Taproot in 3 min
Tim Ruffing
@real_or_random
UTXOs in Bitcoin
OP_DUP OP_HASH160 <Public KeyHash> OP_EQUAL OP_CHECKSIG
- Spending condition encoded as a script.
- Typically: you need to provide a signature of the desired transaction under a given public key
- current: public key inside a script
- Taproot: script inside a public key
Elliptic Curve Public Keys
can serve as Commitments
\textit{pk} = g^{x+H(g^x,\ \textit{data})}
\textit{sk} = x+H(g^x,\ \textit{data})
Taproot
\textit{pk} = g^{x+H(g^x,\ \textit{script})}
Key-path spending
- produce Schnorr signature valid under public key \(pk\)
Script-path spending
- reveal \(g^x\) and \(\textit{script}\)
- fulfill script
- script can actually be a Merkle tree of scripts
Smart Contracts
\textit{sk} = x_1 + x_2 +H(g^{x_1+x_2},\ \textit{script})
x_1
x_2
Parties can cooperate to produce a multi-signature,
i.e., a single Schnorr signature valid under \(g^{x_1+x_2}\)
Taproot is Cool
- All UTXOs look the same: just a public key
- All UTXOs are short: 32 bytes
- Most spends look the same: just a signature
- Most spends are short: 64 bytes
- Only exception:
Uncooperative parties in a smart contract
Research Agenda
- Multi-signatures...
- Threshold signatures...
- Blind signatures...
- ? signatures...
...that look like ordinary Schnorr signatures.
Don’t Trust. Verify.
Taproot in 3 min
By real-or-random
Taproot in 3 min
4th ForDigital Workshop, KIT, 2020-03-02
- 852