As per BIP341 [https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#]:
-
“First, we define taproot_tweak_pubkey for 32-byte BIP340 public key arrays. The function returns a bit indicating the tweaked public key’s Y coordinate as well as the public key byte array. The parity bit will be required for spending the output with a script path.“
-
This is shown in the “Script validation rules” section:
If q ≠ x(Q) or c[0] & 1 ≠ y(Q) mod 2, fail [10]
- Following the reference [10]:
“Why is it necessary to reveal a bit in a script path spend and check that it matches the parity of the Y coordinate of Q? The parity of the Y coordinate is necessary to lift the X coordinate q to a unique point. While this is not strictly necessary for verifying the taproot commitment as described above, it is necessary to allow batch verification. Alternatively, Q could be forced to have an even Y coordinate, but that would require retrying with different internal public keys (or different messages) until Q has that property. There is no downside to adding the parity bit because otherwise the control block bit would be unused.”
I understand (I think) why storing the parity of the taproot_tweak_pubkey in the Witness’ Control Block “is not strictly necessary” for verifying the validity of a P2TR-Script-Path spend.
- The spender, who constructed the Witness able to spend the UTXO;
- And the verifier (e.g. node), who is running validation rules on that
transaction; - They both construct the taproot_tweak_pubkey the same way: Same
Merkle Root, same Internal PubKey, same Tweak = same
taproot_tweak_pubkey.
Nevertheless, I assume there are still good security reasons why checking the parity was added as a validation rule in the P2TR-Script-Path, maybe clarifying this could be helpful?
My main question is why “it is necessary to allow batch verification”?
Thank you so very much, all of you out there who take the time to educate us on Bitcoin!
