trivial to e.g. extract from hardware wallets or PSBTs. I expect the real number is close to 100%. In any case, Taproot keys, when used according to the recommendation in BIP-0341, are already hashes of their internal keys, so (a) Taproot outputs actually have better quantum resistance than legacy outputs; and (b) adding another hash would be strictly redundant. -- Andrew Poelstra Director of Research, Blockstream Email: apoelstra at wpsoftware.net Web: https://www.wpsoftware.net/andrew The sun is always shining in space -Justin Lewis-Webster