UTXOs in Bitcoin

OP_DUP OP_HASH160 <PublicKeyHash> OP_EQUALVERIFY OP_CHECKSIG
  • Spending condition encoded as a script.
  • Typically: you need to provide a signature of the desired transaction under a given public key
  • Current: public key inside a script
  • Taproot: script inside a public key

Elliptic Curve Public Keys can serve as Commitments

\[ \textit{pk} = g^{x+H(g^x,\ \textit{data})} \]
\[ \textit{sk} = x+H(g^x,\ \textit{data}) \]

Taproot

\[ \textit{pk} = g^{x+H(g^x,\ \textit{script})} \]

Key-path spending

  • produce Schnorr signature valid under public key \(pk\)

Script-path spending

  • reveal \(g^x\) and \(\textit{script}\)
  • fulfill script
  • script can actually be a Merkle tree of scripts

Smart Contracts

\[ \textit{sk} = x_1 + x_2 + H(g^{x_1+x_2},\ \textit{script}) \]

[Figure labels: \(x_1\), \(x_2\)]

Parties can cooperate to produce a multi-signature,
i.e., a single Schnorr signature valid under \(g^{x_1+x_2}\)

Taproot is Cool

  • All UTXOs look the same: just a public key
  • All UTXOs are short: 32 bytes
  • Most spends look the same: just a signature
  • Most spends are short: 64 bytes
  • Only exception:
    Uncooperative parties in a smart contract

Research Agenda

  • Multi-signatures...
  • Threshold signatures...
  • Blind signatures...
  • ? signatures...

...that look like ordinary Schnorr signatures.

Don’t Trust. Verify.