delvingbitcoin
Unspendable keys in descriptors
Posted on: December 19, 2023 15:30 UTC
In the realm of cryptographic protocols, particularly those entailing provably unspendable key paths, there's an ongoing discussion about the distinctiveness and implications of script complexity.
Some argue that scripts, due to their inherent intricacies, already function as unique identifiers, much like fingerprints, which are exposed during each transaction. This revelation could be seen as a non-issue in scenarios where the unspendability of the key path is clear and does not constitute an additional breach of privacy.
However, this perspective isn't universally applicable. There are instances where the script only addresses specific conditions, such as a combination of participants who are unable to provide a MuSig signature for a key path. It's plausible that within a script tree, certain scripts are easily identifiable, while others lack this distinguishability. The consensus is that adopting a standard mandating the disclosure of the unspendability of a key path should be avoided to preserve privacy.
Interestingly, even within the constraints set by BIP341 and its suggested $P = H+rG$ scheme, which keeps the scalar $r$ secret, it's possible to demonstrate the unspendability of a key to other contract participants. This can be achieved without revealing the secret value $r$, by generating a BIP340 signature with key $P-H$, which corresponds to the private key $r$. This provides a method for verifying unspendability while maintaining the secrecy of critical components within the protocol.