Taproot Upgrade

Bitcoin Soft-Fork Introduced in 2021

The Taproot Upgrade is a soft-fork introduced in 2021 that provides the network with increased security, flexibility, and scalability. It is the most significant upgrade to the network since the 2017 SegWit upgrade.

The Taproot Upgrade is the combination of three distinct Bitcoin Improvement Proposals (BIPs): BIP 340, which introduces Schnorr Signatures, BIP 341, which introduces a Taproot framework for using these signatures for transactions, and BIP 342, which updates Script with opcodes that support the Taproot framework [1].

Implementation

BIP 340: Schnorr Signatures

Bitcoin has historically relied on ECDSA signatures, which have malleability issues that pose security risks [2]. One of the most important parts of the Taproot Upgrade is the introduction of Schnorr Signatures [3], a new signature scheme that holds several advantages over ECDSA, including:

  1. Provable security – Schnorr signatures have much stronger security properties than ECDSA, and are “strongly unforgeable under chosen message attack” (SUF-CMA). This means that even if an attacker has an arbitrary sample of valid signatures by a single party, they cannot “reverse-engineer” the secret key used to generate these signatures.

  2. Non-malleability – Because of the SUF-CMA property of Schnorr signatures, they do not suffer from the malleability issues of ECDSA signatures.

  3. Efficient signature aggregation – it is very easy to compute a single aggregate signature for multiple parties using Schnorr signatures, based on the sum of the parties’ public keys. This makes Schnorr signatures much more efficient than ECDSA for multisig wallets, while also offering greater privacy guarantees, as shown in the diagram below:

Within BIP 340, the authors design a mechanism to standardize Schnorr signatures and make them compatible with the existing cryptographic schemes in Bitcoin. This includes using the same elliptic curve and hash functions as the standard Bitcoin ECDSA signatures, and choosing a variant of the Schnorr signature that supports batch verification [3].
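The following is an added illustration of the three properties listed above, not code from the page, from BIP 340 or from Bitcoin Core. It implements BIP 340 signing and verification over secp256k1 in pure Python (tagged hashes, x-only keys, even-y normalisation, the spec's deterministic nonce derivation with fixed auxiliary randomness), and then shows why aggregation is natural: because s = k + e·d is linear, summing the parties' keys, nonces and partial s values yields one signature that verifies under the summed key. The `aggregate_sign` function is a deliberately naive n-of-n construction written for this page; it derives each nonce from the signer's key and the message for reproducibility and does nothing to defend against rogue-key attacks, which is why deployed wallets use MuSig2-style protocols with key tweaking and nonce commitments instead.

```python
"""BIP 340 Schnorr signatures over secp256k1, plus a naive n-of-n key aggregation.
Added illustration for this page; not code from BIP 340 or Bitcoin Core."""
import hashlib

# secp256k1 parameters: field prime, group order, generator
FIELD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, FIELD - 2, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, FIELD - 2, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def point_mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, p)
        p = point_add(p, p)
        k >>= 1
    return acc

def tagged_hash(tag, data):
    """BIP 340 domain separation: SHA256(SHA256(tag) || SHA256(tag) || data)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()

def lift_x(x):
    """Decode an x-only key to the curve point with even y (BIP 340 convention)."""
    if x >= FIELD:
        return None
    y_sq = (pow(x, 3, FIELD) + 7) % FIELD
    y = pow(y_sq, (FIELD + 1) // 4, FIELD)
    if y * y % FIELD != y_sq:
        return None
    return (x, y if y % 2 == 0 else FIELD - y)

def has_even_y(p):
    return p[1] % 2 == 0

def xbytes(p):
    return p[0].to_bytes(32, "big")

def int_of(b):
    return int.from_bytes(b, "big")

def pubkey(seckey):
    """32-byte x-only public key."""
    return xbytes(point_mul(seckey, G))

def sign(seckey, msg, aux=bytes(32)):
    """BIP 340 signing with the spec's deterministic nonce derivation."""
    P = point_mul(seckey, G)
    d = seckey if has_even_y(P) else N - seckey   # negate so P has even y
    t = (d ^ int_of(tagged_hash("BIP0340/aux", aux))).to_bytes(32, "big")
    k0 = int_of(tagged_hash("BIP0340/nonce", t + xbytes(P) + msg)) % N
    if k0 == 0:
        raise ValueError("nonce derivation failed")
    R = point_mul(k0, G)
    k = k0 if has_even_y(R) else N - k0           # negate so R has even y
    e = int_of(tagged_hash("BIP0340/challenge", xbytes(R) + xbytes(P) + msg)) % N
    return xbytes(R) + ((k + e * d) % N).to_bytes(32, "big")

def verify(pubkey_x, msg, sig):
    """BIP 340 verification: s*G - e*P must equal a point with even y and x == r."""
    P = lift_x(int_of(pubkey_x))
    r, s = int_of(sig[:32]), int_of(sig[32:])
    if P is None or r >= FIELD or s >= N:
        return False
    e = int_of(tagged_hash("BIP0340/challenge", sig[:32] + pubkey_x + msg)) % N
    R = point_add(point_mul(s, G), point_mul(N - e, P))
    return R is not None and has_even_y(R) and R[0] == r

def aggregate_sign(seckeys, msg):
    """Naive n-of-n aggregation (assumed construction for this page, NOT rogue-key
    safe): combined key = sum of keys, combined nonce = sum of nonces, s = sum of
    partial s values. Nonces are derived from key and message for reproducibility."""
    Q = None
    for d in seckeys:
        Q = point_add(Q, point_mul(d, G))
    ds = seckeys if has_even_y(Q) else [N - d for d in seckeys]   # all negate together
    ks = [int_of(tagged_hash("BIP0340/nonce", d.to_bytes(32, "big") + msg)) % N for d in ds]
    R = None
    for k in ks:
        R = point_add(R, point_mul(k, G))
    ks = ks if has_even_y(R) else [N - k for k in ks]
    e = int_of(tagged_hash("BIP0340/challenge", xbytes(R) + xbytes(Q) + msg)) % N
    s = sum((k + e * d) % N for k, d in zip(ks, ds)) % N
    return xbytes(Q), xbytes(R) + s.to_bytes(32, "big")
```

Two things worth trying on the block: negating `s` (the classic ECDSA malleation, where `(r, n - s)` is also valid) makes a Schnorr signature fail verification, which is the non-malleability point above; and the aggregate signature returned by `aggregate_sign` verifies with the ordinary single-key `verify`, so a verifier cannot tell a 3-of-3 from a 1-of-1.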

BIP 341: Taproot

BIP 341 is the main proposal after which the “Taproot upgrade” is named. Its main purpose is to introduce a general framework that allows for the integration of several complementary mechanism proposals, such as Schnorr Signatures (BIP 340), Merklized Alternative Script Trees (MAST, BIP 114), and the Pay-to-Taproot (P2TP) merging of pay-to-pubkey and pay-to-scripthash policies [4].

MASTs

Merklized Alternative Script Trees (MASTs) [5] are data structures that succinctly encapsulate all possible scripts needed to unlock a UTXO (unspent transaction output). Suppose that there are three separate ways to unlock a given UTXO. Instead of writing out every individual script, a MAST allows the user to use a single Merkle tree to capture all three of these possible scripts, and the recipient only needs to submit a Merkle proof of the redeem script they are using to guarantee that it is covered in the MAST. This can be seen in the following diagram:
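As an added example (not code from the page, BIP 114 or BIP 341), the three-script case described above can be worked through concretely. The block uses the BIP 341 leaf and branch hashing conventions (the `TapLeaf` and `TapBranch` tagged hashes, with the two children of a branch sorted so that a proof needs no left/right flags) and builds a tree over three constructed placeholder scripts; the scripts are arbitrary bytes shaped like `<32-byte key> OP_CHECKSIG` and are not real keys. `build_tree` returns the root and one proof per leaf, and `verify_proof` shows that a spender reveals only the script being used plus its sibling hashes, never the other scripts.

```python
"""Merklized script tree with BIP 341-style TapLeaf/TapBranch hashing.
Added illustration for this page; not the reference implementation."""
import hashlib

LEAF_VERSION = 0xC0  # tapscript leaf version used by BIP 342

def tagged_hash(tag, data):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()

def compact_size(n):
    """Bitcoin varint encoding of a length."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")

def tapleaf_hash(script, version=LEAF_VERSION):
    return tagged_hash("TapLeaf", bytes([version]) + compact_size(len(script)) + script)

def tapbranch_hash(a, b):
    # Children are ordered lexicographically, so a proof is just a list of siblings.
    if b < a:
        a, b = b, a
    return tagged_hash("TapBranch", a + b)

def build_tree(scripts):
    """Build a tree over the leaf scripts. Returns (root, proofs) where proofs[i]
    is the list of sibling hashes from leaf i up to the root. An odd node at a
    level is carried up unchanged, which BIP 341 permits (trees need not be balanced)."""
    proofs = [[] for _ in scripts]
    level = [(tapleaf_hash(s), [i]) for i, s in enumerate(scripts)]  # (hash, leaves below)
    while len(level) > 1:
        nxt = []
        for j in range(0, len(level) - 1, 2):
            (ha, ia), (hb, ib) = level[j], level[j + 1]
            for i in ia:
                proofs[i].append(hb)
            for i in ib:
                proofs[i].append(ha)
            nxt.append((tapbranch_hash(ha, hb), ia + ib))
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0][0], proofs

def verify_proof(root, script, proof):
    """Recompute the root from one revealed script and its sibling hashes."""
    h = tapleaf_hash(script)
    for sibling in proof:
        h = tapbranch_hash(h, sibling)
    return h == root

# Constructed placeholder scripts: "<32-byte x-only key> OP_CHECKSIG" with dummy key bytes.
SCRIPTS = [b"\x20" + bytes([i]) * 32 + b"\xac" for i in (1, 2, 3)]
```

With three leaves the first two are paired and the third is carried up, so the proofs for leaves 0 and 1 have two siblings and the proof for leaf 2 has one. A verifier handed the root, one script and its proof learns nothing about the sibling scripts beyond their hashes, which is the privacy property the text describes.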

Pay-to-Taproot (P2TP): Unification of P2PKH and P2SH

Bitcoin has historically had multiple address types for payment, with two of the most prominent being pay-to-pubkey-hash (P2PKH), where a user directly sends a payment to another user’s “wallet address,” and pay-to-scripthash (P2SH), where the user sends a payment to a Bitcoin Script that defines the unlock criteria for redeeming the transaction.

Pay to Taproot (P2TP) is a method used to unify these two separate architectures. It builds on Schnorr signatures, which provide a simple way to aggregate multiple signatures, as well as on MASTs, which are able to succinctly define multiple unlock conditions. P2TP therefore provides an abstraction layer in which a user no longer needs to specify whether a transaction is P2PKH or P2SH.

Taproot Annex

BIP 341 also introduces an extra “annex” section in the witness. This optional “annex” allows the user to include an extra field with the transaction witness. The section was originally intended to allow future extensions, such as new Script commands, to be backwards compatible with the current version, and as such it allows for extra programmability and flexibility for the Bitcoin network.

BIP 342: Tapscript

The third part of the Taproot Upgrade is BIP 342, which modifies Bitcoin Script commands to make them compatible with BIP 340 and BIP 341. The end goal for this BIP is to bring Schnorr signatures, batch validation, and signature hash improvements to spends that use the script system. Notably, the OP_CHECKSIG and OP_CHECKSIGVERIFY opcodes are modified to support Schnorr signatures. A new opcode, OP_CHECKSIGADD, is also introduced to support multiple signature verification using Schnorr signatures [6].

Impact and Legacy

The Taproot upgrade has had a significant impact on the overall efficiency of the Bitcoin network. Some notable improvements include [7]:

  1. Security and Privacy: The Taproot upgrade enhances Bitcoin security and privacy in multiple ways, including the SUF-CMA properties of Schnorr signatures, as well as forms of abstraction through MASTs and P2TP that make it harder to distinguish between different types of payment.

  2. Scalability: The Taproot upgrade increases the scalability of the Bitcoin blockchain by reducing the number of signature verifications and the amount of data checking necessary, for example through Schnorr signature aggregation (BIP 340, 342) and MASTs. This underlying scalability improvement also benefits higher-level applications, such as the Lightning Network.

  3. Programmability Support: The new opcodes and increased execution efficiency pave the way for increased smart contract programmability, providing more space in the transaction witness that may be used to inscribe arbitrary data, including JSON data, smart contract code, or zero-knowledge proofs. Combined with the new annex section in the transaction, this could potentially create a much more dynamic programmability layer.

References

[1] See: https://bitcoinmagazine.com/technical/understanding-taproot-in-a-simple-way

[2] Discussion of Signature Malleability in BIP 146: https://github.com/bitcoin/bips/blob/master/bip-0146.mediawiki

[3] BIP 340: https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki

[4] BIP 341: https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki

[5] Discussion on MASTs in BIP 114: https://github.com/bitcoin/bips/blob/master/bip-0114.mediawiki

[6] BIP 342: https://github.com/bitcoin/bips/blob/master/bip-0342.mediawiki

[7] https://trustmachines.co/learn/bitcoin-taproot-upgrade-basic-breakdown/

Edited By: Jay Yu
