PQC - What is our Goal, Even?

In a recent discussion on the security implications of address reuse in Bitcoin protocols, significant differences between P2MR (Pay to Merkel Root) and P2TRv2 (Pay to Taproot Version 2) were highlighted, particularly concerning their handling of EC (Elliptic Curve) restrictions. Both output types share similar vulnerabilities when addresses are reused without EC restriction; however, the risk profiles diverge notably under different conditions.

P2MR, despite being less efficient pre-quantum, offers a more secure profile, largely because high-value corporate entities, which hold substantial amounts of bitcoin in cold wallets, are likely to use this format correctly due to self-interest. This behavior minimizes the potential exploitation from address reuse. In contrast, P2TRv2 presents a broader vulnerability, as misuse by even a few can expose all users to risks, regardless of personal adherence to best practices. The assertion is that even if EC spending remains unrestricted, P2MR would still provide superior security thanks to its inherent structure which only exposes individual misusers rather than the entire network.

The scenario where EC spending is restricted equally across both formats changes the landscape, rendering both P2MR and P2TRv2 similarly secure. Under such a condition, address reuse becomes a non-issue since the underlying vulnerability associated with EC paths would be mitigated. However, this requires a soft fork, an additional step that is necessary for P2TRv2 but optional—yet preferable—for P2MR. Given the current usage patterns and historical data indicating that a complete cessation of address reuse is unlikely, prioritizing a protocol inherently more forgiving of human error—like P2MR—seems prudent.

The ongoing debate underscores the importance of strategic protocol selection and development in the Bitcoin community. Contributors and developers are encouraged to engage with proposals like BIP361 to further refine these ideas and ensure robust security measures are in place to protect against both current and emerging threats. The decision of whether or not to implement an EC-restricting soft fork could significantly impact the relative security of different Bitcoin address formats moving forward.