
Taproot - Privacy and Efficiency Through Schnorr Signatures

Taproot is the 2021 Bitcoin upgrade that makes transactions with complex spending conditions look identical to ordinary single-signature payments, improving privacy and efficiency through Schnorr signatures, MAST, and Tapscript.


Taproot is a Bitcoin protocol upgrade activated on November 14, 2021, at block height 709,632. The first major upgrade since SegWit four years earlier, it makes transactions with complex spending conditions look identical to a plain single-signature payment, improving privacy and efficiency at the same time. Taproot consists of three Bitcoin Improvement Proposals (BIPs): BIP340 (Schnorr signatures), BIP341 (Taproot), and BIP342 (Tapscript).

graph TD
  P["Internal Key"] --> Q["Taproot Output Key (combined via tweak)"]
  T["Script Tree (MAST Merkle root)"] --> Q
  Q --> K["Key Path Spend: single Schnorr signature"]
  Q --> S["Script Path Spend: only the used branch revealed"]
  K --> R["Indistinguishable from an ordinary payment"]
  style Q fill:#58a6ff,stroke:#58a6ff,color:#000
  style K fill:#3fb950,stroke:#3fb950,color:#000
  style R fill:#3fb950,stroke:#3fb950,color:#000
  style S fill:#f0883e,stroke:#f0883e,color:#000

The Problem Taproot Solved

Bitcoin spending conditions are expressed in Script. The more complex the condition (single signature, multisig, timelocks), the larger the transaction and the more those conditions are exposed on the blockchain. Anyone could tell whether an output was a 2-of-3 multisig wallet, a Lightning channel, or a simple wallet. This hurt privacy and wasted block space. Taproot fixed this by making the common cooperative case look like a single signature.

Three BIPs

  • BIP340 Schnorr signatures: A signature scheme replacing ECDSA. Signatures are a fixed 64 bytes, and the scheme's linearity allows multiple signatures to be combined into one (key aggregation). See the Schnorr Signatures entry for details.
  • BIP341 Taproot: Defines a structure that packs both a key path and a script path into a single output key.
  • BIP342 Tapscript: Updates Bitcoin Script for the Taproot environment and introduces a versioning scheme that makes future upgrades easier to add.

Key Path and Script Path

A Taproot output can be spent in two ways.

  • Key path: When all relevant participants cooperate, the output is spent with a single Schnorr signature. From the outside, this is indistinguishable from an ordinary single-signature payment.
  • Script path: Fallback conditions for when cooperation breaks down. These conditions live in a Merkle tree called MAST, and only the branch actually used is revealed. The remaining conditions are never disclosed.

The internal key and the Merkle root of the script tree are combined into one output key through an operation called a tweak, so only a single ordinary-looking public key is visible.

MAST: A Merkle Tree That Hides Conditions

MAST (Merkelized Abstract Syntax Tree) places multiple spending conditions as leaves of a Merkle tree. The old approach required revealing every possible condition when spending, but with MAST you only present the condition you actually used and its Merkle proof. Whether there are 100 conditions or 1,000, only the one used is exposed, so transactions get smaller and privacy improves. The Merkle Tree concept applies directly here.

What Got Better

  • Privacy: When spent via the key path, multisig, Lightning, and complex contracts all look identical to a single-signature payment. All Taproot outputs are indistinguishable from one another.
  • Efficiency and fees: Schnorr signatures are a compact 64 bytes, and the script path reveals only the branch used, reducing data and saving fees.
  • Extensibility: Key aggregation (MuSig) and Tapscript's versioning lay the groundwork for higher-layer protocols like Lightning and DLCs to operate more efficiently and privately.
  • New address format: Taproot uses bech32m addresses (starting with bc1p).

The Quiet Soft Fork

Taproot is a soft fork that tightens existing rules, so it remains compatible with older nodes. Unlike SegWit activation, which went through the fierce conflict of the Blocksize War, Taproot activated through a process called Speedy Trial with miner signaling and little controversy, because there was broad community consensus on the technical improvement.
