In-Reply-To: <20180123064419.GA1296@erisian.com.au>
References: <CAAS2fgTXg5kk6TyUM9dS=tf5N0_Z-GKVmzMLwTW1HxUgrqdo+Q@mail.gmail.com>
<20180123064419.GA1296@erisian.com.au>
From: Gregory Maxwell <greg@xiph.org>
Date: Tue, 23 Jan 2018 13:15:38 +0000
Message-ID: <CAAS2fgSy8qg71M6ZOr=xj=W6y2Jbz8hwygZOUYv-Brkt0JwVaQ@mail.gmail.com>
To: Anthony Towns <aj@erisian.com.au>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Taproot: Privacy preserving switchable scripting

On Tue, Jan 23, 2018 at 6:44 AM, Anthony Towns <aj@erisian.com.au> wrote:
> Is this really intended as paying directly to a pubkey, instead of a
> pubkey hash?
>
> If so, isn't that a step backwards with regard to resistance to quantum
> attacks against ECC?

You're reading too much into a description of the idea. It's not a BIP
or a spec; I tried to provide enough details to make the general idea
concrete. I didn't dive into details or optimizations (for example,
you can use this with a "no EC redemption path" by special casing
empty C as the point at infinity, and you'd have an output that was
indistinguishable until spent... yadda yadda).

Considering the considerable level of address reuse -- I recall prior
stats that a majority of circulating funds are on addresses that had
previously been used, on top of the general race limitations -- I am
now dubious of the idea that hashing provides any kind of meaningful
quantum resistance and somewhat regret introducing that meme to the
space in the first place. If we considered quantum resistance a
meaningful concern we should address that specifically -- so I
don't think that should be a factor that drives a decision here.

When collision resistance is needed (as I think it clearly is for
taproot) you don't get a space savings in the txout from hashing, so
there is an argument to use the public key directly at least... but
it's worth considering. Direct SPK use is also advantageous for being
able to efficiently ZKP over the UTXO set, e.g. for private solvency
proofs, but it isn't absolutely mandatory for that (one can hash
inside the proof, but it's slower).
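An added example (not code from this thread or from Bitcoin Core) of the construction the reply refers to, assuming the taproot output key is P = C + H(C||S)G as in the original proposal this message answers. It uses plain SHA-256 and compressed 33-byte keys instead of the tagged hashes and x-only keys of the later BIP, a constructed secret key, and shows the "empty C as the point at infinity" variant producing an output that is byte-for-byte indistinguishable from one with a key path:

```python
import hashlib
# secp256k1 parameters: field prime, group order, generator, identity
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity

def add(p, q):
    """Affine point addition on secp256k1, handling doubling and infinity."""
    if p is INF or q is INF:
        return q if p is INF else p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return INF  # p == -q
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def mul(k, p):
    """Double-and-add scalar multiplication."""
    r = INF
    while k:
        if k & 1:
            r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def ser(p):
    """Compressed 33-byte encoding; the infinity point serialises as empty bytes."""
    return b"" if p is INF else bytes([2 + (p[1] & 1)]) + p[0].to_bytes(32, "big")

def tweak(C, script):
    """H(C || S) mod N, with plain SHA-256 (the later BIP uses tagged hashes)."""
    return int.from_bytes(hashlib.sha256(ser(C) + script).digest(), "big") % N

def taproot_output(C, script):
    """Output key P = C + H(C||S)*G. With C = INF there is no key-path spend."""
    return add(C, mul(tweak(C, script), G))

def key_path_secret(c, C, script):
    """Secret key for the key-path spend of P: c + H(C||S) mod N."""
    return (c + tweak(C, script)) % N

def script_path_valid(P, C, script):
    """Script-path spend reveals C and S; the verifier recomputes P."""
    return P == taproot_output(C, script)
```

The script-path check is where collision resistance of H matters: whoever supplies C and S must not be able to find a second (C', S') pair that tweaks to the same P.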