{"id":20621,"date":"2019-01-25T04:19:05","date_gmt":"2019-01-25T04:19:05","guid":{"rendered":"http:\/\/ci027cfe6e700f26c3"},"modified":"2025-01-28T16:07:52","modified_gmt":"2025-01-28T16:07:52","slug":"taproot-coming-what-it-and-how-it-will-benefit-bitcoin","status":"publish","type":"post","link":"https:\/\/bitcoinmagazine.com\/technical\/taproot-coming-what-it-and-how-it-will-benefit-bitcoin","title":{"rendered":"Taproot Is Coming: What It Is, and How It Will Benefit Bitcoin"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div><figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2025\/01\/taproot-is-coming-what-it-is.jpg\" title=\"\"><\/figure>\n<p>Bitcoin users may, before long, be able to benefit from a trick called \u201cTaproot.\u201d First <a href=\"https:\/\/lists.linuxfoundation.org\/pipermail\/bitcoin-dev\/2018-January\/015614.html\" target=\"_blank\" rel=\"noopener\">proposed<\/a> by Bitcoin Core contributor and former Blockstream CTO Gregory Maxwell, Taproot would expand on Bitcoin\u2019s smart contract flexibility, while offering more privacy in doing so. Even the most complex smart contracts would, on the blockchain, typically be indistinguishable from regular transactions.<\/p>\n<p>While a big undertaking, this is not just theory. 
Several of the most prolific Bitcoin Core contributors \u2014 including Pieter Wuille, Anthony Towns, Johnson Lau, Jonas Nick, Andrew Poelstra, Tim Ruffing, Rusty Russell and, indeed, Gregory Maxwell \u2014 are working on a <a href=\"https:\/\/bitcoinmagazine.com\/articles\/the-power-of-schnorr-the-signature-algorithm-to-increase-bitcoin-s-scale-and-privacy-1460642496\">Schnorr signature<\/a> proposal that would include Taproot, all in one protocol upgrade.<\/p>\n<p>Here\u2019s what Taproot is and how it works.<\/p>\n<h2><strong>P2SH<\/strong><\/h2>\n<p>All bitcoins are essentially \u201clocked up\u201d in scripts: a couple of lines of code, embedded in a transaction included in the blockchain, that define how the coins can be spent in the next transaction. Spending conditions usually involve providing a signature to prove ownership of the coins. But other well-known conditions include, for example, timelocks (coins can only be spent after a specific block height or date) or multisig (coins can only be spent if some number of private keys out of a set of private keys provide signatures).<\/p>\n<p>Different conditions can be mixed and matched to create complex types of smart contracts. An example of such a contract could be that coins can be spent if both Alice and Bob sign, <em>or<\/em> if Alice alone signs after a week has passed, <em>or<\/em> if Bob alone signs while also providing a secret number. Whichever of these three conditions is met first determines how the coins are spent.<\/p>\n<p>Since 2012, scripts (the conditions) are often not publicly visible at first; only the new owner of the coins knows how they can be spent. This is done with a trick called P2SH (pay to script hash), where initially only a hash of the script is included in the blockchain. This seemingly randomly scrambled number holds the coins. When the owner spends the coins, he reveals the whole script <em>as well as<\/em> the \u201csolution\u201d to the script at the same time. 
Anyone can then use the initial hash to check that the supplied script was indeed the original script locking up the coins and can immediately conclude that the requirements of the script were met.<\/p>\n<p>Still, when the coins are spent, it\u2019s currently necessary to reveal all the possible conditions that could have been met \u2014 including the conditions that weren\u2019t met. This has two main downsides. One, it\u2019s data heavy, especially if there are many conditions. And two, it\u2019s bad for privacy. Everyone learns all the different ways in which funds could have been spent, which can, for example, reveal what kind of wallet was used and perhaps even more.<\/p>\n<h2><strong>MAST<\/strong><\/h2>\n<p><a href=\"https:\/\/bitcoinmagazine.com\/articles\/the-next-step-to-improve-bitcoin-s-flexibility-scalability-and-privacy-is-called-mast-1476388597\">MAST<\/a> (Merkelized Abstract Syntax Tree) is a proposed solution that uses Merkle trees (a decades-old, compact data structure invented by cryptographer Ralph Merkle) to work around these two downsides. In short, all the different conditions under which the funds can be spent are <em>individually<\/em> hashed (as opposed to combined into a single hash) and included in a Merkle tree, which ultimately produces a single hash: the Merkle root. This Merkle root \u201clocks up\u201d the coins.<\/p>\n<p>The unique benefit is that if <em>any<\/em> of the data in the Merkle tree is revealed, the Merkle root and some additional data (called the Merkle path) can be used to verify that that specific data was included in the Merkle tree. The rest of the Merkle tree remains hashed and hidden.<\/p>\n<p>With MAST, this means that only the condition that is met needs to be revealed. If, in the initial example above, Alice alone spends the funds after a week, she just reveals that condition (and the Merkle path). 
No one learns that the money could have also been spent by Alice and Bob together, or by Bob alone if he\u2019d added a secret number. This makes MAST more data efficient than complex P2SH smart contracts and adds privacy to boot.<\/p>\n<p>Yet with Schnorr, Taproot can do even better: a transaction can hide that a MAST-structure existed at all.<\/p>\n<h2><strong>Schnorr<\/strong><\/h2>\n<p>The Schnorr signature scheme has long been on the wishlist of many Bitcoin developers and is currently in development to be deployed as a soft fork protocol upgrade. Many cryptographers consider the Schnorr signature scheme to be the best in the field, as its mathematical properties offer a strong level of correctness, it doesn\u2019t suffer from malleability and is relatively fast to verify.<\/p>\n<p>As its best-known benefit in the context of Bitcoin, Schnorr\u2019s \u201clinear math\u201d allows for signature aggregation: several signatures in the same transaction can be combined into one. A similar trick could be applied to multisig transactions. Combining both public keys and signatures into \u201cthreshold public keys\u201d and \u201cthreshold signatures,\u201d a multisig transaction can be made indistinguishable from any regular transaction.<\/p>\n<p>And the signature scheme can be used in even more interesting ways. For example, it\u2019s possible to use data to \u201ctweak\u201d both a private key and a public key. As a simplified example, a private key and its corresponding public key could be tweaked by multiplying both by two. 
