01 Nov 2021

What is Taproot, the next Bitcoin upgrade?

With more than $1 trillion of market value currently riding on the Bitcoin network, upgrades to the protocol need to be carefully tried and tested. Taproot is arguably the most important and anticipated upgrade to the Bitcoin network since Segwit.
Taproot upgrade
Source: @therationalroot
The Segwit upgrade in 2017 was a controversial upgrade that would divide the community and spawn the Bitcoin Cash hard fork. The fact that Taproot is almost unanimously supported highlights just how significant this coming upgrade is.The Taproot upgrade that goes live on November 14 is comprised of three Bitcoin Improvement Proposals (BIPs) which describe three distinct upgrades to the Bitcoin protocol: Schnorr Signatures, Taproot, and Tapscript. Together, these upgrades are known as the Taproot upgrade– introducing more efficient and private ways of transacting with bitcoin. TL;DR: Taproot is a proposed upgrade of the Bitcoin protocol that promises increased privacy of multi-signature (multi-sig) transactions and to unlock the potential for smart contracts to run on the Bitcoin network. The Taproot upgrade is comprised of Schnorr Signatures, Taproot, and Tapscript, which will make smart contracts on Bitcoin more private and space-saving by aggregating multiple signatures and output them as a single signature.Before getting into the nitty-gritty of how Taproot works, it is important to understand that the Bitcoin network is not private. Considering that Bitcoin is a public ledger, on-chain transactions can be viewed by anyone. While there are ways around this, such as coin mixing and using Tor, these methods are anything but mainstream friendly. That is what Taproot is for—an integrated privacy solution. And this is where things get really technical.
Prerequisite concept: MAST
While many will associate "programmable money" with the Ethereum blockchain, the Bitcoin blockchain boasts its own, although somewhat less expansive, smart contract functionality. Bitcoin uses a simple programming language called Script which allows for conditions to be specified in order for funds to be unlocked, e.g. through a timelock script, a multi-sig, or several conditions.Put simply, Bitcoin transactions work by first locking Bitcoins in a script (or spending conditions), before unlocking and locking them again in new scripts. At present, if Alice sends Bob 1 BTC but wants to set multiple conditions for him to redeem them, then all conditions would be visible on the blockchain. In other words, transactions with multiple conditions may reveal information about the counterparties and reduce privacy. Furthermore, they could be a factor which biased miners use to avoid including the transaction in their blocks.MAST (Merkelized Alternative Script Trees) is a way to hide all spending conditions and reduce the size of the information. Instead of each condition being included in the transaction information, MAST produces a merkelized hash of the information (the merkle root). When Bitcoin is sent to a MAST output, the Bitcoin is locked to the Merkle root of these scripts, and to redeem the bitcoin the spender must reveal the script which they are using to unlock the Bitcoin, as well as proof that this script is included in the Merkle root of the previous transaction. The improvements in privacy and efficiency come from the fact that the spender of a MAST output does not have to reveal all the scripts, only the one they used. No one can see how many there are. No one can see what the others are.MAST has never been implemented in Bitcoin so far because the changes needed are extensive and complex. This is where the Schnorr/Taproot/Tapscript proposal comes in, as a middle ground between simplicity and added functionality.
Note: the abbreviation MAST originally stood for Merklized Abstract Syntax Trees based on merkle trees and abstract syntax trees. Subsequent proposals did not use abstract syntax trees but people continued to use the term “MAST”, leading Anthony Towns to propose the backronym Merklized Alternative Script Trees.
Schnorr Signatures
At present, if one wants to sign a transaction with multiple signatures, each private key owner must compute their signature and include it in the transaction. BIP 340 introduces Schnorr signatures, which enables Bitcoin multi-sig transactions to appear as if they were single signature transactions (Pay-to-Public-Key-Hash, ‘P2PKH’ transactions) on the blockchain. In other words, the Schnorr signature scheme can hide that a MAST-structure existed at all; the transactions will be indistinguishable.This will allow signers to jointly produce a signature rather than having to compute them independently. As such, Taproot will increase privacy while reducing the amount of information and data space, thereby lowering transaction fees and improving scalability.
TapScript is a new form of script that gives Bitcoin smart contracts more flexibility by removing the 10,000-byte size limit, giving developers more freedom to create Bitcoin smart contracts. Instead, script size is implicitly bounded by the block weight limit. It also enables partially executed scripts to have the rest of their execution code hidden until it is used. Consider the Merkle tree of Taproot, where every leaf is a script that is combined with a so-called leaf version—similar to script versioning with SegWit. The key difference is that the scripts are not revealed at time of payment, only at time of spending. Using a specialized Bitcoin script is easily identifiable to outside observers, but with Taproot, all outputs look the same. This enables a new type of payment called Pay-to-Taproot (P2TR), which means that users can pay to either a Schnorr public key or the Merkle root of other scripts. By validating these newer forms of transactions, TapScript provides users with a choice of being anonymous or remaining public.
Key Aggregation
Schnorr’s key aggregation feature is what enables this flexibility. The term key aggregation refers to multi-sigs that look like a single-key signature. When Bitcoin is sent to a P2TR output, it is locked to a single public key, called Q. However, this public key Q is really an aggregation of a public key P, and a public key formed from the Merkle root of many other script types. If the hash is valid, any of the alternative scripts in the Merkle tree can be used to spend the output. Multi-sig outputs, single-sig outputs, and other complex smart contracts will become indistinguishable; thus many on-chain analysis methods will become useless, protecting the privacy for all Taproot users.
Taproot upgrade
Source: @therationalroot
To illustrate an example, consider closing a Lightning channel.The basic implementation of the current Lightning channels is based on a 2-of-2 multi-sig. Instead of closing a channel with a complex script, Schnorr allows signatures to be joined together, which are presented as one Taproot signature. This makes complex transactions more efficient, and to an observer, the channels would look like regular Bitcoin transactions.Since the Taproot upgrade will increase Lightning Network efficiency, it will also allow for increased development on Lightning.
Risk Assessment
As with any technology, a blockchain upgrade involves risk. Taproot will be a soft-fork upgrade, meaning that network participants are not required to update their software to implement the change. Given the expected fee advantages offered by the upgrade, most are likely to embrace it, but that does not imply that the benefits will be realized at scale as soon as Taproot is activated. In the 4 years since the SegWit upgrade, SegWit usage only recently crossed 80%. Almost half of the SegWit adoption happened in 2021.Similar to the SegWit upgrade, wallets and services will have to update to make Taproot functional. Users should therefore not use Taproot until they are convinced that the vast economic majority enforces it. Miners "activating" Taproot means little without users enforcing it: If miners update, but most users do not, miners can revert the upgrade and steal Taproot funds from the minority users. However, as more users enforce Taproot, the positive effects on efficiency and privacy are amplified: the more wallet addresses in a cluster, the more privacy, and the less block space. And there is reason to be positive: Hardware wallets Ledger and Trezor have both announced their support, as have desktop wallets Sparrow and Wasabi, joining broad swathes of the Bitcoin community.
Closing Thoughts
With all of the above, Taproot is an exciting upgrade that is laying the foundation for Bitcoin to continue its growth and development. The scope of the Taproot technical improvements is too big for one article, but the key takeaway is that the Taproot upgrade is set to improve Bitcoin’s functionality and broaden its market. And that is good for both its prospects and its valuation.
Share this article