Where is the Schnorr signature and the Taproot soft fork proposal?

(Source: Pexels )


On May 6, 2019, Bitcoin developer Pieter Wuille posted a soft-branch proposal called " Taproot " to the Bitcoin developer mailing list. If the proposal is accepted, it may supplement the Schnorr signature soft fork upgrade released by Pieter in July 2018. The benefits of these proposals are related to scalability (performance) and privacy. Scalability and privacy now seem to be relevant and inseparable. While removing the details of the business and ensuring that transaction processing (increasing scalability) is reduced, they reduce the information they disclose and therefore may not be able to differentiate from different types of transactions, thereby increasing privacy.

Schnorr signature

The Schnorr signature algorithm was patented by Claus Schnorr in 1991 and expired in 2008. Although the Schnorr algorithm is said to be more powerful and a variant of it, the Digital Signature Algorithm (DSA) scheme is more widely adopted because the algorithm's patents are used free of charge worldwide. However, Dr. Schnorr himself has always believed that DSA should be within his patent.

Due to its wide range of uses, when Bitcoin was introduced in 2009, DSA's variant elliptic curve digital signature algorithm (ECDSA) was used for its digital signature algorithm. But the original Schnorr signature algorithm is simpler and more efficient than DSA, reducing the heavy security assumptions. After 10 years of use of Bitcoin, the more obvious it is, the advantage of these efficiencies will become important. Therefore, it seems reasonable to transfer Bitcoin to the Schnorr signature algorithm.

The main benefit of Schnorr signatures is that multi-signature transactions appear as normal single-signature transactions on the chain. With Schnorr signatures, multiple signers can generate a joint public key and then sign it together with a single signature instead of publishing all public keys and each signature separately on the blockchain. This is an important scalability and privacy improvement. This means that Schnorr signatures will save a lot of space and verification time, and as the signers of traditional multi-signature transactions increase, the comparative advantage will become more apparent.

Schnorr signature space savings estimate

We attempted to calculate the increase in potential bitcoin network capacity that can be brought about by the collection characteristics of this Schnorr multi-signature (multisig). However, due to the large number of assumptions involved, the following 13.1% increase in capacity should be considered a very approximate estimate.

Estimated savings based on UTXO calculations

(Source: BitMEX Research Team Computing and Valuation, p2sh.info)

(Note: The estimate ignores the impact of Schnorr's smaller signature size and only includes the benefits of adding a public key and signature. By using p2sh.info associated with multi-signature usage and applying a savings factor to each multi-signature type ( Estimate capacity increase by ranging from 50% to 85%. Estimate network-wide capacity increase by assuming that UTXO usage ratios are typical values ​​used by blockchains and applying higher weights to larger multi-signature transactions. Unused P2SH output The proportion of unused outputs is assigned to the multi-signature type. This value should only be considered as a very approximate estimate. Data as of May 7, 2019)

The above estimated capacity increase can be considered small, but the following factors should be considered:

● The economics of multi-signature technology is far more common than just considering UTXO counting. Approximately 21.5% of Bitcoin is stored in a multi-signature wallet, which is much higher than the 5.9% used by UTXO counting.

● As shown in the figure below, the multi-signature adoption rate is growing rapidly. At the same time, new systems like Lightning Networks require multiple signatures, while Schnorr signatures make multi-signature systems more powerful and adoption rates may increase.

Bitcoin stored by P2SH address type – graph showing strong growth in multi-signature technology

(Source: p2sh.info )

Therefore, according to our basic calculations, even if 100% adopt Schnorr, it will only bring 13.1% of network capacity growth according to the current usage of the network. However, in the long run, potential space savings and network capacity growth may be far higher. herein.

Merkel Abstract Syntax Tree (MAST)

MAST is an idea for Bitcoin protocol developer Dr. Johnson Lau in 2016 . In the past, Dr. Lau wrote an article for the BitMEX research team in February 2002 entitled The art of making softforks: Protection by policy rule ( The Art of Soft Bifurcation : Protection of Policy Rules). The idea of ​​MAST is that, in addition to time-locked conditions, transactions may also contain multiple spending conditions, such as 2 to 2 multi-signature conditions. To avoid putting all of these conditions and scripts into the blockchain, you can build expense scripts inside the Merkel tree so that you only need to display them and the necessary Merkel branch hashes when using them.

Graphical illustration of MAST expenditure conditions

(Source: BitMEX Research Team) (Note: This chart attempts to illustrate the transaction structure that assumes MAST is used with Schnorr. In the above structure, if both Bob and Alice are signed, funds can be redeemed in a cooperative manner, or after a time lock Redemption in a non-cooperative manner. The above is to illustrate the type of structure that may be required to open and close the lightning network channel)

Based on the above design, it can be assumed that only one expenditure condition needs to be displayed. For example, to spend output, all the signer needs to do is provide a Schnorr multi-signature and a hash (hash (1 and 2)) at the top right of the Merkel tree. So, despite the Merkel tree, in most cases everything goes as planned, requiring only one signature and a 32-byte hash. To be more concise, in order to validate the script, you need to prove that this is part of the Merkel tree by showing other branch hashes.

