There is a COST to running these quantum computers that must be lower than the profits gained from the attack.
Assuming that powerful enough QCs actually work, with a low enough error rate, this actually makes a lot of shitcoins safe as nobody will care to attack them.
There was a very old way of spending bitcoin called P2PK (pay to public key), which allows bitcoin to be sent to the public key itself, but current bitcoin addresses, in the worst cases, use P2PKH, or pay to public key hash, which does not expose the public key until the moment funds are sent FROM the address and only while they sit in the mempool for processing. If you do not reuse addresses, and you have never spent funds from a P2PKH address, the world does not know the public key. P2PKH is considered legacy, but there is still a TON of bitcoin on the ledger attached to these addresses, so let's dig into them a bit.
Note that Taproot (P2TR) addresses do not use hashing; it's pay to public key again.
I haven’t used Taproot addresses yet myself, but my understanding is that bech32m, just like bech32, uses sha256 and ripemd160 hashing steps on the public key as well: https://en.bitcoin.it/wiki/Bech32
reply
Bech32m is the address format used to encode the output script of Pay to Taproot outputs on the user layer. Addresses don’t appear on the blockchain, in transactions, or in output scripts.
The output script for P2TR outputs consists only of the witness version and the witness program, and the witness program is an x-only secp256k1 pubkey. When a P2TR output is spent via the keypath, the witness stack only needs a signature. So no, most P2TR outputs would not be protected by hashes, just as @kristapsk already stated above.
The exception would be if you made the keypath unusable, because spending via the scriptpath requires a control block that commits to the leaf script via a Merkle branch in the script tree, since the Merkle tree involves hashing.
reply
Address types and encoding are different things. First you create data to encode, then you encode it.
P2PKH (1...) and P2SH (3...) are different address types, but both use Base58Check encoding. For SegWit v0 (bc1q...) addresses bech32 encoding is used, but P2WPKH and P2WSH use different hashing algos before doing bech32 encoding (SHA256+RIPEMD160 vs just SHA256, that's why the addresses have different lengths). For SegWit v1 (bc1p...) the only address type currently is P2TR, and there just the Schnorr (not ECDSA) pubkey is encoded using bech32m.
Using Schnorr signatures and not hashing the pubkey is what allows these various Taproot tricks, like having complicated smart contracts that look on the blockchain just like a plain single pubkey.
reply
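Added example, not part of any comment in this thread: a bech32/bech32m decoder that reports what a SegWit address's witness program commits to, following the witness version and program lengths described in the comments above. The function names and the `KINDS` table are this example's own; the two sample addresses are the published BIP173 and BIP350 test vectors.

```python
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3  # final checksum constants (BIP173 / BIP350)
# (witness version, program length) -> (output type, what the program commits to)
KINDS = {(0, 20): ("P2WPKH", "HASH160(pubkey)"), (0, 32): ("P2WSH", "SHA256(script)"),
         (1, 32): ("P2TR", "x-only pubkey, not hashed")}

def polymod(values):
    """BIP173 checksum polynomial evaluated over 5-bit symbols."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def decode_segwit(addr):
    """Return (witness_version, program_bytes); raise ValueError if invalid."""
    if addr.lower() != addr and addr.upper() != addr:
        raise ValueError("mixed-case address")
    hrp, sep, data = addr.lower().rpartition("1")
    if not sep or not hrp or len(data) < 7 or any(c not in CHARSET for c in data):
        raise ValueError("malformed address")
    vals = [CHARSET.index(c) for c in data]
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    # Version 0 must carry a bech32 checksum, versions 1..16 a bech32m checksum.
    want = BECH32_CONST if vals[0] == 0 else BECH32M_CONST
    if vals[0] > 16 or polymod(hrp_exp + vals) != want:
        raise ValueError("bad witness version or checksum")
    acc = bits = 0
    out = bytearray()
    for v in vals[1:-6]:  # skip the version symbol and the 6 checksum symbols
        acc, bits = (acc << 5) | v, bits + 5
        while bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    if bits >= 5 or acc & ((1 << bits) - 1) or not 2 <= len(out) <= 40:
        raise ValueError("invalid padding or program length")
    return vals[0], bytes(out)

def classify(addr):
    """Return (output type, what the program commits to, program hex)."""
    version, prog = decode_segwit(addr)
    kind, commits_to = KINDS.get((version, len(prog)), ("unknown", "unknown"))
    return kind, commits_to, prog.hex()

if __name__ == "__main__":
    for a in ("bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",  # BIP173 test vector
              "bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqzk5jj0"):  # BIP350
        print(a, classify(a))
```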
The pubkeys don’t change between ECDSA or Schnorr, they are just curve points on secp256k1 in either case. Just the signature is different, and the respective output type requires one or the other in the witness stack for spending.
reply
Yes, you are correct here.
reply
The question is whether or not the requirements for an attack change/simplify if you only know the bc1 address.
reply
Clearly I’m going to have to dig into Taproot more :) Thanks for the extra info.
reply
What about bc1q (native SegWit) addresses? Are they safe?
reply
Native segwit still uses the same hashing steps mixed with some other easier to reverse steps: https://en.bitcoin.it/wiki/Bech32
reply
I would not say pay to pubkey isn't safe either, at least currently, but yes, bc1q is either P2WPKH (pay to witness public key hash) or P2WSH (pay to witness script hash), so it has the same security as 1... (P2PKH) and 3... (P2SH) addresses.
reply
Clearly pay to pubkey is still currently safe or there would be 4 million bitcoin getting stolen out from those vulnerable addresses :)
The cost to attack vs the value of the target is the most important metric. If the shitcoins have enough swappable value, they will be attacked as well--and actually maybe easier targets because most people won't care if some random crypto gets hacked--the bitcoin crowd won't necessarily think we've hit a point where these attacks are possible, so if I were an attacker, I'd probably start liquidating alts before hitting bitcoin.
reply
That's an interesting point--and I think why a lot of people use things like DOGE and LTC when bitcoin is hot--it's more below the radar for attacks and scrutiny.
reply