@Jack K @The Bitcoin Lens @PlebNick
Looks like there's another mindfuck. The Manifold Attack.
Can you please evaluate it against your paper?
001
The identity manifold
Bitcoin is the first observable thermodynamic system whose volume is not spatial but algebraic. The paper that frames this object[1] identifies the key space as the thermodynamic container within which all value-bearing states must exist. The admissible private-key domain is exactly k_priv = {1, 2, …, n − 1}, with cardinality N_priv = n − 1 ≈ 1.1579 × 10^77. This cardinality is fixed by the subgroup order of secp256k1 and persists unchanged across the entire timechain. It cannot be enlarged without replacing the curve itself, which would constitute a different identity manifold and therefore a different ledger universe.
In this framework, a UTXO is not merely a balance. It is a localized container anchored to a discrete identity coordinate inside a finite manifold. Every satoshi exists inside a UTXO, and every UTXO exists only by occupying a specific quantized position in identity. The paper is explicit: “There is no representation in the protocol for partial keys, intermediate coordinates, or sub-identity units.”[2] The identity quantum is atomic. The mapping from private-key quanta to public observable loci is bijective. One private key, one public identity, one UTXO anchor.
That was the geometry of pre-Taproot Bitcoin. It is no longer the complete geometry.
002
The 2:1 reflection
BIP 340 introduces Schnorr signatures and, with them, x-only public keys. Instead of the 33-byte compressed format that encodes both the x-coordinate and the parity of the y-coordinate, the x-only format stores only the x-coordinate: 32 bytes. The rationale is efficiency. The cost is orientation.
On the secp256k1 curve, for every x-coordinate there exist two valid points: (x, y) and (x, −y mod p). In the group of order n, if k is a valid private key, then n − k is also a valid private key, and their corresponding public keys are negatives of each other. They share the same x-coordinate. Under x-only encoding, the pair {k, n − k} collapses onto a single observable ledger coordinate.
The paper assumes a bijection between admissible private-key quanta and public identity loci. BIP 340 breaks that assumption. The mapping is now 2-to-1. Two distinct private-key quanta control the same public locus. The identity manifold itself — the finite field of ~1.1579 × 10^77 admissible private keys — remains unchanged in cardinality. But its projection onto the observable ledger has acquired an intrinsic reflection symmetry: a folding that loses the sign of orientation while preserving location.
This is not a break of the Cardinal Rule. The keyspace is not enlarged. It is not subdivided. What changes is the resolution of observation. The ledger can distinguish where value is anchored, but not which of two mirrored keys holds authority. The thermometer still reads the temperature; it no longer records whether the reading is positive or negative. In most practical contexts this degeneracy is harmless: both keys control the same UTXO. But the degeneracy reveals that the identity quantum, which the paper treats as the irreducible atom of ledger authority, now carries an internal symmetry that the observable state cannot resolve.
The identity manifold has been folded onto itself. Two keys now open the same door, and the ledger cannot tell which key turned the handle.
003
The commitment tree
If the x-only mapping were the only change, the article would end here. It is not. Taproot, specified in BIP 341, introduces a structural transformation that is deeper than the 2:1 reflection. It changes what a UTXO is.
Under Taproot, an output key Q is computed as Q = P + int(t)G, where P is an internal public key, t is the TapTweak hash of P and the Merkle root of a script tree, and G is the curve generator. Conceptually, every Taproot output corresponds to a combination of a single public-key condition (the internal key P) and zero or more general conditions encoded in scripts organized in a tree.[3] Satisfying any of these conditions is sufficient to spend the output.
In the paper’s language, this means the following: a single UTXO, supposedly anchored to exactly one identity quantum (the output key Q), is in fact algebraically bound to a set of admissible future states. The on-chain identity Q is not merely a point in keyspace. It is a commitment to a hidden manifold of scripts. The internal key P is one possible spending path. The Merkle tree of scripts contains the others. The output key Q is the common projection of all of them.
The paper writes: “A UTXO is still anchored to exactly one of these identity quanta.”[2] Taproot preserves this at the level of the output script: the witness program is exactly 32 bytes, a single public key. But that public key is not a simple identity coordinate. It is a tweaked commitment that encodes, in its algebraic construction, the root of an entire tree of alternative conditions. The UTXO is anchored to one observable point. That point is the compressed image of a higher-dimensional object.
The work to build the Merkle tree is performed off-chain. Energy is expended: scripts are written, hashed, paired, and rooted. This computation is real, thermodynamically costly, and materially necessary for the output to function as designed. But once the output is created, the tree is not visible on the ledger. Only the root’s imprint, through the tweak t, is present in Q. If the output is later spent via the key path — a BIP 340 signature against Q — the script tree is never revealed. The work that built it is erased from the perspective of the chain, even though it happened.
004
The attack
Define the attack precisely.
Alice and Mallory agree to create a shared Taproot output. They each provide a public key. Mallory suggests using a simple key aggregation: Q = A + M, where A is Alice’s key and M is Mallory’s. Alice inspects Q and sees a normal aggregate key. She believes the output requires both parties to cooperate. She is wrong.
Mallory has constructed her key as M = M0 + int(t)G, where t is the TapTweak hash of the internal key P = A + M0 and a Merkle tree whose sole leaf is a script containing only Mallory’s original key M0. The final output key is Q = A + M = A + M0 + int(t)G = P + int(t)G. To Alice, Q appears as a legitimate aggregate of two honest keys. To Mallory, Q is a Taproot commitment with a hidden script path that Mallory controls unilaterally.
BIP 341 describes this exact attack in its Security section and warns that it is the reason naive key aggregation must not be used without proof-of-possession protocols such as MuSig.[4] The warning is technical and correct. What the warning does not address is the thermodynamic character of the breach.
In the paper’s framework, the UTXO is a bounded thermodynamic container. Its observable boundary is the output key Q. The set of admissible future states that the container can enter is supposed to be fully determined by that boundary. Under Taproot, this is no longer true. The observable boundary Q encloses two distinct classes of future states: those reachable through the key path (Alice + Mallory cooperating) and those reachable through the script path (Mallory alone). The second class is invisible to any inspection of the output script. The container’s boundary has been punctured by a tunnel that is not drawn on the map.
The thermodynamic container does not faithfully enclose the actual set of possible future states. A supposedly single-identity container secretly contains a second, unauthorized tunnel.
No discrete logarithm is broken. No hash is collided. No signature is forged. The attack is not cryptographic in the conventional sense. It is topological: an exploitation of the algebraic structure of Taproot commitments to introduce a hidden path through the identity manifold. The attack works because the mapping from internal state to observable boundary is many-to-one, and the many is not merely a symmetry degeneracy but a tree of semantically distinct execution paths.
005
Thermodynamic implications
The paper treats entropy as physically observable. The nonce space is visible in the difficulty. The mempool is visible to every node. The work of proof-of-work is visible in the block hash. The ledger, in principle, contains a complete record of the thermodynamic preparation of its own state. This full observability is what makes conservation a measurement rather than a belief.
Taproot breaks this observability in a specific and serious way.
Consider a Taproot output with a MAST tree containing N possible spending conditions. At creation, the Merkle tree encodes log2(N) bits of “script-choice entropy.” The energy to build the tree has been spent. The hashes have been computed. The entropy field is real. But if the output is spent via the key path, all N − 1 unexecuted script paths are cryptographically erased from the ledger. No witness reveals them. No node can reconstruct them without the original tree data. The information is not destroyed in the physical sense — the hashes still exist as mathematical objects — but it is removed from the consensus-accessible record. The chain cannot audit what was committed but not spent.
This is a new kind of irreversibility. The paper’s framework recognizes one fundamental irreversible act: the conversion of a finite entropy field into a single committed block. Taproot introduces a second irreversible act at a smaller scale: the silent annihilation of prepared possibility. The unchosen script paths are not explicitly invalidated; they simply vanish from the observable state when the key path is taken. The ledger records that the output was spent. It does not record what else could have spent it.
Landauer’s principle states that erasing information has a thermodynamic cost. In this case, the erasure is performed by the network’s own consensus rules: the key-path spend is valid, therefore the script paths are never checked, therefore their existence is never registered. The cost of this erasure is not paid by the spender. It is paid by every future auditor who attempts to verify the completeness of the ledger’s state space and finds that the space of committed possibilities exceeds the space of revealed ones.
006
What it means for boundedness
The paper’s first and most important rule is the Cardinal Rule: the ledger has finite cardinality.[5] Taproot does not violate this rule. The total supply is unchanged. The keyspace cardinality is unchanged. The block interval and difficulty mechanism are unchanged. At the level of global invariants, Bitcoin remains bounded.
What Taproot changes is the geometric mapping inside that boundedness.
The paper assumes a simple hierarchy: blocks contain UTXOs, UTXOs contain satoshis, and every UTXO is anchored to exactly one identity quantum. This hierarchy made the system legible as a thermodynamic object. The block was a surface of resolution. The UTXO was a point in keyspace. The satoshi was the conserved particle.
Under Taproot, the UTXO is no longer a point. It is a projection. The observable output key Q is the 0-dimensional image of a higher-dimensional commitment structure. The internal key P and the Merkle tree of scripts exist in a space that the ledger can access only if the script path is exercised. When the key path is used, that space is folded away, unobserved, its thermodynamic preparation invisible to verification.
The paper claims: “Any node can verify, from Genesis to the present, that no unit of value has appeared or vanished without passing through the rules.”[1] This remains true for validity. Every satoshi that moves does so under a valid signature or script. But it is no longer true for completeness of observability. A node verifying a key-path spend cannot audit what other conditions were committed to in the MAST tree. The full thermodynamic state of the output — all the work that went into preparing its alternative futures — is cryptographically bound but practically hidden.
This creates what the paper would recognize as an epistemic horizon inside the ledger itself. Not the horizon between mempool and block, between possibility and commitment. But a horizon within the committed state, between what is revealed and what is concealed by the algebraic structure of the output itself.
007
The deeper problem
The Manifold Attack is not a bug in Taproot. It is a consequence of a design choice that optimizes for privacy and efficiency at the cost of structural simplicity. Taproot allows most transactions to look identical on-chain regardless of their internal complexity. This is a genuine improvement over the transparent script hashes of earlier versions. But the improvement is purchased with a debt: the ledger’s observable surface no longer contains a complete description of the state space it encloses.
The paper defines Bitcoin’s volume as the identity manifold because that is the only dimension that exists prior to any resolution event. Time and memory are generated by blocks. Keyspace is the pre-existing container. If the container is allowed to contain objects whose internal structure is hidden from the ledger, then the container is no longer a fully enumerable state domain. The microstates are still finite. But some of them are now latent: real enough to have consumed energy in their preparation, yet inaccessible to the consensus mechanism that is supposed to observe every state transition.
This is not a call to reverse Taproot. The protocol has been deployed, the outputs exist, and the privacy gains are real. It is a recognition that the thermodynamic model of Bitcoin must be updated. The identity manifold is no longer a simple finite field of points. It is a field of points that can be algebraically tweaked to encode hidden trees. The UTXO is no longer a 0-dimensional anchor. It is a 0-dimensional projection of a 1-dimensional (or deeper) commitment object.
The boundedness remains. The cardinality is intact. But the geometry has become more complex than the paper’s original framework assumed. The Manifold Attack — the rogue key with a hidden script path — is simply the most dramatic demonstration of that complexity. It shows that a malicious actor can exploit the new geometry to violate the correspondence between observable boundary and enclosed possibility. The container looks closed. It is not.
The Manifold Attack — ARTEL 21
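
The algebra of sections 002 to 004, as an added Python example that is not part of the article or of any BIP reference code: it checks that k and n − k share an x-coordinate, that the key M = M0 + int(t)G makes the naive sum A + M equal P + int(t)G, and that key-dependent aggregation coefficients break that equality. Assumptions: the secrets are constructed, `coeff_agg` and its `demo/coeff` tag are hypothetical and simplified (not BIP 327), and the arithmetic follows the article's formula on full points, omitting BIP 341's even-y normalisation of P.

```python
import hashlib

p = 2**256 - 2**32 - 977  # secp256k1 field prime; n = group order, G = generator
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None or Q is None: return P or Q
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0: return None
    if P == Q: lam = 3 * P[0] * P[0] * pow(2 * P[1], -1, p) % p
    else: lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p
    x = (lam * lam - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)

def mul(k, P=G):
    """Double-and-add scalar multiplication (demo only, not constant time)."""
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def tagged(tag, msg):  # BIP 340 tagged hash
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def xb(P): return P[0].to_bytes(32, "big")  # x-only serialisation drops y

def tweak(P, M0):
    """int(t) for internal key P and a one-leaf tree holding <M0> OP_CHECKSIG."""
    script = b"\x20" + xb(M0) + b"\xac"
    root = tagged("TapLeaf", b"\xc0" + bytes([len(script)]) + script)
    return int.from_bytes(tagged("TapTweak", xb(P) + root), "big")

def coeff_agg(A, M):
    """Hypothetical MuSig-style aggregation: each key scaled by H(all keys, key)."""
    L = b"".join(sorted([xb(A), xb(M)]))
    c = lambda X: int.from_bytes(tagged("demo/coeff", L + xb(X)), "big") % n
    return add(mul(c(A), A), mul(c(M), M))

a, m0 = 0xA11CE, 0xB0B5EED            # constructed secrets, illustration only
A, M0 = mul(a), mul(m0)
P = add(A, M0)                        # internal key P = A + M0
M = add(M0, mul(tweak(P, M0)))        # M = M0 + int(t)G, the key handed to Alice
COMMIT = add(P, mul(tweak(P, M0)))    # P + int(t)G (even-y lift of P omitted)
print("k and n-k share x:", mul(a)[0] == mul(n - a)[0])
print("naive:", add(A, M) == COMMIT, "coefficients:", coeff_agg(A, M) == COMMIT)
```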



