UTXOs in Bitcoin

  • Spending condition encoded as a script.
  • Typically: you need to provide a signature of the desired transaction under a given public key
  • current: public key inside a script
  • Taproot: script inside a public key

Elliptic Curve Public Keys
can serve as Commitments

\textit{pk} = g^{x+H(g^x,\ \textit{data})}
\textit{sk} = x+H(g^x,\ \textit{data})


\textit{pk} = g^{x+H(g^x,\ \textit{script})}

Key-path spending

  • produce Schnorr signature valid under public key \(pk\)

Script-path spending

  • reveal \(g^x\) and \(\textit{script}\)
  • fulfill script
  • script can actually be a Merkle tree of scripts

Smart Contracts

\textit{sk} = x_1 + x_2 +H(g^{x_1+x_2},\ \textit{script})

Parties can cooperate to produce a multi-signature,
i.e., a single Schnorr signature valid under \(g^{x_1+x_2}\)

Taproot is Cool

  • All UTXOs look the same: just a public key
  • All UTXOs are short: 32 bytes
  • Most spends look the same: just a signature
  • Most spends are short: 64 bytes
  • Only exception:
    Uncooperative parties in a smart contract

Research Agenda

  • Multi-signatures...
  • Threshold signatures...
  • Blind signatures...
  • ? signatures...

...that look like ordinary Schnorr signatures.

Don’t Trust. Verify.

Taproot in 3 min

By real-or-random

Taproot in 3 min

4th ForDigital Workshop, KIT, 2020-03-02

  • 318