However, the disadvantage of this structure is that even in the normal best case, when providing a single key and script in the upper left corner of the Merkel tree, you still need to use up to 32 bytes of data, and announce another to the blockchain. Hash (the hash (1 and 2) in the image above). This deficiency also reduces privacy because third parties can always determine if there are more complex spending conditions because the top branch of the Merkel tree is always visible.


To the best of our knowledge, the origin of the Taproot idea came from an e-mail sent by Bitcoin developer Gregory Maxwell in January 2018 . The structure of Taproot is similar to MAST except at the top of the Merkel tree. In the case of Taproot, in a cooperative or normal scenario, you can choose to advertise only a single public key and a single signature without the need to publish evidence of the existence of the Merkel tree. The chart below illustrates the Taproot transaction structure.

Graphical illustration of Taproot spending conditions

(Source: BitMEX Research Team)

(Note: This chart attempts to explain the same spending criteria as the MAST chart above)

The adjusted public key on the left (or address) can be calculated from the original public key and the Merkel root hash. In the case of normal or cooperative payment, at the time of redemption, the original public key does not need to be on the chain, and does not show the existence of the Merkel tree, only a single signature needs to be published. In the absence of cooperation or unusual redemption, the original public key will be displayed along with information about the Merkel tree.

The benefits of Taproot compared to the original MAST structure are obvious. In the case of cooperation, the blockchain or the script itself no longer needs to include an extra 32-byte hash to improve efficiency. In addition, the transaction looks "normal", just a payment with a public key and a signature, and the existence of other spending conditions does not need to be displayed. This is a huge privacy benefit for external third-party observers, such as when opening a lightning channel or even a cooperative lightning channel shutdown, the transaction looks like regular bitcoin spending. The transaction can be constructed such that the presence of the Merkel tree needs to be displayed only when the uncooperative lightning channel is closed. The more different types of transactions look the same, the better the privacy, because third parties may not be able to determine which type of transaction is occurring and the flow of funds is generated. The long-term goal of some Bitcoin developers may be to ensure that no matter what type of transaction occurs, at least in the case of so-called cooperation, all transactions look the same.

Confusion about signature collection

The potential scalability of reducing the number of signatures required for a blockchain is enormous, so this concept is often exciting. Schnorr signatures do indeed collect signatures in multi-signature transactions, which should be a significant benefit for bitcoin. However, the inclusion of this and other ideas related to the collection of signatures has led to some unrealistic expectations of potential benefits, at least in terms of this upgrade proposal. To the best of our knowledge, the only aggregate benefit for this particular upgrade proposal is the inclusion of a signature in a multi-signature scheme rather than multiple inputs or multiple transactions.

Summary table of signature collection ideas

(Source: BitMEX Research Team)

in conclusion

We believe that the benefits associated with this soft fork are unlikely to be controversial. This soft fork seems to achieve a win-win situation in terms of functionality, scalability and privacy. The biggest controversy may be that there is no debate about other ideas or why.

Having said that, many people may be excited about the potential benefits of these upgrades and hope to see these upgrades on the network as soon as possible. However, when it comes to bitcoin, especially when it comes to changes to consensus rules, it takes a lot of patience.

Author: BitMEX team

Weibo: BitMEX

WeChat public number: BMEX industry information

Knowing the number: BitMEX research

Official telegram group: https://t.me/BitMEX_China



Welcome to reprint, please indicate that the article is provided by BitMEX research team. For more research reports on cryptocurrency industry, please visit http://cn.research.bitmex.com

We will continue to update Blocking; if you have any questions or suggestions, please contact us!


Was this article helpful?

93 out of 132 found this helpful

Discover more


In the past two or three years, the helm of Internet technology companies has looked at blockchains like this.

Text: Mutual chain pulse · Yuan Shang Source: Interchain Pulse October 25 is the watershed of China's block...


From the Meng Zhouzhou case: Huawei, HSBC, Kunlun Bank and digital currency

The last time, "Ren Zhengfei first talked about the 'coin', the world has no confidence in the US doll...


The MakerDAO rate has dropped to the lowest level in half a year. How to arbitrage from it?

Author: Odaily Daily Planet Packer Source: Planet Daily On October 28th, MakerDAO officially released the news that D...


If the era of quantum computing comes, is our bitcoin safe?

Written by: Li Yu, founder of Ambi Lab, Guo Yu Correction: Guo Yu Source: Chain smell Every time there is news of qua...


DeFi week selection 丨 DeFi cannibalizing PoS security? Vitalik debates with researchers

This week's most noticeable DeFi world is a technical research paper published by Gauntlet CEO Tarun Chitra, whi...


The mainstream adoption has already seen the fact that the two central banks use blockchain technology for cross-border payment for the first time.

According to Coindesk's May 2 report, the Bank of Canada (BOC) and the Singapore Monetary Authority (MAS) have c...