Bitcoin Taproot Upgrade Coming Soon: What Are Its Origins, Contents, and Impacts?

Wu said the author   |   Yuan Ben

Editor of this issue   |   Colin Wu

In the near future (around November 14, 2021), Bitcoin will have its own important soft fork upgrade Taproot. More than 90% of miners have agreed to this upgrade, so it is unlikely that there will be a community fork debate like the SegWit upgrade. It seems that this upgrade has not attracted much attention, but there are also many articles calling it the most important upgrade.

What exactly is the Taproot upgrade, and is it actually something to get excited about?

Taproot itself means taproot plants, which is roughly like the picture below. Gregory Maxwell, the proposer of Taproot, explained that he hopes that in the process of Bitcoin transaction payment, it can be like taproot plants, focusing on the big taproot and hiding those unnecessary small branches.

The road to the impossible triangle

No matter what kind of blockchain is upgraded, what is ultimately solved is the impossible triangle problem in the blockchain. The impossible triangle theory in the blockchain world was proposed by Vitalik in an article titled "On sharding blockchains". It means that it is very difficult to achieve the three conditions of decentralization, security, and performance (efficiency, scalability) in a blockchain network at the same time. Often, the reality is that when we improve two conditions, we have to sacrifice the third condition.

The Taproot upgrade is not out of this big framework. The Taproot upgrade mainly corresponds to two aspects. The first purpose is to further improve its anonymity, that is, to further improve security. The other is to improve the performance of transactions by changing the data structure of the block itself and reduce unnecessary data burden in transactions.

Breaking Down Taproot

The Taproot upgrade is a collective name for three complementary BIPs, including Schnorr signatures (BIP 340), Taproot (BIP 341) and TapScript (BIP 342).

Schnorr Signatures

The Schnorr signature was proposed by German cryptographer Claus Schnorr, but due to patent reasons, the Schnorr signature was not available for free until 2008. This caused Bitcoin, which was born in 2008, to miss out on it (referring to the original paper published in 2008) and adopted the ECDSA signature instead.

At present, Schnorr signatures have almost surpassed ECDSA signatures in terms of performance and security. More importantly, Schnorr and ECDSA use the same elliptic curve algorithm, so it is easier to implement upgrades. The most eye-catching part of Schnorr is the aggregate signature that acts on the transaction output level.

Under multi-signature conditions, we often need to put multiple signatures into the transaction data, especially when there are many signatures, which will bring a lot of transaction fees and memory burden. However, using aggregate signatures, we can combine multiple signatures into one signature, as shown in the figure below.

Similarly, under Schnorr signatures, public keys can also be aggregated, which greatly improves the performance of the Bitcoin network during transactions.

When verifying, traditional ECDSA can only support one-to-one verification, but Schnoor, thanks to its aggregation concept, can perform batch verification on nodes.

Taproot

We know that anonymity has always been an important security issue pursued by Bitcoin. At the address level, although the pseudo-anonymity of Bitcoin addresses has isolated the physical world identity and the on-chain world address to a certain extent, the types of addresses for different transactions are very clearly separated. The transaction types of the following addresses are clear at a glance, which makes it possible for attackers to analyze the addresses of transactions.

The goal of Taproot is to enhance the anonymity of Bitcoin addresses, making all addresses look the same and you cannot analyze the type of transaction from the address. Using Taproot, you can merge independent P2PKH and P2SH, making them indistinguishable from each other, but the transaction fees they bear are the same, which is exactly what Schnorr's idea is.

At the same time, Taproot uses Schnorr to create a Merkle Abstract Syntax Tree (MAST, a data structure that combines an abstract syntax tree and a Merkle tree). In the previous case, suppose we have a transaction, and the condition set by this transaction is that user A can use the transaction within the first 30 days of the transaction initiation, and user B can use the transaction 30 days after the transaction is initiated. In the end, no matter who uses the transaction, the information of users A and B will be exposed, which is obviously unnecessary.

In MAST, only the user who used the transaction will be exposed, and the information of the other user will be hidden, which greatly protects the user's privacy.

TapScript

BIP 342 is about the implementation of Taproot script. It adds some opcodes for executing and deploying Taproot, Schnorr, soft fork and other code-level functions, such as "OP_CHECKSIGADD". Inefficient opcodes such as "OP_CHECKMULTISIG" and "OP_CHECKMULTISIGVERIFY" are disabled. "OP_CHECKSIG" and "OP_CHECKSIGVERIFY" are revised to provide Schnorr functions. Overall, the content of Bitcoin script is improved to adapt to Taproot upgrades.

Summarize

In summary, the Taproot upgrade does have some highlights, but Taproot is more like a refinement and supplement to the legacy issues of SegWit, just as described in the summary of bip-0341: "This document proposes a new SegWit version 1 output type..." This is just a new solution to the SegWit output level.

Another problem is that the Taproot upgrade is a soft fork, and the actual activation of Schnorr will not begin until next year, so the upgrade process of Taproot itself will not happen overnight. If P2TR (the address under Taproot) fails to become mainstream, then P2TR has obviously not achieved its purpose of anonymity from other addresses.

In addition, there is a voice questioning the actual effect of Taproot, which believes that Taproot will cause address space fragmentation, making it easier for attackers to analyze.

For ordinary users, the most intuitive benefit of Taproot is that it reduces transaction fees and improves the anonymity and efficiency of transactions. In any case, what impact will the Taproot upgrade have on Bitcoin and whether it can achieve the expected goals, only time will tell.