Skip to content
Greg Tonoski edited this page Oct 27, 2024 · 6 revisions

Is this safe to do [using original key-pair - the one without TapTweaking]? In simple cases, yes. BIP341 recommends always tweaking, even when there are no scripts involved, because of interaction with certain other protocols that could be built on top. But if all you're going for is single-key signing, you could in theory get away with using keys untweaked. - https://bitcoin.stackexchange.com/questions/109716/can-you-use-un-tweaked-public-key-with-p2tr

There is the should-type requirement of hardcoded constant "TapTweak" in derivation of a private-public key pair used in a spending path that excludes scripts in the BIP-0341 specification. I think that the requirement is unnecessary or too restrictive. I would suggest replacing the requirement with a cautionary note and leaving an option to derive ("TapTweak") a new key pair to an owner's discretion instead. Reasons:

  1. avoidance/minimisation of a number of hardcoded values (in accordance with commonly accepted best practices);
  2. keeping requirements specification consice and of high relevance to changes in protocol and consensus rules.

Also it may be worth adding an explanatory/warning note that sometimes the described attack in MSDL-pop scenario is not prevented by the proposed "TapTweak" mechanism which is excluded for TapTweaks (t) that exceed SECP256K1_ORDER (regarding the point 23 in Rationale section. i.e. https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_ref-23-0).