I found a discussion about this topic on another thread.
So, if a Taproot address isn’t reused for transactions, how come it’s still considered vulnerable to quantum computers?
Is it possible to view a Taproot address's public key without spending any coins?
15 replies 437 views
cryptobridgeSenior Member
Posts: 221 · Reputation: 1481
#2Sep 12, 2022, 01:21 AM
He is trying to tell you how your Bitcoin isn't safe from Quantum computers if you are using a taproot address to keep Bitcoin for long term.
When you send a transaction to other type of address, like native segwit, legacy and nested segwit, the transactions are visible on the blockchain network but the only thing you can see from the scriptpubkey is only the hash160, the public key will not be visible until the Bitcoin is ready to be spent which must be provided by the spender(both the signature and public key).
The two conditions that can reveal the public key is if you spend the output or spend part of the output. This is why it's not recommended to reused an output, it should be spent once because the public key to that address is already visible.
Contrary to taproots, when an outout is spent the pubkey becomes visible to the public, anyone can see your public key and that's a threat to everyone that are keeping Bitcoin for long term using taproot address.
He is suggesting you move your Bitcoin from taproot address to native segwit address prior to when Quantum solution will be available.
Because the taproot address public key can be known to the public without spending from the address?
You mean if you send bitcoin to recipient taproot address, the recipient address public key will be seen without spending from the taproot address? This is what I am asking.
cryptobridgeSenior Member
Posts: 221 · Reputation: 1481
#4Sep 13, 2022, 02:18 PM
Everything about Quantum computers for now is speculation, all I know is that with your public key, Quantum computer can break the ecdsa to get the corresponding private key. The best practice and measure put in place now is to make sure your public key isn't exposed if you are going to keep Bitcoin for long term, that been said.
When you send a transaction to a taproot address, there is pubkey on the scriptpubkey refered x public key, there is a speculation but mathematical not proven that your funds can be at risk with quantum computer, that's why OP from the other thread is suggesting funds be moved from there to native segwit.
silentchainHero Member
Posts: 473 · Reputation: 2317
#5Sep 13, 2022, 07:35 PM
Taproot address reveals the tweaked public key its x-coordinate, to be exact. The relevant tweak is irreversible operationas it involves hashing, multiplication and addition on EC curve, which means you cannot recover the original internal public key from the tweaked one. Therefore, if you don't spend from Taproot address, there's no reason to worry about your stash even in the face of quantum computers with the technically feasible numbers of entangled qubits (they require cooling to be entangled which in turn requires energy, a lot of energy in fact) which wouldn't be powerful enough to derive the pertaining tweaked private keys because there's no starting point for them to compute or search. In my view the quantum threat is a bit exaggerated.
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#6Sep 13, 2022, 10:51 PM
It's not apparent if the author is creating an FUD or just took the words in BIP-0341 literally, because that's not true.
To quote the most relevant information in BIP341's "design" that must have been his reference:
He may have done some research and read this part but stopped right at that point.
It's either he left "Constructing and spending Taproot outputs" part unread or failed to understand it.
Taproot doesnt become unsafe just because an address isnt reused. Address reuse affects privacy not quantum safety.
The only moment anything becomes quantum breakable is when you actually spend and reveal the full public key and thats true for P2WPKH and Taproot alike. An unspent Taproot UTXO is no more vulnerable than any other SegWit output.
So no, Taproot isnt less safe unless you reuse it. That part of the tweet is simply wrong.
SwiftMinerSenior Member
Posts: 259 · Reputation: 1036
#8Sep 14, 2022, 07:01 AM
There have been multiple threads on the forum about the risks quantum computing poses to the bitcoin network especially for those that reuse addresses. The problem is not with taproot addresses alone but basically all addresses. Taproot was barely just an upgrade on the network.
Fact is if this quantum computing really becomes an implementable threat then literally everyone in campaigns could be a victim because of address reuse.
It depends what a campaign participant actually does. If I receive multiple UTXOs (aka payments while in a campaign) to the same receiving public address but don't have spent any of the received UTXOs, the public key of my receiving public address remains unknown.
If some future quantum computer attack needs to know the public key, well then good luck to break my receiving address when I'm simply hodling.
I'm aware that what I describe might be viewed as an edge case. The blanket statement that campaign participants are vulnerable to future sophisticated quantum computer attacks is, in my opinion, not in every case correct. You become vulnerable in a "quantum future" when you spend your received coins and continue to receive to the same public address.
