On Tue, Jan 23, 2018 at 6:44 AM, Anthony Towns <a...@erisian.com.au> wrote:
> Is this really intended as paying directly to a pubkey, instead of a
> pubkey hash?
>
> If so, isn't that a step backwards with regard to resistance to quantum
> attacks against ECC?
You're reading too much into a description of the idea. It's not a BIP or a spec; I tried to provide enough details to make the general idea concrete. I didn't dive into details or optimizations (for example, you can use this with a "no EC redemption path" by special casing empty C as the point at infinity, and you'd have an output that was indistinguishable until spend... yadda yadda).

Considering the considerable level of address reuse -- I recall prior stats that a majority of circulating funds are on addresses that had previously been used, on top of the general race limitations -- I am now dubious to the idea that hashing provides any kind of meaningful quantum resistance and somewhat regret introducing that meme to the space in the first place. If we considered quantum resistance a meaningful concern we should address that specifically. --- so I don't think that should be a factor that drives a decision here.

When collision resistance is needed (as I think it clearly is for taproot) you don't get a space savings in the txout from hashing, so there is an argument to use the public key directly at least... but it's worth considering.

Direct SPK use is also advantageous for being able to efficiently ZKP over the UTXO set, e.g. for private solvency proofs, but it isn't absolutely mandatory for that (one can hash inside the proof, but it's slower).

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
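The construction under discussion, as an added worked example that is not part of the thread and not code from either poster: the output key is a bare point Q = P + H(P||C)*G, where P is the internal key and C is the committed script. The example uses plain SHA-256 over the compressed P followed by C as H (an assumption; a deployed scheme would use a domain-separated hash), a constructed private key and script, and a minimal pure-Python secp256k1 so it runs offline. It shows the two redemption paths (key path with the tweaked secret, script path by revealing P and C), that the txout carries 33 bytes whether or not a hash is layered on top, and that the commitment binds the script (a different C fails verification).

```python
import hashlib

# secp256k1 domain parameters (constants from the curve definition).
P_MOD = 2**256 - 2**32 - 977
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity, used as the group identity


def point_add(a, b):
    """Affine point addition on secp256k1, with doubling and identity handled."""
    if a is INF:
        return b
    if b is INF:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # a == -b
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication; k is reduced mod the group order."""
    k %= N_ORD
    result = INF
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def compress(pt):
    """33-byte compressed SEC encoding: parity prefix followed by x."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def tweak_scalar(internal_pub, script):
    # Assumption: H(P||C) is plain SHA-256 over compressed P and the script,
    # reduced mod n. A real design would domain-separate this hash.
    digest = hashlib.sha256(compress(internal_pub) + script).digest()
    return int.from_bytes(digest, "big") % N_ORD


def taproot_output(internal_pub, script):
    """Q = P + H(P||C)*G: the bare point that would go straight into the scriptPubKey."""
    return point_add(internal_pub, scalar_mult(tweak_scalar(internal_pub, script), G))


def key_path_secret(internal_priv, script):
    """Secret for the key path: d + H(P||C) mod n, so (d + t)*G == Q."""
    internal_pub = scalar_mult(internal_priv, G)
    return (internal_priv + tweak_scalar(internal_pub, script)) % N_ORD


def verify_script_path(output_pub, internal_pub, script):
    """Script path reveal: the spender shows P and C; the verifier recomputes Q."""
    return taproot_output(internal_pub, script) == output_pub


def txout_sizes(output_pub):
    """Bytes committed in the txout: the bare key versus a collision-resistant hash of it."""
    return {
        "pubkey": len(compress(output_pub)),
        "sha256_of_pubkey": len(hashlib.sha256(compress(output_pub)).digest()),
    }


# Constructed demo inputs, not real keys or scripts.
DEMO_PRIV = 0x1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60
DEMO_SCRIPT = b"<demo script: 2-of-3 checkmultisig>"

if __name__ == "__main__":
    P = scalar_mult(DEMO_PRIV, G)
    Q = taproot_output(P, DEMO_SCRIPT)
    print("Q =", compress(Q).hex())
    print("key path ok:", scalar_mult(key_path_secret(DEMO_PRIV, DEMO_SCRIPT), G) == Q)
    print("script path ok:", verify_script_path(Q, P, DEMO_SCRIPT))
    print("wrong script rejected:", not verify_script_path(Q, P, b"<other script>"))
    print("txout sizes:", txout_sizes(Q))
```

The size comparison is the point from the message: once the hash has to be collision resistant it is 32 bytes, so wrapping the 33-byte (or 32-byte x-only) Q in a hash saves nothing in the txout and only adds a preimage reveal at spend time.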