Sorry, looks like I forgot to crosspost this reply to the list:

Hi Sjors, list:

> I brought this up [0], but it was later pointed out to me that it doesn't work

Oh yes, doh. That's most unfortunate. While this is getting silly, I can't help wondering what happens, in the presence of an ECDLP breaker, to a botched version of taproot that requires script-path spending and doesn't allow key-path.

It's interesting, imagine: honest keyholder creates Q = P_N + H(P_N||S)G where P_N means NUMS internal key. ECDLP breaker can just find DL of Q but if we disallow key-path spend they have to open a hash commitment to a tweak as per usual taproot rules.

So they need: Q = P_2 +H(P_2||S_2)G now, they know the full private key x_N + H(P_N||S) for Q (and they may or may not know S, or be able to guess it, to get all the variables in that expression), but it seems to not help them given the commitment to P_2 in the hash, requiring them to choose P_2 before the hash.

They could of course do it with P_N itself, if that were allowed, hence the "disable NUMS" might make sense, in this scenario. Can't say I'm 100% sure of myself here, but it looks like that works.

Even if I'm right, it's not so interesting; we already are assuming that a quantum attacker can't break hashes, that's behind a lot of the discussion here, so of course it would make sense if we broke taproot to require it only to use hashes (script path only), then it might come back to the same security situation (which of course, is not actual security, since keys are always revealed in spending). Or maybe we should start to think of really, really worst case scenarios: what if a new quantum algorithm actually does efficiently find SHA2 preimages? :)

Thanks, AdamISZ/waxwing
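As an added illustration of the commitment argument in the message above (example code written for this page, not part of the email or of any Bitcoin project): a minimal single-leaf taproot construction in pure Python, with BIP341-style tagged hashes standing in for the email's H(P||S) notation. The NUMS seed, the toy OP_TRUE leaf script and the attacker-chosen scalar 12345 are constructed values. The honest control block verifies; a freely chosen P_2 with the same script does not, because the tweak hash binds P_2 before the tweak is known. Nothing here models the ECDLP break itself; it only shows the verification rule any script-path spend must satisfy.

```python
import hashlib

# secp256k1 field prime, group order and generator (standard constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, pt):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = point_add(r, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return r

def tagged_hash(tag, msg):
    """BIP340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + msg).digest()

def lift_x(xb):
    """Recover the point with even y for a 32-byte x coordinate, or None if invalid."""
    x = int.from_bytes(xb, "big")
    if x >= P:
        return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)
    if y * y % P != y_sq:
        return None
    return (x, y if y % 2 == 0 else P - y)

def xonly(pt):
    return pt[0].to_bytes(32, "big")

def nums_point(seed):
    """Hash-to-x 'nothing up my sleeve' point (constructed for this demo; its discrete log is unknown)."""
    ctr = 0
    while True:
        pt = lift_x(hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest())
        if pt is not None:
            return pt
        ctr += 1

def tapleaf_hash(script, leaf_version=0xC0):
    # Single leaf; script shorter than 253 bytes so the compact size prefix is one byte
    return tagged_hash("TapLeaf", bytes([leaf_version, len(script)]) + script)

def taproot_tweak(internal_xonly, merkle_root):
    # This is the H(P || S) of the email, in BIP341 tagged-hash form
    return int.from_bytes(tagged_hash("TapTweak", internal_xonly + merkle_root), "big")

def build_output(internal_pt, script):
    """Honest wallet: Q = P + H(P || S) G, plus the control block needed to spend via S."""
    t = taproot_tweak(xonly(internal_pt), tapleaf_hash(script))
    q = point_add(internal_pt, point_mul(t, G))
    control = bytes([0xC0 | (q[1] & 1)]) + xonly(internal_pt)
    return xonly(q), control

def verify_script_path(output_xonly, control, script):
    """Script-path check: the revealed internal key P_2 is bound inside the tweak hash."""
    if len(control) != 33:
        return False
    internal = lift_x(control[1:])
    if internal is None:
        return False
    t = taproot_tweak(control[1:], tapleaf_hash(script, control[0] & 0xFE))
    if t >= N:
        return False
    q = point_add(internal, point_mul(t, G))
    return q is not None and xonly(q) == output_xonly and (q[1] & 1) == (control[0] & 1)

def demo():
    """Honest spend verifies; a freely chosen P_2 with a chosen script does not land on Q."""
    nums = nums_point(b"demo NUMS seed (constructed)")
    script = b"\x51"  # OP_TRUE, constructed toy leaf script
    output, control = build_output(nums, script)
    honest_ok = verify_script_path(output, control, script)
    # Even a party who knows the discrete log of Q must present some P_2 and S_2 with
    # Q = P_2 + H(P_2 || S_2) G; choosing P_2 first (d = 12345 here, constructed) does
    # not satisfy that equation without finding a hash preimage.
    p2 = point_mul(12345, G)
    forged_control = bytes([0xC0 | (p2[1] & 1)]) + xonly(p2)
    forged_ok = verify_script_path(output, forged_control, script)
    return honest_ok, forged_ok

if __name__ == "__main__":
    print(demo())
```

The verifier recomputes the tweak from the internal key and leaf it is handed, so the only degree of freedom for a candidate spend is the pair (P_2, S_2) fed into the hash; that is why the email's "script path only" variant reduces to the hash assumption rather than to ECDLP.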


--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/84ae7e2c-eb71-44fa-b3da-27731802f47an%40googlegroups.com.