What Is Taproot and How Will It Benefit Bitcoin?
- Taproot is a proposed upgrade to Bitcoin which will introduce several new features.
- Taproot will integrate the Schnorr digital signature scheme into Bitcoin, upgrading Bitcoin’s core cryptography.
- Taproot builds on the SegWit upgrade to improve Bitcoin’s privacy and lower transaction fees.
- Taproot makes future Bitcoin upgrades easier by reforming Bitcoin’s scripting language.
Taproot is a proposed upgrade to Bitcoin which will bring several new features and benefits to Bitcoin users. The Bitcoin community is hoping to activate Taproot in the near future, although its activation path is still unclear.
The Taproot upgrade is actually composed of three Bitcoin Improvement Proposals (BIPs) which define three distinct upgrades to the Bitcoin protocol: Schnorr Signatures, Taproot, and Tapscript. Collectively, these three upgrades are known as the Taproot upgrade, and BIPs 340, 341, and 342 are often referred to together as BIP Taproot. Together, these upgrades introduce new, more efficient, flexible, and private ways of transferring bitcoin.
BIP 340 introduces Schnorr signatures for use in Bitcoin. Schnorr signatures will bring several benefits to Bitcoin users, including superior privacy, lower fees, and more flexible multisig.
This BIP also specifies how Schnorr public keys and signatures are to be encoded for use in Bitcoin. Public keys used for Schnorr signatures are 32 bytes long, compared to ECDSA’s 33-byte public keys. Additionally, Schnorr signatures are 65 bytes long, compared to ECDSA signatures, which range from 71-72 bytes, including a sighash flag. These small space savings offer fee savings to Bitcoin users who adopt Taproot.
While BIP 340 defines the specification for generating and encoding Schnorr signatures and public keys, BIP 341 defines how Bitcoin’s protocol will integrate Schnorr signatures. Specifically, Bitcoin Script must be updated to also evaluate Schnorr signatures. Taproot also integrates Merkelized Alternative Script Trees (MAST), which allow users to lock outputs to multiple scripts.
Taproot also introduces a new script type, a way of spending bitcoin. Pay-to-Taproot (P2TR) allows users to pay to either a Schnorr public key or the Merkle root of a variety of other scripts. Using this new script type, a user can create a UTXO which can be unlocked and spent by either the owner of the private key or anyone who can satisfy the requirements of any script within the Merkle tree.
Schnorr’s key aggregation feature enables this flexible functionality. When bitcoin is sent to a P2TR output, it is locked to a single public key, called Q. However, this public key Q is actually an aggregation of a public key P and a public key formed from the Merkle root of many other script types. Any of the alternative scripts in the Merkle tree can be used to spend the output.
This design allows users to choose between complex, arbitrary scripts as well as simple pay-to-public-key functionality at the time of spending, rather than at the time of receiving. It also makes all Taproot outputs look similar. Because multisig outputs, single sig outputs, and other complex smart contracts all look the same on the blockchain, many chain analysis heuristics will become unusable, preserving privacy for all Taproot users.
In order to implement P2TR transactions, BIP 342 adds and updates several opcodes. These opcodes are used to verify Taproot spends and Schnorr signatures, and they are collectively known as Tapscript.
Tapscript was designed to maximize future flexibility of P2TR spending in order to allow for upgrades which are not yet foreseen.
The Benefits of Taproot
The Taproot upgrade offers many benefits to Bitcoin users who adopt Taproot as well as those who do not. The introduction of Schnorr signatures offers significant benefits to privacy and security, but Taproot and Tapscript also bring advantages of their own.
Most Taproot (P2TR) outputs consume less space on the blockchain than normal P2PKH outputs, but are slightly larger than P2WPKH outputs. This is mostly due to the fact that P2TR outputs lock bitcoin directly to a public key, not the hash of the public key. This makes sending to Taproot outputs slightly more expensive, because public keys take up more space than public key hashes. However, spending Taproot outputs is significantly cheaper because the public key is included in the scriptPubKey, and thus does not need to be included in the Script Witness.
Taproot also defines the encoding scheme for Schnorr public keys and signatures, making them shorter than their ECDSA counterparts and providing additional fee savings.
The privacy implications of Taproot are perhaps the most important part of the upgrade. By introducing Schnorr signatures and key aggregation, multisignature contracts no longer look different from single signature contracts, providing privacy to all Taproot users.
Taproot also introduces significant privacy benefits through the integration of MAST. As discussed above, Taproot allows bitcoin to be locked to many scripts at once. However, when spending bitcoin from a Taproot output, the spender need not reveal every possible script that could have unlocked the bitcoin; only the script which they actually used. In the majority of cases, Taproot users will likely use the pay-to-public-key option, allowing them to keep any backup options they might have planned private.
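The key construction and selective reveal described above (Q built from the public key P and the Merkle root, and a spend that discloses only the script actually used), shown as an added example that is not from the original article or from Bitcoin Core. It follows the BIP 341 tagged-hash and tweak rules in pure Python; the toy scalars 5, 2 and 3 and the two `<key> OP_CHECKSIG` leaf scripts are constructed for illustration.

```python
import hashlib

p = 2**256 - 2**32 - 977  # secp256k1 field prime; n is the group order, G the generator
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % p == 0: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, p) if a == b
           else (b[1] - a[1]) * pow((b[0] - a[0]) % p, -1, p)) % p
    x = (lam * lam - a[0] - b[0]) % p
    return x, (lam * (a[0] - x) - a[1]) % p

def mul(k, pt):  # double-and-add; not constant time, illustration only
    r = None
    while k:
        r, pt, k = (add(r, pt) if k & 1 else r), add(pt, pt), k >> 1
    return r

def tagged_hash(tag, msg):  # BIP 340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()
def tapleaf(script, version=0xC0):  # one-byte length prefix, so scripts under 253 bytes only
    return tagged_hash("TapLeaf", bytes([version, len(script)]) + script)
def tapbranch(a, b):  # children are sorted, so a proof needs no left/right flags
    return tagged_hash("TapBranch", min(a, b) + max(a, b))

def lift_x(x):  # x-only key -> curve point with even y; rejects x values off the curve
    y = pow(pow(x, 3, p) + 7, (p + 1) // 4, p)
    if (y * y - x**3 - 7) % p: raise ValueError("x is not on the curve")
    return x, (y if y % 2 == 0 else p - y)

def output_key(internal_x, merkle_root):  # Q = P + H_TapTweak(P || root) * G
    t = int.from_bytes(tagged_hash("TapTweak", internal_x + merkle_root), "big")
    if t >= n: raise ValueError("tweak out of range")
    Q = add(lift_x(int.from_bytes(internal_x, "big")), mul(t, G))
    return Q[0].to_bytes(32, "big"), Q[1] & 1  # x-only output key and its y parity

def verify_script_path(q_x, parity, internal_x, script, path):
    node = tapleaf(script)
    for sibling in path: node = tapbranch(node, sibling)  # only sibling hashes are revealed
    return output_key(internal_x, node) == (q_x, parity)

# Constructed demo data: internal key from toy scalar 5, two <key> OP_CHECKSIG leaves.
xonly = lambda k: mul(k, G)[0].to_bytes(32, "big")
P, script_a, script_b = xonly(5), b"\x20" + xonly(2) + b"\xac", b"\x20" + xonly(3) + b"\xac"
Q_X, PARITY = output_key(P, tapbranch(tapleaf(script_a), tapleaf(script_b)))
```

A verifier given `script_a` and only the hash of its sibling leaf recomputes the same output key, so `script_b` never has to appear on chain.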
On a technical, theoretical level, Schnorr signatures are considered more secure than ECDSA signatures because Schnorr signatures are provably secure using fewer assumptions. Like all elliptic curve cryptography schemes, both ECDSA and Schnorr rely on the assumption that the Discrete Logarithm Problem is hard. However, ECDSA relies on additional assumptions in order to guarantee its security. Nonetheless, there have been no examples of ECDSA being systematically compromised during Bitcoin’s existence.
Schnorr signatures also eliminate any signature malleability that might have been present in ECDSA signatures. While transaction malleability was solved by the SegWit upgrade, malleability of signatures persisted as a feature of ECDSA.
As of now, Taproot is still a proposed upgrade, and has not yet been activated on the Bitcoin network. When an upgrade to Bitcoin is proposed, it is first discussed by the developer community. Once the proposal is formalized, it is assigned a BIP number. After the code is written, reviewed, tested, and merged, Bitcoin node operators must decide how and when to activate the upgrade.
The Schnorr, Taproot, and Tapscript upgrades were assigned BIP numbers 340, 341, and 342 in January of 2020, and have been under discussion and development since. In late 2020, the code implementation for all three upgrades was completed, tested, reviewed, and merged to Bitcoin Core.
As it currently stands, all of the necessary code exists to implement Taproot on an up-to-date Bitcoin node. Now, the community must decide on whether and how to activate Taproot and start enforcing the new consensus rules. There are several methods for activating upgrades to Bitcoin, so the community must first select a path and then execute it.
Bitcoin Activation Paths
BIP 8 and BIP 9 define two popular methods for activating upgrades. Both processes begin by surveying Bitcoin miners for support. If an overwhelming majority of miners signal their support through messages in the blocks they mine, the upgrade is activated. The difference between BIP 8 and BIP 9 arises if miner support is insufficient. In that case, BIP 9 specifies that the upgrade should not take place, while BIP 8 specifies that the upgrade should be activated after a delay period.
Variants of these two proposals have been put forward in the context of Taproot activation. However, the Bitcoin community has overwhelmingly supported Taproot, and very little criticism has been raised. Thus, the specific activation path is likely insignificant.