Skip to content

Commit

Permalink
Update bip-0352.mediawiki
Browse files Browse the repository at this point in the history
Co-authored-by: Sebastian Falbesoner <[email protected]>
  • Loading branch information
josibake and theStack authored Mar 14, 2024
1 parent 6b73e87 commit 2857784
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion bip-0352.mediawiki
Original file line number Diff line number Diff line change
Expand Up @@ -242,7 +242,7 @@ The sender uses the private key corresponding to the taproot output key (i.e. th

witness: <optional witness items> <leaf script> <control block>
scriptSig: (empty)
scriptPubKey: 0 <32-byte-x-only-key>
scriptPubKey: 1 <32-byte-x-only-key>
(0x5120{32-byte-x-only-key})
Same as a keypath spend, the sender MUST use the private key corresponding to the taproot output key. If this key is not available, the output cannot be included as an input to the transaction. Same as a keypath spend, the receiver obtains the public key from the ''scriptPubKey'' (i.e. the taproot output key)<ref name="why_always_output_pubkey">''' Why not skip all taproot script path spends? ''' This causes malleability issues for CoinJoins. If the silent payments protocol skipped taproot script path spends, this would allow an attacker to join a CoinJoin round, participate in deriving the silent payment address using the tweaked private key for a key path spend, and then broadcast their own version of the transaction using the script path spend. If the receiver were to only consider key path spends, they would skip the attacker's script path spend input when deriving the shared secret and not be able to find the funds. Additionally, there may be scenarios where the sender can perform ECDH with the key path private key but spends the output using the script path.</ref>.
Expand Down

0 comments on commit 2857784

Please sign in to comment.