taproot – Why is it essential to reveal a bit in a script path spend and examine that it matches the parity of the Y coordinate of Q?

By
CryptoCoin
-
0
3
taproot – Why is it essential to reveal a bit in a script path spend and examine that it matches the parity of the Y coordinate of Q?


As per BIP341 [https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#]:

  1. “First, we outline taproot_tweak_pubkey for 32-byte BIP340 public key arrays. The operate returns a bit indicating the tweaked public key’s Y coordinate in addition to the general public key byte array. The parity bit will likely be required for spending the output with a script path.

  2. That is proven within the “Script validation guidelines” part:

If q ≠ x(Q) or c[0] & 1 ≠ y(Q) mod 2, fail [10]

  1. Following the reference [10]:

“Why is it essential to reveal a bit in a script path spend and examine that it matches the parity of the Y coordinate of Q? The parity of the Y coordinate is critical to raise the X coordinate q to a novel level. Whereas this isn’t strictly mandatory for verifying the taproot dedication as described above, it’s mandatory to permit batch verification. Alternatively, Q might be pressured to have a good Y coordinate, however that might require retrying with totally different inside public keys (or totally different messages) till Q has that property. There isn’t a draw back to including the parity bit as a result of in any other case the management block bit could be unused.”

I perceive (I feel) why storing the parity of the taproot_tweak_pubkey within the Witness’ Management Block “isn’t strictly mandatory” for verifying the validity of a P2TR-Script-Path spend.

  • The spender, who constructed the Witness capable of spend the UTXO;
  • And the verifier (e.g. node), who’s working validation guidelines on that
    transaction;
  • They each assemble the taproot_tweak_pubkey the identical method: Identical
    Merkle Root, identical Inside PubKey, identical Tweak = identical
    taproot_tweak_pubkey.

However, I assume there are nonetheless good safety explanation why checking the parity was added as a validation rule within the P2TR-Script-Path, possibly clarifying this might be useful?

My principal query is why “it’s mandatory to permit batch verification”?

Thanks so very a lot, all of you on the market who take the time to coach us on Bitcoin!

LEAVE A REPLY

Please enter your comment!
Please enter your name here