Bitcoin users may soon be able to benefit from Taproot. Taproot, first proposed by Bitcoin Core contributor and former Blockstream CTO Gregory Maxwell, expands the flexibility of Bitcoin smart contracts while providing more privacy in the process, so that even the most complex smart contracts are typically indistinguishable from regular transactions on the blockchain.
While it is a big project, it's not just theory. Several Bitcoin Core contributors -- including Pieter Wuille, Anthony Towns, Johnson Lau, Jonas Nick, Andrew Poelstra, Tim Ruffing, Rusty Russell and Gregory Maxwell himself -- are working on a Schnorr signature proposal that includes Taproot.
Let’s take a look at Taproot and how it works.
P2SH
Bitcoins are "locked" in scripts: the few lines of code embedded in transactions on the blockchain that determine how the bitcoins can be spent in the next transaction. The conditions used usually involve providing a signature to prove ownership of the coin. But other well-known conditions include timelocks (a coin can only be spent after a certain block height or date) or multisig (a coin can only be spent when signed by some subset of a set of private keys).
Different conditions can be mixed and matched to create complex types of smart contracts. As an example of this kind of contract, a coin could be spent if both Alice and Bob sign, or if Alice alone signs after a week, or if Bob signs alone and also provides a password. Whichever of these three conditions is met first determines how the coin is spent.
With P2SH (pay to script hash), only a hash of this script is placed in the transaction; when the coin is spent, the full script is revealed together with its "solution", the data that satisfies it. Anyone can then use the initial hash to check that the script provided is indeed the original script that locked the coin, and can immediately verify that the script's requirements were met.
However, it is currently necessary to reveal all possible conditions when the coin is spent -- including those that were not met. This has two main disadvantages. One, it requires a large amount of data, especially when there are many conditions. Two, it is bad for privacy: everyone learns about the various ways the funds could have been spent, which can reveal, for example, which wallet was used, and possibly even more.
MAST
MAST instead splits the different conditions into separate leaves of a Merkle tree, and only the Merkle root, a single hash, is used for locking these coins.
The useful property is that if any piece of data in the Merkle tree is revealed, the Merkle root together with some additional data (called the Merkle path) can be used to verify that this specific data was included in the Merkle tree. The rest of the Merkle tree remains hashed and hidden.
For MAST, this means that only the condition that was met needs to be revealed. If, in the original example above, Alice spends the funds alone after a week, she only needs to reveal that condition (and the Merkle path). No one learns that the money could also have been spent by Alice and Bob together, or by Bob alone with a password. This makes MAST more data-efficient than complex P2SH smart contracts, with better privacy.
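An added toy model of the MAST reveal described above (not Bitcoin's or BIP341's actual tree construction): the three conditions from the Alice-and-Bob example become leaves, the root locks the coin, and a spender reveals only the met leaf plus its Merkle path. The domain-separated leaf and node hashes are an assumption added so an inner node cannot be passed off as a leaf.

```python
import hashlib

def leaf_hash(condition: bytes) -> bytes:
    # Domain-separate leaves from inner nodes so a node can't be passed off as a leaf.
    return hashlib.sha256(b"\x00" + condition).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _next_level(level):
    nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
    if len(level) % 2:                  # an unpaired last node is carried up as-is
        nxt.append(level[-1])
    return nxt

def merkle_root(conditions):
    """The single hash that locks the coin; it commits to every condition."""
    level = [leaf_hash(c) for c in conditions]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def merkle_path(conditions, index):
    """Sibling hashes the spender reveals alongside the one condition that was met."""
    path, level = [], [leaf_hash(c) for c in conditions]
    while len(level) > 1:
        if index % 2 == 1:
            path.append((level[index - 1], True))    # sibling is on the left
        elif index + 1 < len(level):
            path.append((level[index + 1], False))   # sibling is on the right
        level, index = _next_level(level), index // 2
    return path

def verify_path(root: bytes, condition: bytes, path) -> bool:
    """What a verifier checks: the revealed condition plus path recompute the root,
    while every other branch stays hidden behind its hash."""
    acc = leaf_hash(condition)
    for sibling, sibling_is_left in path:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc == root

# Constructed leaves: the three conditions of the Alice-and-Bob example.
CONDITIONS = [b"sig(Alice) AND sig(Bob)",
              b"sig(Alice) AFTER 1 week",
              b"sig(Bob) AND preimage(password)"]
ROOT = merkle_root(CONDITIONS)
```

Alice's timelocked spend reveals `CONDITIONS[1]` and a two-hash path; the other two conditions stay hidden behind their hashes.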
With Schnorr, however, Taproot can do even better: a transaction can completely hide constructs like MAST.
Schnorr
The Schnorr signature scheme has long been desired by many Bitcoin developers and is currently being developed for deployment as a soft fork protocol upgrade. Many cryptographers consider the Schnorr signature scheme to be the best in the field because its mathematical properties allow for strong correctness guarantees, it is not malleable, and it is relatively fast to verify.
Its most celebrated feature in the context of Bitcoin development is that Schnorr's "linear math" allows for signature aggregation: several signatures in the same transaction can be combined into one. A similar trick can be applied to multisig transactions. Combining the public keys and the signatures into a "threshold public key" and a "threshold signature" can make multisig transactions indistinguishable from regular transactions.
Another Schnorr trick is adjusting (often called "tweaking") a private key and public key. As a simplified example, a private key and its corresponding public key can be adjusted by multiplying both by 2. "Private key × 2" and "Public key × 2" will still correspond: messages signed with "Private key × 2" can still be verified with "Public key × 2". Anyone who doesn't know that the original key pair was adjusted won't even see any difference; the adjusted key pair looks just like any other key pair.
That's where Taproot comes in.
Taproot
Taproot is based on the realization that almost any MAST construct, no matter how complex, can (or should) include a condition under which all participants agree on the outcome and sign the settlement transaction together. In the previous example, if Bob knows that Alice can get all the funds by herself after a week, he might as well cooperate with her now and sign together. (In many typical smart contract setups, he could even be penalized if he doesn't. The complexity is really just there to keep everyone honest.)
Taproot resembles MAST, and always includes a condition under which all participants can spend the funds jointly: the "cooperative close".
This is where it gets interesting by utilizing Schnorr signatures.
First, the cooperative close uses Schnorr's threshold trick to make it look like a regular transaction. The public keys of all participants are added together to form a "threshold public key". Corresponding to this threshold public key, the combination of all participants' signatures -- their "threshold signature" -- lets them spend the funds.
So far so good, but spending the funds as a normal transaction is the only thing they can do -- there is no MAST-like structure yet. This is where the other Schnorr trick comes into play.
All the alternative ways in which the funds could be spent, the non-cooperative outcomes, are this time combined into a separate script. This script is then hashed and used to adjust the threshold public key. Instead of "Public key × 2", we now get "Threshold public key × script" (a simplified expression). Of course, this "Threshold public key × script" corresponds to "Threshold signature × script".
Now, if the funds are spent cooperatively, all participants combine their signatures into a "threshold signature" and then adjust it with the script. The resulting "Threshold signature × script" lets them spend the funds. Importantly, however, to the outside world all of this is still just an ordinary public key and an ordinary signature: an ordinary transaction.
Only if the cooperative close proves impossible does the threshold public key reveal its true colors: that it was adjusted.
In this case, both the original threshold public key and the script are revealed. This proves that "Threshold public key × script" was adjusted with this particular script. So, like the hash in P2SH, this adjustment verifies that the funds should be spendable if the alternative conditions specified in this script are met. (As with P2SH, these conditions must of course then also be met immediately for the funds to actually be spent.)
Also, instead of adjusting the threshold public key with a script, the threshold public key can be adjusted with the Merkle root of a Merkle tree that includes all the different conditions under which the funds can be spent: a MAST structure. Then, to spend the funds, only the condition that was met needs to be revealed.
Therefore, Taproot provides all the benefits of MAST, while under normal circumstances no one would ever know that an ordinary transaction hides such a complex smart contract as a backup.
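An added toy model of the key arithmetic in the Schnorr and Taproot sections above (not secp256k1, BIP340 or MuSig code): Schnorr over Z_p in multiplicative notation, so "adding" public keys reads as multiplying them, "Public key × 2" reads as pk², and adjusting by a script hash t turns pk into pk·g^t. The parameters, Alice's and Bob's keys, and the script root are constructed for illustration; real key aggregation needs MuSig-style per-key coefficients so that no participant can cancel out the others' keys.

```python
import hashlib
P = 2**127 - 1   # constructed prime modulus (a Mersenne prime); NOT a secure choice
G = 3            # constructed generator; exponents are reduced mod P-1 (Fermat)
N = P - 1
enc = lambda v: v.to_bytes(16, "big")   # fixed-width encoding of a group element

def H(*parts: bytes) -> int:
    """Hash to a scalar; used both as signature challenge and as key tweak."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def pubkey(x: int) -> int:
    return pow(G, x, P)

def aggregate(pks):
    """'Threshold public key': combine the keys (g^a * g^b = g^(a+b))."""
    out = 1
    for pk in pks:
        out = out * pk % P
    return out

def tweak_key(agg_pk: int, script_root: bytes):
    """'Threshold public key x script': commit the key to the script or MAST root."""
    t = H(enc(agg_pk), script_root)
    return agg_pk * pow(G, t, P) % P, t

def cooperative_sign(secrets, nonces, tweak: int, msg: bytes):
    """Cooperative close: partial signatures add up (linearity), then the sum is
    adjusted by the tweak. Bitcoin does this interactively (MuSig); the toy
    combines the shares in one place."""
    R = aggregate([pubkey(k) for k in nonces])
    pk = aggregate([pubkey(x) for x in secrets]) * pow(G, tweak, P) % P
    e = H(enc(R), enc(pk), msg)
    s = sum(k + e * x for k, x in zip(nonces, secrets)) + e * tweak
    return R, s % N

def verify(pk: int, msg: bytes, sig) -> bool:
    """Ordinary Schnorr check g^s == R * pk^e; nothing here reveals the tweak."""
    R, s = sig
    e = H(enc(R), enc(pk), msg)
    return pow(G, s, P) == R * pow(pk, e, P) % P

def script_path_check(tweaked_pk: int, agg_pk: int, script_root: bytes) -> bool:
    """Non-cooperative spend: revealing agg_pk and the script proves the tweak."""
    return tweaked_pk == tweak_key(agg_pk, script_root)[0]
# Constructed demo values: Alice's and Bob's keys, and a root over the fallback scripts.
ALICE, BOB = 0x123456789ABC, 0x0FEDCBA98765
SCRIPT_ROOT = hashlib.sha256(b"constructed MAST root").digest()
AGG_PK = aggregate([pubkey(ALICE), pubkey(BOB)])
TWEAKED_PK, TWEAK = tweak_key(AGG_PK, SCRIPT_ROOT)
```

A cooperative signature verifies against `TWEAKED_PK` with the plain single-key `verify`, so a verifier cannot tell it from an ordinary key; only `script_path_check`, which needs the revealed `AGG_PK` and script root, exposes the adjustment.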