SwiftMinerSenior Member
Posts: 259 · Reputation: 1036
#10Sep 15, 2022, 10:57 AM
You do have a solid point and I agree with that. However on the other hand let's play a couple possible case scenarios and use the probability of say out of 100 users how many actually hold the coins they receive from their campaign without spending any of them for a very long of time.
You discover that if we should make use of this analogy then a majority of persons will be a victim to quantum attacks. Nevertheless that doesn't mean all though.
Of course. But you don't need internal public key, to move the coins. For example: what is internal public key here? https://mempool.space/tx/f0e7351b7829826057a984fde7c03d1c67e8235224c5e3791122a072d1e1a3ff
As you can see, nobody knows, or uses any internal public key for some addresses, and coins are still spendable. Which means, that if someone will get the private key to the external public key, visible in the Taproot address, then it is all that is needed, to move these coins anywhere, under the current consensus rules.
Of course, in the future, that may be blocked or restricted (so using untweaked keys is a bad idea), but now it isn't blocked, and it may never be (because then, there is a risk of confiscating some coins; it is a similar case, if someone would want to invalidate old, random P2PK, where HD wallets were not yet used). And claiming, that "all keys have to be tweaked" is a similar thing, as claiming that "everyone have to use HD wallets", which is simply not the case, when it comes to enforced consensus rules.
silentchainHero Member
Posts: 473 · Reputation: 2317
#12Sep 15, 2022, 01:32 PM
Sure, having both the private and public keys allows you to do virtually anything you want.
Regarding untweaked keys, they are from the class of exotic exclusions that some people try to fiddle with rather than being the general rule. Most wallets will not support this.
Yes, but it is not a question, if your wallet supports it or not. It is a question, if attackers will be able to exploit it, if secp256k1 will be broken.
And from the security perspective, your coins are as strong as the weakest link. Which means, that if anyone will ever try to attack, then the external, untweaked key will be attacked, because it is just easier to attack some known public key, than to target some unknown, hashed key.
Also, each address has an untweaked, external key. There are no Taproot addresses, where you can say "I want only internal key, and nothing else". Which means, that if someone will break the external key, then the internal key can be set to whatever, and it wouldn't matter, because the attacker will just use external key to move them.
In the case of an untweaked single-key Taproot output (Q= P) is spending via the key path still fully valid under current consensus ( BIP 341), and does it also require only the schnorr signature with the private key corresponding to Q? Does the internal key even exist meaningful in that scenario, or is it identical to the external key key?
You also mentioned that Nobody knows, or uses any internal public key in practice, for output where the tweak is Zero, how do wallets typically handle key derivatives and signing? Do major wallets for example those using BIP 86) always apply the tweak even for single -key outputs, or is there variation??
There is a topic about tweaking keys: https://bitcointalk.org/index.php?topic=5372405
In general, external keys is what exist on-chain. This is what is visible in UTXOs, this is what is used to make signatures, and so on.
And then, internal key is just an abstraction, similar to HD wallets: you can start from a private key, calculate a matching public key, and use it directly, or you can go further, and add some value to that public key, like HD wallets do, and generate a different key out of it.
The external key is always used, if you spend Taproot address by key. The internal key is needed mainly for TapScript, because then, you reveal your internal key, without signing it, and you use TapScript, to actually move the coins.
By default, wallets use tweaked keys, because they are safer (in a similar way, as HD wallets are safer, than using random keys). However, from the consensus point of view, you only have coins spent by key, where the external key is used, or coins spent by TapScript, where the internal key is revealed, without being signed at all, and then the TapScript decides, where coins should go.
In general, the internal key is what is needed to go from spending by key, into spending by TapScript. Which means, that if you can get the private key to the external key, then you can always move coins by key, even if you don't know the internal key. Which is why if secp256k1 will be broken, then all attackers could simply spend all P2TR outputs by key, and not care about the underlying TapScript at all. The only exception to that, is if some public key is invalid, but then, nobody can move it.
Is there a better way to Explain why knowing the private key corresponding to this external (tweaked) public key q allows an attacker to bypass the trap root script path entirely and spend the output directly via the key path, even if they have no knowledge of the internal key p or the scripts.
Related topics
- Bitcoin Core displaying coins (UTXOs) in a new tab 13
- Erlay seems to have some issues here’s a better proposal for a bitcoin protocol without invites 3
- Need Help! Funds Gone / Wrong Address 10
- Vanitygen: Create Your Own Bitcoin Address with This Tool 19
- Are you in favor of BIP-110? Let's get a Bitcoin poll going. 0
- New Optional Hourglass Implementation is Live 3