Can you use un-tweaked public key with P2TR?


It depends on what you mean by public key.

P2TR outputs encode an “x-only pubkey”, that is, a public key with just the X coordinate. The Y coordinate is implicitly the even one (on an elliptic curve like secp256k1, every X coordinate has either exactly 2 corresponding Y coordinates, or none; and one of those two will always be odd, and one will be even).

Older mechanisms, such as the ECDSA signing used in older Bitcoin scripts, use a public key where the Y coordinate is identified exactly, either by sending it in full or by sending just its parity.

So, if you use a public key directly, without tweaking, as a P2TR address, then it is indeed possible to recover the public key’s X coordinate from it. Which of the two Y coordinates it was will be lost.

Is this safe to do? In simple cases, yes. BIP340 recommends always tweaking, even when there are no scripts involved, because of interaction with certain other protocols that could be built on top. But if all you’re going for is single-key signing, you could in theory get away with using keys untweaked.
