Unspendable keys in descriptors

Original Post by josibake

Posted on: December 19, 2023 14:49 UTC

Unspendable keys, which are designed so that they cannot be used to spend in a transaction, should appear indistinguishable from any random key to an external observer.

This characteristic is considered desirable because of its potential application in protocols that need a provably unspendable keypath. One such use is BIP352 (silent payments), where standardizing H, a public nothing-up-my-sleeve (NUMS) number, is advocated to ensure provable unspendability within the protocol.

Proponents argue that having a standard public NUMS contributes to the simplicity and efficiency of constructing protocols that require an unspendable keypath. The use of a well-known NUMS can facilitate easier verification and implementation across different platforms and applications by providing a common reference point. However, questions remain about the implications of adopting a standard NUMS in all scenarios.

The inquiry into whether there are situations where utilizing a standard public NUMS might not be desirable invites consideration of potential counter-examples. Such scenarios could include cases where the predictability of a standard NUMS could inadvertently introduce vulnerabilities or diminish privacy. Therefore, while recognizing the benefits of standardization, it is also critical to evaluate each use case on its own merits to determine the appropriateness of employing a standard public NUMS.