[bitcoin-dev] Taproot: Privacy preserving switchable scripting
Tim Ruffing
tim.ruffing at mmci.uni-saarland.de
Wed Jan 24 09:28:20 UTC 2018
On Wed, 2018-01-24 at 01:52 +0000, Andrew Poelstra via bitcoin-dev
wrote:
>
> > They are. But I don't believe that is relevant; the attacker would
> > simply steal the coins on spend.
>
>
> Then the system would need to be hardforked to allow spending through
> a
> quantum-resistant ZKP of knowledge of the hashed public key. I expect
> that in a post-quantum world there will be demand for such a fork,
> especially if we came into such a world through surprise evidence of
> a discrete log break.
>
There are simpler ways using consensus / waiting instead of zero-
knowledge, e.g.,
1. Include H(classic_pk, tx) to blockchain, wait until confirmed.
2. Reveal classic_pk, tx
This is taken from my tweet [1] but now I realize that these are
basically Guy Fawkes "signatures" [2]. Joseph Bonneau and Andrew Miller
[3] had the idea to use this for cryptocurrency without asymmetric
cryptography.
Best,
Tim
[1] https://twitter.com/real_or_random/status/948226830166786048
[2] https://www.cl.cam.ac.uk/~rja14/Papers/fawkes.pdf
[3] http://www.jbonneau.com/doc/BM14-SPW-fawkescoin.pdf
More information about the bitcoin-dev
mailing list