Taproot - Privacy and Efficiency Through Schnorr Signatures
Taproot is the 2021 Bitcoin upgrade that makes transactions with complex spending conditions look identical to ordinary single-signature payments, improving privacy and efficiency through Schnorr signatures, MAST, and Tapscript.
Taproot is a Bitcoin protocol upgrade activated on November 14, 2021, at block height 709,632. The first major upgrade since SegWit four years earlier, it makes transactions with complex spending conditions look identical to a plain single-signature payment, improving privacy and efficiency at the same time. Taproot consists of three Bitcoin Improvement Proposals (BIPs): BIP340 (Schnorr signatures), BIP341 (Taproot), and BIP342 (Tapscript).
graph TD P["Internal Key"] --> Q["Taproot Output Key
(combined via tweak)"] T["Script Tree
(MAST Merkle root)"] --> Q Q --> K["Key Path Spend
single Schnorr signature"] Q --> S["Script Path Spend
only the used branch revealed"] K --> R["Indistinguishable from
an ordinary payment"] style Q fill:#58a6ff,stroke:#58a6ff,color:#000 style K fill:#3fb950,stroke:#3fb950,color:#000 style R fill:#3fb950,stroke:#3fb950,color:#000 style S fill:#f0883e,stroke:#f0883e,color:#000
The Problem Taproot Solved
Bitcoin spending conditions are expressed in Script. The more complex the condition (single signature, multisig, timelocks), the larger the transaction and the more those conditions are exposed on the blockchain. Anyone could tell whether an output was a 2-of-3 multisig wallet, a Lightning channel, or a simple wallet. This hurt privacy and wasted block space. Taproot fixed this by making the common cooperative case look like a single signature.
Three BIPs
- BIP340 Schnorr signatures: A signature scheme replacing ECDSA. Fixed at 64 bytes, its linearity allows multiple signatures to be combined into one (key aggregation). See the Schnorr Signatures entry below for details.
- BIP341 Taproot: Defines a structure that packs both a key path and a script path into a single output key.
- BIP342 Tapscript: Updates Bitcoin Script for the Taproot environment and introduces a versioning scheme that makes future upgrades easier to add.
Key Path and Script Path
A Taproot output can be spent in two ways.
- Key path: When all relevant participants cooperate, the output is spent with a single Schnorr signature. From the outside, this is indistinguishable from an ordinary single-signature payment.
- Script path: Fallback conditions for when cooperation breaks down. These conditions live in a Merkle tree called MAST, and only the branch actually used is revealed. The remaining conditions are never disclosed.
The internal key and the Merkle root of the script tree are combined into one output key through an operation called a tweak, so only a single ordinary-looking public key is visible.
MAST: A Merkle Tree That Hides Conditions
MAST (Merkelized Abstract Syntax Tree) places multiple spending conditions as leaves of a Merkle tree. The old approach required revealing every possible condition when spending, but with MAST you only present the condition you actually used and its Merkle proof. Whether there are 100 conditions or 1,000, only the one used is exposed, so transactions get smaller and privacy improves. The Merkle Tree concept applies directly here.
What Got Better
- Privacy: When spent via the key path, multisig, Lightning, and complex contracts all look identical to a single-signature payment. All Taproot outputs are indistinguishable from one another.
- Efficiency and fees: Schnorr signatures are a compact 64 bytes, and the script path reveals only the branch used, reducing data and saving fees.
- Extensibility: Key aggregation (MuSig) and Tapscript's versioning lay the groundwork for higher-layer protocols like Lightning and DLCs to operate more efficiently and privately.
- New address format: Taproot uses bech32m addresses (starting with bc1p).
The Quiet Soft Fork
Taproot is a soft fork that tightens existing rules, so it remains compatible with older nodes. Unlike SegWit activation, which went through the fierce conflict of the Blocksize War, Taproot activated through a process called Speedy Trial with miner signaling and little controversy, because there was broad community consensus on the technical improvement.
Related Concepts
- Schnorr Signatures - The BIP340 signature scheme and key aggregation at the heart of Taproot
- SegWit - The signature-separation upgrade that preceded Taproot (Taproot is SegWit v1)
- How Bitcoin Script Works - The spending-condition language that Tapscript updated
- Multisig - A common spending condition that Taproot can hide as a single signature
- Merkle Tree - The data structure MAST uses to hide spending conditions
- In Depth: The Biggest Upgrade Bitcoin Ever Shipped, Quietly - A long-form deep dive into Taproot