Bitcoin Forum
November 29, 2025, 08:21:28 PM *
News: Latest Bitcoin Core release: 30.0 [Torrent]
 
Author Topic: Can you see Taproot address public key without spending coins on the address  (Read 258 times)
Karl_3000 (OP) | Member | Activity: 126 | Merit: 33
November 13, 2025, 12:54:01 PM  #1

I saw something similar on this thread: https://bitcointalk.org/index.php?topic=5565334.msg66042914#msg66042914

Quote
DUMMIES GUIDE TO BEING QUANTUM SAFE.

In the past it was about protecting your PRIVATE KEY (your seed phrase). In the age of big scary quantum computers (BSQC) that are coming, you need to protect your PUBLIC KEY also.

Basically a BSQC can figure out your private key from a public key.

The present day taproot addresses (the latest format) are NOT safe, these are addresses starting with "bc1p" and they embed the public key into the address, not good.

Prior formats hide the public key behind a hash, so a BSQC can't easily crack it.

Do this:

1) create a new segwit wallet. It will start with "bc1q" (NOT "bc1p"), you can use older formats too like ones starting with "1" and "3"

2) send all your BTC into this new address

3) you can continue to stack sats into this new address

4) NEVER send BTC out of it, once you do you're BSQC hackable because your public key is revealed

5) wait for Bitcoin to upgrade to a quantum safe protocol, this may take 7 years, who knows

6) send your BTC into the new quantum safe address when the network is NOT congested, once you send, you reveal the private key for a short time. It's unlikely a BSQC will steal your coins in that short window

Some ramifications:

All the BTC sitting in ETFs, Treasury companies, and exchange cold storage can be quantum resistant if the custodians take action, even before BTC soft forks into a quantum resistant protocol.

Wallet Apps can also take appropriate action (making sure any spend from an address also moves remaining coins to a new non-taproot address).

Satoshi's 1M coins using an ancient P2PK address will be stolen (unless a future softfork freezes them). So are lost coins in addresses where there's past spending activity.
The general consensus between BTC experts is 2030 onwards as the timeframe when BSQC may come, aka “Q-Day”.

What's your take on all his explanations concerning the quantum attack day?

How is a taproot address not safe against quantum computers if it is not reused for transactions?

Cookdata | Legendary | Activity: 1512 | Merit: 1134
November 13, 2025, 02:10:02 PM  #2
Last edit: November 13, 2025, 02:20:20 PM by Cookdata
Merited by vapourminer (4), d5000 (2)

Quote
How is a taproot address not safe against quantum computers if it is not reused for transactions?

He is trying to tell you how your Bitcoin isn't safe from quantum computers if you are using a Taproot address to keep Bitcoin for the long term.

When you send a transaction to other types of addresses, like native segwit, legacy and nested segwit, the transaction is visible on the blockchain network, but the only thing you can see from the scriptPubKey is the hash160; the public key will not be visible until the Bitcoin is ready to be spent, at which point it must be provided by the spender (both the signature and the public key).

The two conditions that can reveal the public key are if you spend the output or spend part of the output. This is why it's not recommended to reuse an output; it should be spent once, because the public key to that address is already visible.

Contrary to Taproot, when an output is spent the pubkey becomes visible to the public: anyone can see your public key, and that's a threat to everyone who is keeping Bitcoin for the long term using a Taproot address.

He is suggesting you move your Bitcoin from a Taproot address to a native segwit address before a quantum solution becomes available.


Karl_3000 (OP) | Member | Activity: 126 | Merit: 33
November 13, 2025, 02:22:56 PM  #3

Quote
How is a taproot address not safe against quantum computers if it is not reused for transactions?

Quote
He is trying to tell you how your Bitcoin isn't safe from quantum computers if you are using a Taproot address to keep Bitcoin for the long term.
Because the Taproot address public key can be known to the public without spending from the address?

Quote
When you send a transaction to other types of addresses, like native segwit, legacy and nested segwit, the transaction is visible on the blockchain network, but the only thing you can see from the scriptPubKey is the hash160; the public key will not be visible until the Bitcoin is ready to be spent, at which point it must be provided by the spender (both the signature and the public key).
You mean if you send bitcoin to a recipient's Taproot address, the recipient address's public key will be seen without spending from the Taproot address? This is what I am asking.

Cookdata | Legendary | Activity: 1512 | Merit: 1134
November 13, 2025, 02:45:08 PM  #4

Quote
When you send a transaction to other types of addresses, like native segwit, legacy and nested segwit, the transaction is visible on the blockchain network, but the only thing you can see from the scriptPubKey is the hash160; the public key will not be visible until the Bitcoin is ready to be spent, at which point it must be provided by the spender (both the signature and the public key).
Quote
You mean if you send bitcoin to a recipient's Taproot address, the recipient address's public key will be seen without spending from the Taproot address? This is what I am asking.

Everything about quantum computers for now is speculation; all I know is that with your public key, a quantum computer can break ECDSA to get the corresponding private key. The best practice and measure put in place now is to make sure your public key isn't exposed if you are going to keep Bitcoin for the long term, that being said.

When you send a transaction to a Taproot address, there is a pubkey in the scriptPubKey, referred to as the x-only public key; there is speculation, though mathematically not proven, that your funds can be at risk from a quantum computer. That's why the OP of the other thread is suggesting funds be moved from there to native segwit.


satscraper | Legendary | Activity: 1302 | Merit: 2322
November 13, 2025, 04:32:35 PM  #5
Last edit: November 13, 2025, 05:55:27 PM by satscraper
Merited by vapourminer (4), ABCbits (4), d5000 (2), nc50lc (1), stwenhao (1), Karl_3000 (1)


Quote
You mean if you send bitcoin to a recipient's Taproot address, the recipient address's public key will be seen without spending from the Taproot address? This is what I am asking.

A Taproot address reveals the tweaked public key (its x-coordinate, to be exact). The relevant tweak is an irreversible operation, as it involves hashing, multiplication and addition on the EC curve, which means you cannot recover the original internal public key from the tweaked one. Therefore, if you don't spend from a Taproot address, there's no reason to worry about your stash even in the face of quantum computers with the technically feasible numbers of entangled qubits (they require cooling to be entangled, which in turn requires energy, a lot of energy in fact), which wouldn't be powerful enough to derive the pertaining tweaked private keys because there's no starting point for them to compute or search. In my view the quantum threat is a bit exaggerated.


nc50lc | Legendary | Activity: 2982 | Merit: 8030
November 14, 2025, 04:49:56 AM  #6
Merited by vapourminer (4), ABCbits (3)

Quote
The present day taproot addresses (the latest format) are NOT safe, these are addresses starting with "bc1p" and they embed the public key into the address, not good.
Quote
How is a taproot address not safe against quantum computers if it is not reused for transactions?
It's not apparent whether the author is creating FUD or just took the words in BIP-0341 literally, because that's not true.

To quote the most relevant information in BIP341's "design" section that must have been his reference:
Quote
The public key is directly included in the output in contrast to typical earlier constructions which store a hash of the public key or script in the output. This has the same cost for senders and is more space efficient overall if the key-based spending path is taken.
He may have done some research and read this part but stopped right at that point.
Either he left the "Constructing and spending Taproot outputs" part unread or failed to understand it.

Donneski | Full Member | Activity: 490 | Merit: 147
November 16, 2025, 11:29:10 AM  #7

Taproot doesn’t become unsafe just because an address isn’t reused. Address reuse affects privacy not quantum safety.

The only moment anything becomes “quantum breakable” is when you actually spend and reveal the full public key and that’s true for P2WPKH and Taproot alike. An unspent Taproot UTXO is no more vulnerable than any other SegWit output.

So no, Taproot isn’t less safe unless you reuse it. That part of the tweet is simply wrong.

Mia Chloe | Legendary | Activity: 910 | Merit: 1526
November 18, 2025, 03:03:31 PM  #8

Quote
How is a taproot address not safe against quantum computers if it is not reused for transactions?
There have been multiple threads on the forum about the risks quantum computing poses to the Bitcoin network, especially for those that reuse addresses. The problem is not with Taproot addresses alone but basically all addresses. Taproot was barely just an upgrade on the network.

The fact is, if this quantum computing really becomes an implementable threat, then literally everyone in campaigns could be a victim because of address reuse.

Cricktor | Legendary | Activity: 1330 | Merit: 3229
November 26, 2025, 07:55:37 PM  #9
Merited by vapourminer (2)

Quote
The fact is, if this quantum computing really becomes an implementable threat, then literally everyone in campaigns could be a victim because of address reuse.
It depends on what a campaign participant actually does. If I receive multiple UTXOs (aka payments while in a campaign) to the same receiving public address but haven't spent any of the received UTXOs, the public key of my receiving public address remains unknown.

If some future quantum computer attack needs to know the public key, well then good luck breaking my receiving address when I'm simply hodling.

I'm aware that what I describe might be viewed as an edge case. The blanket statement that campaign participants are vulnerable to future sophisticated quantum computer attacks is, in my opinion, not correct in every case. You become vulnerable in a "quantum future" when you spend your received coins and continue to receive to the same public address.

Mia Chloe | Legendary | Activity: 910 | Merit: 1526
November 26, 2025, 09:18:30 PM  #10

Quote
I'm aware that what I describe might be viewed as an edge case. The blanket statement that campaign participants are vulnerable to future sophisticated quantum computer attacks is, in my opinion, not correct in every case. You become vulnerable in a "quantum future" when you spend your received coins and continue to receive to the same public address.
You do have a solid point and I agree with that. However, on the other hand, let's play out a couple of possible scenarios and use the probability of, say, out of 100 users, how many actually hold the coins they receive from their campaign without spending any of them for a very long time.

You discover that if we make use of this analogy, then a majority of persons will be victims of quantum attacks. Nevertheless, that doesn't mean all, though.

stwenhao | Hero Member | Activity: 560 | Merit: 1240
November 27, 2025, 06:54:16 AM  #11

Quote
which means you cannot recover the original internal public key from the tweaked one
Of course. But you don't need the internal public key to move the coins. For example: what is the internal public key here? https://mempool.space/tx/f0e7351b7829826057a984fde7c03d1c67e8235224c5e3791122a072d1e1a3ff

As you can see, nobody knows or uses any internal public key for some addresses, and the coins are still spendable. Which means that if someone gets the private key to the external public key visible in the Taproot address, then that is all that is needed to move these coins anywhere under the current consensus rules.

Of course, in the future that may be blocked or restricted (so using untweaked keys is a bad idea), but now it isn't blocked, and it may never be (because then there is a risk of confiscating some coins; it is a similar case to someone wanting to invalidate old, random P2PK, where HD wallets were not yet used). And claiming that "all keys have to be tweaked" is similar to claiming that "everyone has to use HD wallets", which is simply not the case when it comes to enforced consensus rules.

Proof of Work puzzle in mainnet, testnet4 and signet.
satscraper | Legendary | Activity: 1302 | Merit: 2322
November 27, 2025, 08:07:18 AM  #12
Merited by stwenhao (1)

Quote
which means you cannot recover the original internal public key from the tweaked one
Quote
Of course. But you don't need the internal public key to move the coins. For example: what is the internal public key here? https://mempool.space/tx/f0e7351b7829826057a984fde7c03d1c67e8235224c5e3791122a072d1e1a3ff

As you can see, nobody knows or uses any internal public key for some addresses, and the coins are still spendable. Which means that if someone gets the private key to the external public key visible in the Taproot address, then that is all that is needed to move these coins anywhere under the current consensus rules.

Of course, in the future that may be blocked or restricted (so using untweaked keys is a bad idea), but now it isn't blocked, and it may never be (because then there is a risk of confiscating some coins; it is a similar case to someone wanting to invalidate old, random P2PK, where HD wallets were not yet used). And claiming that "all keys have to be tweaked" is similar to claiming that "everyone has to use HD wallets", which is simply not the case when it comes to enforced consensus rules.

Sure, having both the private and public keys allows you to do virtually anything you want.

Regarding untweaked keys, they belong to the class of exotic exclusions that some people try to fiddle with rather than being the general rule. Most wallets will not support this.

stwenhao | Hero Member | Activity: 560 | Merit: 1240
November 27, 2025, 10:14:48 AM  #13

Quote
Most wallets will not support this.
Yes, but it is not a question of whether your wallet supports it or not. It is a question of whether attackers will be able to exploit it if secp256k1 is broken.

And from a security perspective, your coins are only as strong as the weakest link. Which means that if anyone ever tries to attack, then the external, untweaked key will be attacked, because it is easier to attack a known public key than to target an unknown, hashed key.

Also, each address has an untweaked, external key. There are no Taproot addresses where you can say "I want only the internal key, and nothing else". Which means that if someone breaks the external key, then the internal key can be set to whatever, and it wouldn't matter, because the attacker will just use the external key to move the coins.

Proof of Work puzzle in mainnet, testnet4 and signet.
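Added worked example (written for this edit; it is not code from the thread, from Bitcoin Core or from any wallet) that walks through the points made by Cookdata (#2, #4), satscraper (#5) and stwenhao (#11, #13): what a P2TR scriptPubKey actually carries, how the BIP341 tweak (a tagged hash followed by an EC point addition) turns the internal key into the output key, and that a BIP340 signature made with the tweaked output private key verifies against the on-chain output key alone, so the internal key never enters a key-path spend. It is pure Python using only hashlib; the secp256k1 and Schnorr arithmetic is a textbook reference implementation (not constant-time, for teaching only), and the internal private key and message are constructed toy values.

```python
# Taproot key-path walkthrough: on-chain output key, BIP341 tweak, BIP340 sign/verify.
# Teaching code only: pure Python, not constant-time, never use with real keys.
import hashlib

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def tagged_hash(tag, data):
    """BIP340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || data)."""
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + data).digest()

def lift_x(x):
    """BIP340 lift_x: the curve point with this x and even y, or None if off-curve."""
    if x >= P:
        return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)
    if pow(y, 2, P) != y_sq:
        return None
    return (x, y if y % 2 == 0 else P - y)

def xonly(pt):
    """32-byte x-only encoding, the form Taproot and BIP340 use for public keys."""
    return pt[0].to_bytes(32, "big")

def tweak_pubkey(internal_xonly, merkle_root=b""):
    """Public side of BIP341: Q = lift_x(P) + H_TapTweak(P || root) * G. No secret needed."""
    t = int.from_bytes(tagged_hash("TapTweak", internal_xonly + merkle_root), "big")
    assert t < N, "tweak out of range (negligible probability)"
    q = point_add(lift_x(int.from_bytes(internal_xonly, "big")), point_mul(t, G))
    return xonly(q)

def tweak_privkey(internal_priv, merkle_root=b""):
    """Private side of BIP341: d_out = d (negated if P has odd y) + t mod n."""
    p_int = point_mul(internal_priv, G)
    d = internal_priv if p_int[1] % 2 == 0 else N - internal_priv
    t = int.from_bytes(tagged_hash("TapTweak", xonly(p_int) + merkle_root), "big")
    return (d + t) % N

def p2tr_script_pubkey(output_xonly):
    """Exactly what the chain stores for a P2TR output: OP_1 <32-byte x-only key>."""
    return b"\x51\x20" + output_xonly

def schnorr_sign(priv, msg, aux=bytes(32)):
    """BIP340 signing (deterministic nonce; all-zero aux randomness for reproducibility)."""
    pt = point_mul(priv, G)
    d = priv if pt[1] % 2 == 0 else N - priv
    t = d ^ int.from_bytes(tagged_hash("BIP0340/aux", aux), "big")
    nonce_in = t.to_bytes(32, "big") + xonly(pt) + msg
    k0 = int.from_bytes(tagged_hash("BIP0340/nonce", nonce_in), "big") % N
    r_pt = point_mul(k0, G)
    k = k0 if r_pt[1] % 2 == 0 else N - k0
    e = int.from_bytes(tagged_hash("BIP0340/challenge", xonly(r_pt) + xonly(pt) + msg), "big") % N
    return xonly(r_pt) + ((k + e * d) % N).to_bytes(32, "big")

def schnorr_verify(pub_xonly, msg, sig):
    """BIP340 verification: s*G - e*P must be a point with even y and x == r."""
    pt = lift_x(int.from_bytes(pub_xonly, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pt is None or r >= P or s >= N:
        return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pub_xonly + msg), "big") % N
    r_pt = point_add(point_mul(s, G), point_mul(N - e, pt))
    return r_pt is not None and r_pt[1] % 2 == 0 and r_pt[0] == r

def demo(internal_priv=0x1A2B3C4D5E6F7A8B):
    """Constructed toy internal key (hypothetical; real keys are 256 random bits)."""
    internal_pub = xonly(point_mul(internal_priv, G))
    out_pub = tweak_pubkey(internal_pub)      # what the address / scriptPubKey exposes
    out_priv = tweak_privkey(internal_priv)   # what a key-path spend actually signs with
    spk = p2tr_script_pubkey(out_pub)
    msg = hashlib.sha256(b"constructed sighash").digest()  # stand-in for a real sighash
    return {
        "script_pubkey_hex": spk.hex(),
        "internal_key_in_script": internal_pub in spk,
        "public_and_private_tweak_agree": xonly(point_mul(out_priv, G)) == out_pub,
        "key_path_spend_valid": schnorr_verify(out_pub, msg, schnorr_sign(out_priv, msg)),
        "untweaked_key_spend_valid": schnorr_verify(out_pub, msg, schnorr_sign(internal_priv, msg)),
    }

if __name__ == "__main__":
    print(demo())
```

Reading the result: the scriptPubKey is `5120` followed by the 32-byte output key, the internal key bytes appear nowhere in it, the public-only and private-side tweaks agree, and a signature under the tweaked private key verifies against the output key while a signature under the untweaked internal key does not. That is the chain-level reason the output key, not the internal key, is the thing a spend (or a hypothetical discrete-log attack) has to deal with.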