The \u201cprivate key x 2\u201d and the \u201cpublic key x 2\u201d would still correspond, and the \u201cprivate key x 2\u201d could still sign messages that could be verified with the \u201cpublic key x 2.\u201d Anyone unaware that the original key pair was tweaked wouldn\u2019t even see any difference; the tweaked keys look like any other key pair.<\/p>\n<p>This is what enables Taproot.<\/p>\n<h2><strong>Taproot<\/strong><\/h2>\n<p>Taproot is based on an interesting realization: no matter how complex, almost any MAST-construction could (or should) include a condition that allows all participants to agree on the outcome and simply sign off on a settlement transaction together. In the earlier example, if Bob knows Alice can, by herself, claim all the funds next week, he might as well cooperate with her now to sign off together. (In many typical smart contract setups he would even be penalized if he doesn\u2019t. The complexity really just serves to keep everyone honest.)<\/p>\n<p>Taproot resembles MAST and <em>always<\/em> includes a condition where all participants can cooperate to spend the funds: the \u201ccooperative close.\u201d<\/p>\n<p>By utilizing Schnorr signatures, this is where it gets interesting.<\/p>\n<p>First off, the cooperative close would utilize Schnorr\u2019s threshold trick to make it look like a regular transaction, from one person to another. So, the public keys of all participants are added together, resulting in the \u201cthreshold public key.\u201d Corresponding with this threshold public key, the combination of all participants\u2019 signatures \u2014 their \u201cthreshold signature\u201d \u2014 allows them to spend the funds.<\/p>\n<p>So far so good, but spending the funds as if it were a normal transaction is the only thing they can do \u2014 no MAST-like structures yet. 
That\u2019s where the other Schnorr trick comes in.<\/p>\n<p>All the alternative ways in which the funds can be spent \u2014 the non-cooperative outcomes \u2014 are this time combined into a different script. This script, then, is hashed and used to <em>tweak<\/em> the threshold public key. Rather than \u201cpublic key x 2,\u201d as used in the example earlier, this results in a \u201cthreshold public key x script.\u201d (We\u2019re still simplifying.) This \u201cthreshold public key x script\u201d corresponds, of course, to a \u201cthreshold signature x script.\u201d<\/p>\n<p>Now, if the money is spent cooperatively, all participants combine their signatures into the \u201cthreshold signature\u201d and tweak it with the script. The resulting \u201cthreshold signature x script\u201d allows them to spend the funds. Yet, and importantly, to the outside world, all this would still just look like a regular public key and a regular signature \u2014 a regular transaction.<\/p>\n<p>Only if a cooperative close proves impossible is the threshold public key shown for what it really is: tweaked.<\/p>\n<p>In this case, both the <em>original<\/em> threshold public key and the script are revealed. This proves that the \u201cthreshold public key x script\u201d was tweaked with this specific script. So, like the hash in P2SH, the <em>tweak<\/em> proves to the world that the funds should be spendable if the alternative conditions, as specified in this script, are met. (And, as with P2SH, these conditions are of course immediately met to spend the funds.)<\/p>\n<p>Alternatively, instead of tweaking the threshold public key with a script, the threshold public key can be tweaked with a Merkle root of a Merkle tree that includes all the different conditions under which the funds can be spent: a MAST structure. 
To spend the funds, then, only the spending condition that\u2019s been met needs to be revealed.<\/p>\n<p>As such, Taproot offers all the benefits of MAST, while under normal circumstances no one will ever know that a regular transaction was hiding such a complex smart contract as a fallback.<\/p>\n<p><em>This is a general outline of the Taproot concept; implementation specifics may vary. For more details, read <\/em><a href=\"https:\/\/lists.linuxfoundation.org\/pipermail\/bitcoin-dev\/2018-January\/015614.html\" target=\"_blank\" rel=\"noopener\"><em>the original Taproot proposal<\/em><\/a><em> by Gregory Maxwell or watch <\/em><a href=\"https:\/\/www.youtube.com\/watch?v=YSUVRj8iznU&amp;feature=youtu.be\" target=\"_blank\" rel=\"noopener\"><em>this presentation<\/em><\/a><em> by Pieter Wuille.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Taproot would expand on Bitcoin\u2019s smart contract flexibility, while offering more privacy in doing so.<\/p>\n","protected":false},"author":2509,"featured_media":15987,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[2744,73,1141,1279,1075],"class_list":{"0":"post-20621","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technical","8":"tag-mast","9":"tag-privacy","10":"tag-schnorr","11":"tag-smart-contracts","12":"tag-taproot"},"author_data":{"id":2509,"name":"Aaron van 
Wirdum","nicename":"aaron-van-wirdum","avatar_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/12\/aaron-van-wirdum-96x96.jpg"},"featured_image_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/taproot-is-coming-what-it-is.jpg","_links":{"self":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/20621","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/users\/2509"}],"replies":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/comments?post=20621"}],"version-history":[{"count":0,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/20621\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media\/15987"}],"wp:attachment":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media?parent=20621"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/categories?post=20621"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/tags?post=20621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}