[bitcoin-dev] Taproot: Privacy preserving switchable scripting

Tim Ruffing tim.ruffing at mmci.uni-saarland.de
Wed Jan 24 09:28:20 UTC 2018


On Wed, 2018-01-24 at 01:52 +0000, Andrew Poelstra via bitcoin-dev
wrote:
> 
> > They are. But I don't believe that is relevant; the attacker would
> > simply steal the coins on spend.
> 
> 
> Then the system would need to be hardforked to allow spending through
> a
> quantum-resistant ZKP of knowledge of the hashed public key. I expect
> that in a post-quantum world there will be demand for such a fork,
> especially if we came into such a world through surprise evidence of
> a discrete log break.
> 

There are simpler ways using consensus / waiting instead of zero-
knowledge, e.g., 

1. Include H(classic_pk, tx) to blockchain, wait until confirmed.
2. Reveal classic_pk, tx

This is taken from my tweet [1] but now I realize that these are
basically Guy Fawkes "signatures" [2]. Joseph Bonneau and Andrew Miller
 [3] had the idea to use this for cryptocurrency without asymmetric
cryptography.

Best,
Tim

[1] https://twitter.com/real_or_random/status/948226830166786048
[2] https://www.cl.cam.ac.uk/~rja14/Papers/fawkes.pdf
[3] http://www.jbonneau.com/doc/BM14-SPW-fawkescoin.pdf



More information about the bitcoin-dev mailing list