--- Log opened Sun Feb 05 00:00:36 2023
05:38 < josie> w0xlt, RubenSomsen: how do you feel about removing support for P2PK,P2MS from the draft PR for silent payments? seems like it would make the implementation much simpler and faster
05:42 < josie> looking at https://transactionfee.info/charts/output-type-distribution-count/, p2pk and p2ms are both 0% of outputs, so it doesn't really seem worth it to me to have the added complexity for outputs that will likely never be used. additionally, in the rare event someone has p2pk and p2ms outputs that they want to spend using silent payments, they could just send the coins to a newer output
05:42 < josie> type first
05:45 < josie> thinking out loud here, if we remove them from the scanning, we would have to also remove them from the spec, otherwise a different wallet implementation could send you a silent payment using p2ms,p2pk and you would miss it
05:47 < josie> so the question really is: should we remove p2pk,p2ms from the spec for silent payments? im leaning towards yes, but interested to hear what others think 
06:04 < josie> although, this could make collaborative protocols more fragile.. for example, you wouldn't be able to send to an SP address in a coinjoin if someone else in the coinjoin is using a p2pk output 
06:17 < josie> actually, nvm. we even if we got rid of p2pk, p2ms we would still have to lookup the prevout for p2tr spends
17:05 < w0xlt> josie: Yes I agree. In PR, currently P2PK is commented out as //TODO and P2MS is not an accepted input in silent payments.
17:07 < w0xlt> --
17:08 < w0xlt> Just confirming: at https://gist.github.com/RubenSomsen/c43b79517e7cb701ebf77eec6dbb46b8?permalink_comment_id=4113518#gistcomment-4113518 it says `Instead of X' = hash(x*I,txid,index)*G+X we can do X' = hash(x*hash(txid,index)*I)*G + X.` I understand that this scheme adds a multiplication operation and multiplication is expensive. Is this the scheme that the BIP will adopt?
17:09 < sipa> If you have two scalars a, b, and a point P, then (abP) is only negligibly slower than a*P.
17:10 < sipa> Because you compute it as (a*b)*P, and multiplication between two scalars is very fast.
17:18 < w0xlt> Got it. `x*hash(txid,index)` are two scalars (private key and a hash). Thanks for the explanation.
23:59 < josie> w0xlt: another way we could do this is `x || hash(txid,index)` if it turns out that concatenating is significantly faster than multiplication. this means we would first do ECDH (A*b), then concatenate the outpoint hash: (A*b)||hash(txid,index)
--- Log closed Mon Feb 06 00:00:36 2023