Author: Pieter Wuille 2021-02-11 20:31:13
Published on: 2021-02-11T20:31:13+00:00
In an email conversation between Dr. Maxim Orlovsky and Pieter Wuille, they discussed the need for a dedicated purpose (with new BIP) for BIP340 signatures to avoid key reuse. However, this would only be necessary for a particular way of using keys, such as single-key pay-to-taproot. Additionally, if one wants to maintain provable security for both ECDSA and BIP340, the keys used for each should be separated by a hardened step. But, this is already being done with existing approaches used to prevent key reuse. Dedicated branches can help in the simple case but do not address the problem of preventing key reuse in multiple distinct groups of multisig sets one participates in. To solve this issue, keeping track of the index for participating in what is necessary, which eliminates the need for dedicated purpose-based derivation. Greg Maxwell pointed out that there may be another reason to want non-reuse across ECDSA and BIP340 keys. If someone were to reuse the same keys for both and sign the same message with both, they could potentially leak their private key. However, this is not a concern for Bitcoin transaction signing because the sighash (message) indirectly commits to BIP341 or not, making it impossible to construct colliding messages.
Updated on: 2023-05-21T00:46:30.175706+00:00