{"type":"rich","version":"1.0","title":"Matt Corallo [ARCHIVE] wrote","author_name":"Matt Corallo [ARCHIVE] (npub1e4…jxmcu)","author_url":"https://yabu.me/npub1e46n428mcyfwznl7nlsf6d3s7rhlwm9x3cmkuqzt3emmdpadmkaqqjxmcu","provider_name":"njump","provider_url":"https://yabu.me","html":"📅 Original date posted:2021-03-15\n📝 Original message:Right, you can avoid the storage cost at the cost of significantly higher CPU usage, plus lack of ability to \nbatch-validate. As Robert pointed out in a neighboring mail, it also reduces ability to do other, fancier, protocols \nusing the fact that public keys are now a public part of a script_pubkey.\n\nOverall, the tradeoffs here seem ludicrous, given that any QC issues in Bitcoin need to be solved in another way, and \ncan't practically be solved by just relying on the existing hash indirection.\n\nMatt\n\nOn 3/15/21 18:40, Jeremy wrote:\n\u003e I think Luke is pointing out that with the Signature and the Message you should be able to recover the key.\n\u003e \n\u003e if your address is H(P) and the message is H(H(P) || txn), then the you can use the public H(P) and the signature to \n\u003e recover the PK and verify that H(P) == P (I think you then don't even have to check the signature after doing that).\n\u003e \n\u003e Therefore there is no storage benefit.\n\u003e \n\u003e For the script path case, you might have to pay a little bit extra though as you'd have to reveal P I think? But perhaps \n\u003e that can be avoided another way...\n\u003e --\n\u003e @JeremyRubin \u003chttps://twitter.com/JeremyRubin\u003e\u003chttps://twitter.com/JeremyRubin\u003e\n\u003e \n\u003e \n\u003e On Mon, Mar 15, 2021 at 3:06 PM Matt Corallo via bitcoin-dev \u003cbitcoin-dev at lists.linuxfoundation.org \n\u003e \u003cmailto:bitcoin-dev at lists.linuxfoundation.org\u003e\u003e wrote:\n\u003e \n\u003e     There have been many threads on this before, I'm not sure anything new has been brought up here.\n\u003e \n\u003e     Matt\n\u003e \n\u003e     On 3/15/21 17:48, Luke Dashjr via bitcoin-dev wrote:\n\u003e      \u003e I do not personally see this as a reason to NACK Taproot, but it has become\n\u003e      \u003e clear to me over the past week or so that many others are unaware of this\n\u003e      \u003e tradeoff, so I am sharing it here to ensure the wider community is aware of\n\u003e      \u003e it and can make their own judgements.\n\u003e \n\u003e     Note that this is most definitely *not* news to this list, eg, Anthony brought it up in \"Schnorr and taproot (etc)\n\u003e     upgrade\" and there was a whole thread on it in \"Taproot: Privacy preserving switchable scripting\". This issue has been\n\u003e     beaten to death, I'm not sure why we need to keep hitting the poor horse corpse.\n\u003e \n\u003e      \u003e\n\u003e      \u003e In short, Taproot loses an important safety protection against quantum.\n\u003e      \u003e Note that in all circumstances, Bitcoin is endangered when QC becomes a\n\u003e      \u003e reality, but pre-Taproot, it is possible for the network to \"pause\" while a\n\u003e      \u003e full quantum-safe fix is developed, and then resume transacting. With Taproot\n\u003e      \u003e as-is, it could very well become an unrecoverable situation if QC go online\n\u003e      \u003e prior to having a full quantum-safe solution.\n\u003e \n\u003e     This has been discussed ad nauseam, and it all seems to fall apart once its noted just how much Bitcoin could be stolen\n\u003e     by any QC-wielding attacker due to address reuse. Ultimately, no \"pause\" can solve this issue, and, if we learned about\n\u003e     a QC attacker overnight (instead of slowly over time), there isn't anything that a non-Taproot Bitcoin could do that a\n\u003e     Taproot Bitcoin couldn't.\n\u003e \n\u003e      \u003e Also, what I didn't know myself until today, is that we do not actually gain\n\u003e      \u003e anything from this: the features proposed to make use of the raw keys being\n\u003e      \u003e public prior to spending can be implemented with hashed keys as well.\n\u003e      \u003e It would use significantly more CPU time and bandwidth (between private\n\u003e      \u003e parties, not on-chain), but there should be no shortage of that for anyone\n\u003e      \u003e running a full node (indeed, CPU time is freed up by Taproot!); at worst, it\n\u003e      \u003e would create an incentive for more people to use their own full node, which\n\u003e      \u003e is a good thing!\n\u003e \n\u003e     This is untrue. The storage space required for Taproot transactions is materially reduced by avoiding the hash\n\u003e     indirection.\n\u003e \n\u003e      \u003e Despite this, I still don't think it's a reason to NACK Taproot: it should be\n\u003e      \u003e fairly trivial to add a hash on top in an additional softfork and fix this.\n\u003e \n\u003e     For the reason stated above, i think such a fork is unlikely.\n\u003e \n\u003e      \u003e In addition to the points made by Mark, I also want to add two more, in\n\u003e      \u003e response to Pieter's \"you can't claim much security if 37% of the supply is\n\u003e      \u003e at risk\" argument. This argument is based in part on the fact that many\n\u003e      \u003e people reuse Bitcoin invoice addresses.\n\u003e      \u003e\n\u003e      \u003e First, so long as we have hash-based addresses as a best practice, we can\n\u003e      \u003e continue to shrink the percentage of bitcoins affected through social efforts\n\u003e      \u003e discouraging address use. If the standard loses the hash, the situation\n\u003e      \u003e cannot be improved, and will indeed only get worse.\n\u003e \n\u003e     I truly wish this were the case, but we've been beating that drum for at least nine years and still haven't solved it.\n\u003e     Worse, there's a lot of old coins that are unlikely to move any time soon that are exposed whether we like it or not.\n\u003e \n\u003e      \u003e Second, when/if quantum does compromise these coins, so long as they are\n\u003e      \u003e neglected or abandoned/lost coins (inherent in the current model), it can be\n\u003e      \u003e seen as equivalent to Bitcoin mining. At the end of the day, 37% of supply\n\u003e      \u003e minable by QCs is really no different than 37% minable by ASICs. (We've seen\n\u003e      \u003e far higher %s available for mining obviously.)\n\u003e \n\u003e     Except its not? One entity would be able to steal that entire block of supply rather quickly (presumably over the\n\u003e     course\n\u003e     of a few days, at maximum), instead of a slow process with significant upfront real-world cost in the form of\n\u003e     electricity.\n\u003e     _______________________________________________\n\u003e     bitcoin-dev mailing list\n\u003e     bitcoin-dev at lists.linuxfoundation.org \u003cmailto:bitcoin-dev at lists.linuxfoundation.org\u003e\n\u003e     https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\u003e     \u003chttps://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\u003e\n\u003e"}