From 1a9c7f948aee96c2deaeade05009c245d417742b Mon Sep 17 00:00:00 2001
From: Devrandom <miron@basezero.com>
Date: Wed, 13 Nov 2019 18:46:05 +0100
Subject: [PATCH 1/2] clarify 211 hash bytes and non-reuse of keys

---
 bip-taproot.mediawiki | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bip-taproot.mediawiki b/bip-taproot.mediawiki
index de266b9c..6d2e9759 100644
--- a/bip-taproot.mediawiki
+++ b/bip-taproot.mediawiki
@@ -141,7 +141,7 @@ As the message for signature verification, transaction digest is ''hash<sub>TapS
 ** If the <code>SIGHASH_SINGLE</code> flag is set:
 *** <code>sha_single_output</code> (32): the SHA256 of the corresponding output in <code>CTxOut</code> format.
 
-The total number of bytes hashed is at most ''211''<ref>'''What is the number of bytes hashed for the signature hash?''' The total size of the input to ''hash<sub>TapSighash</sub>'' (excluding the initial 64-byte hash tag) can be computed using the following formula: ''178 - is_anyonecanpay * 52 - is_none * 32 + has_annex * 32''.</ref>.
+The total number of bytes hashed at top level is at most ''211''<ref>'''What is the number of bytes hashed for the signature hash?''' The total size of the input to ''hash<sub>TapSighash</sub>'' (excluding the initial 64-byte hash tag) can be computed using the following formula: ''178 - is_anyonecanpay * 52 - is_none * 32 + has_annex * 32''.</ref>.  Sub-hashes, such as `sha_prevouts`, may be cached across signatures of the same transaction.
 
 In summary, the semantics of the BIP143 sighash types remain unchanged, except the following:
 # The way and order of serialization is changed.<ref>'''Why is the serialization in the transaction digest changed?''' Hashes that go into the digest and the digest itself are now computed with a single SHA256 invocation instead of double SHA256. There is no expected security improvement by doubling SHA256 because this only protects against length-extension attacks against SHA256 which are not a concern for transaction digests because there is no secret data. Therefore doubling SHA256 is a waste of resources. The digest computation now follows a logical order with transaction level data first, then input data and output data. This allows to efficiently cache the transaction part of the digest across different inputs using the SHA256 midstate. Additionally, digest computation avoids unnecessary hashing as opposed to BIP143 digests in which parts may be set zero and before hashing them. Despite that, collisions are made impossible by committing to the length of the data (implicit in <code>hash_type</code> and <code>spend_type</code>) before the variable length data.</ref>
@@ -270,7 +270,7 @@ A script path spend leaks that there is a script path and that the key path was
 Moreover, the depth of a script in the Merkle root leaks information including the minimum depth of the tree, which suggests specific wallet software that created the output and helps clustering.
 Therefore, the privacy of script spends can be improved by deviating from the optimal tree determined by the probability distribution over the leaves.
 
-Just like other existing output types, taproot outputs should never reuse keys.
+Just like other existing output types, taproot outputs should never reuse keys, for privacy reasons.
 This does not only apply to the particular leaf that was used to spend an output but to all leaves committed to in the output.
 If leaves were reused, it could happen that spending a different output would reuse the same Merkle branches in the Merkle proof.
 Using fresh keys implies that taproot output construction does not need to take special measures to randomizing leaf positions because they are already randomized due to the branch-sorting Merkle tree construction used in taproot.

From b8cbd419e6d338bff68afd98be4d52a450e7dff1 Mon Sep 17 00:00:00 2001
From: Dev Random <devrandom@users.noreply.github.com>
Date: Thu, 14 Nov 2019 10:55:32 -0800
Subject: [PATCH 2/2] tweak 211 bytes text

---
 bip-taproot.mediawiki | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bip-taproot.mediawiki b/bip-taproot.mediawiki
index 6d2e9759..18430b9c 100644
--- a/bip-taproot.mediawiki
+++ b/bip-taproot.mediawiki
@@ -141,7 +141,7 @@ As the message for signature verification, transaction digest is ''hash<sub>TapS
 ** If the <code>SIGHASH_SINGLE</code> flag is set:
 *** <code>sha_single_output</code> (32): the SHA256 of the corresponding output in <code>CTxOut</code> format.
 
-The total number of bytes hashed at top level is at most ''211''<ref>'''What is the number of bytes hashed for the signature hash?''' The total size of the input to ''hash<sub>TapSighash</sub>'' (excluding the initial 64-byte hash tag) can be computed using the following formula: ''178 - is_anyonecanpay * 52 - is_none * 32 + has_annex * 32''.</ref>.  Sub-hashes, such as `sha_prevouts`, may be cached across signatures of the same transaction.
+The total number of bytes hashed is at most ''211'' (excluding sub-hashes such as `sha_prevouts`)<ref>'''What is the number of bytes hashed for the signature hash?''' The total size of the input to ''hash<sub>TapSighash</sub>'' (excluding the initial 64-byte hash tag) can be computed using the following formula: ''178 - is_anyonecanpay * 52 - is_none * 32 + has_annex * 32''.</ref>.  Sub-hashes may be cached across signatures of the same transaction.
 
 In summary, the semantics of the BIP143 sighash types remain unchanged, except the following:
 # The way and order of serialization is changed.<ref>'''Why is the serialization in the transaction digest changed?''' Hashes that go into the digest and the digest itself are now computed with a single SHA256 invocation instead of double SHA256. There is no expected security improvement by doubling SHA256 because this only protects against length-extension attacks against SHA256 which are not a concern for transaction digests because there is no secret data. Therefore doubling SHA256 is a waste of resources. The digest computation now follows a logical order with transaction level data first, then input data and output data. This allows to efficiently cache the transaction part of the digest across different inputs using the SHA256 midstate. Additionally, digest computation avoids unnecessary hashing as opposed to BIP143 digests in which parts may be set zero and before hashing them. Despite that, collisions are made impossible by committing to the length of the data (implicit in <code>hash_type</code> and <code>spend_type</code>) before the variable length data.</ref>