--- Log opened Mon Jan 16 00:00:17 2023
09:45 < josie> thinking out loud here, but we should be able to have the spend key be a musig aggregate key, right? meaning the taproot output created by the sender is only spendable by a threshold of signatures. can we also set up the spend key so that it has script spending paths set up as well?
09:48 < RubenSomsen> josie: afaict the only way to preserve a script path is for the sender to know the hash and apply the taproot tweak, and for the recipient to calculate the taproot tweak (i.e. another ECC mult) during scanning
09:54 < josie> RubenSomsen: so it would be correct to say silent payments supports sending to multisig in the case of a keypath spend
09:54 < josie> but for the script path, perhaps too complicated
10:01 < josie> i suppose you could encode the hash in the silent payment address to allow the sender to apply the taproot tweak?
10:02 < josie> but then an outside observer might be able to link the output to the silent payment address in the event the script path is used when spending
10:04 < RubenSomsen> Yeah I don't think it's practical, done naively it already makes scanning more costly since now you need to also do a taproot tweak to check the output, and your point about privacy is also valid. You could get around that by tweaking all keys in all script paths but that's even more ECC multiplications.
10:09 < RubenSomsen> Well actually no, not more multiplications when you tweak all script paths, but having to reveal all script paths to the sender is already quite messy.
10:11 < josie> yeah, making things more complicated for the sender feels like a no go to me. however, it feels like there could be a use case for a user who is less concerned about the scanning requirement and would also like the ability to receive to a more complicated setup. I'm thinking of an exchange with a static deposit address, or something like that
10:12 -!- w0xlt [sid555702@id-555702.ilkley.irccloud.com] has quit []
10:12 -!- w0xlt [sid555702@id-555702.ilkley.irccloud.com] has joined #silentpayments
10:36 < RubenSomsen> If you're using a unique script then you already lose privacy by spending from it
10:40 < josie> yep, so if there were a way to allow more unique scripts without it linking the output to the silent payment address, that seems worthwhile for some users? but if it links the address to the outputs, then not worth it
15:51 < RubenSomsen> So I think you do actually need one more ECC mult because if A and B are public info, you have a secret Diffie-Hellman key K, and on-chain you reveal A+K and B+K, you can figure out the relationship by subtracting A and B and finding out this results in K for both keys
15:51 < RubenSomsen> So instead you'll need K1 (key path) and K2 (script path) or even more if your script path contains more than one key
16:03 < RubenSomsen> But even if so, you're still publicly showing all your script paths, so when the script path is used your anonymity set is still taking a hit. It's definitely bad, but I'm also thinking using the script path is *always* bad for privacy.
16:03 < RubenSomsen> As in, even in regular taproot.
--- Log closed Tue Jan 17 00:00:18 2023