Taproot: Bitcoin's Major Protocol Upgrade


Taproot is the first major Bitcoin software upgrade since SegWit was implemented in 2017. In short, it is a package of voluntary upgrades to the Bitcoin protocol designed to:

  • Increase network efficiency

  • Lower costs of complex transactions

  • Introduce new developer capabilities

  • Improve user privacy, and

  • Allow for less intrusive future upgrades

Bitcoin is open-source software, meaning the codebase exists in many different versions and is maintained by a widespread group of loosely coordinated people. Open-source software has no centralised line of command, roadmap or specific targets — the community of developers and users determine how the codebase evolves.

The somewhat standardised codebase for Bitcoin, Bitcoin Core (referred to as the reference implementation), is maintained on Github[1] by a set of nominated or appointed developers responsible for general moderation and addition of proposed contributions. However, in terms of structure, there are no specially privileged participants in Bitcoin development as anyone is welcome to contribute, test, and review its codebase.

To date, there have been over 800 contributors to the main Github version of Bitcoin Core, and many more have contributed to other alternative and compatible implementations available for users to deploy as they wish.[2]

In the Bitcoin user and developer communities there is a rough consensus regarding how Bitcoin should evolve. The general philosophy of Bitcoin development is one of security over speed. Any proposed changes undergo an arduous proposal, review, and testing cycle before being considered by a broader community of network participants.

Unless there are immediate and entirely uncontroversial dangers to the well-being of the system, upgrades are always made voluntary and backwards compatible. This ensures that users operating with older versions of the software are capable of making payments to users operating with newer versions, and that no one is left behind against their will.

Importantly, all users maintain the same copy of the transaction record (the blockchain) regardless of their version; this is even true of the original early 2009 release of Bitcoin by anonymous founder Satoshi Nakamoto.

Now let’s have a closer look at the upgrade itself:

Taproot is expected to slightly increase the processing speed of transactions, lower fees, and enable a faster onboarding experience for those looking to participate in the network (shorter block download)[3]. Some of these benefits stem from a reduction in the average data size of transactions, which increases the number of transactions able to fit in each block, as well as decreasing the amount of computation required to verify them.

These improvements are made possible by introducing another signature scheme (Schnorr) and a new transaction type (Pay-to-Taproot, or P2TR for short), which together can help decrease the data requirements of both simple peer-to-peer transactions and more complex financial or business logic (smart contracts).

Schnorr also allows users to verify transactions in batches rather than on an individual basis (batch verification), which is expected to provide marginal efficiency gains for regular network participants and significant efficiency gains for participants joining for the first time.

While these changes may seem like minor improvements, the marginal reduction of data in these transactions has ongoing effects that impact both fees and application development -- more on this later.

The new signature scheme allows for more compact transactions by shrinking the data size of two components common to any Bitcoin transfer: public keys and signatures. Meanwhile, in tandem with other aspects of Taproot[4], it’s expected to also reduce the data size of transactions with intricate spending conditions (discrete log contracts) or multiple steps of execution (multisignature transactions).

For multisignature transactions the benefit is particularly large. Schnorr signatures allow the keys in a multisignature setup to be combined into a single key, resulting in a single signature instead of many. A multisignature transaction, no matter how many keys are involved, will therefore only take up the same data size as a single transaction in a block, and it will not be possible to tell from the blockchain how many keys were involved in signing the transaction.

Importantly, it is also anticipated that this additional signature scheme can be implemented without trading off Bitcoin’s security. This has been explained[5] by the new scheme’s security proof requiring fewer assumptions than the existing one (ECDSA), without introducing any new assumptions. Throughout Taproot’s proposal process, it has been widely considered that this new signature scheme is just as secure as, if not more secure than, the existing digital signature scheme applied to Bitcoin transactions.[6][7][8]

Given its superior qualities, it is likely that the reason Bitcoin didn’t use Schnorr signatures from the beginning is that it had only recently been released from patent in 2009, and very few people had any experience implementing the scheme.[9] The existing ECDSA signature scheme was a part of OpenSSL[10], a set of open-source encryption tools that were mostly developed by computer scientists and mathematicians, many of whom were on the mailing list where Bitcoin was originally shared. This made it a natural choice for maximising interest and competence among early development contributors.

Many of Bitcoin’s applications and second-layer networks rely on more complicated multisignature transactions that will now become more efficient in terms of computation and privacy because of several upgrades packaged into Taproot[11]. As mentioned above, the improvements are expected to allow these complex transactions to appear indistinguishable from simple everyday transactions, as well as enable new capabilities[12] for the applications and second-layer networks (e.g. Lightning and Liquid) built on Bitcoin. In a way, it’s expected to allow developers to do more (functionality) for less (data required).

Some expect this may result in Bitcoin-based applications that are similar to existing Decentralised Finance (DeFi) projects, which are generally more closely associated with alternative blockchain systems.[13][14] This remains to be seen; however, Taproot’s ability to reduce the cost and increase the functionality of more intricate and complicated transactions may indeed offer room for more creativity outside of Bitcoin’s base layer.

To be clear, Taproot will not enable the same fully expressive and recursive smart contracts that exist in alternative blockchain systems (Ethereum, Solana etc.) and this will almost certainly never happen as recursive smart contracts are widely considered to be unacceptably risky for Bitcoin. That said, with Taproot the programmability of Bitcoin transactions will increase to a higher level than what was previously possible, all with the expectation that the improvements will not introduce any security vulnerabilities.

As previously mentioned, Bitcoin’s base layer system is based on a philosophy that generally prioritises security over speedy experimentation. Given that Taproot’s improvements are mostly expected to benefit development outside of Bitcoin’s base layer, we don’t think it's an unreasonable possibility that Taproot could lead to an increase in financial applications for users in its broader ecosystem (in the long-term).

These financial applications are however likely to differ considerably from existing DeFi projects, rely heavily on the expected benefits of Taproot actually coming to fruition, and ultimately depend on the success of newer technologies in Bitcoin’s broader ecosystem (layer two and sidechains).

By minimising the information published to the blockchain regarding these complex transactions, Taproot is further expected to make it more difficult to distinguish them from generic user transactions and identify the conditions by which they were spent. This is considered to make transactions more fungible as well as enable better and cheaper privacy techniques for users, especially users deploying complex business logic using Bitcoin smart contracts.

Lastly, Taproot adds several new paths to upgrade Bitcoin[15] that may have the potential to be less intrusive than other techniques that have resulted in extensive development and review periods.

We find these upgrade paths are highly technical and outside of the scope of this paper (and likely also the average user of Bitcoin). For this reason, a takeaway may be that Taproot paves the way for new upgrades, and potentially, introduces the ability to add powerful capabilities with relatively smaller and less involved changes.

Briefly and for those interested, this potential is based on how Taproot (specifically, TapScript) implements something called OP_Success. This takes all currently disabled and unused OP codes, which are just functions that operate on data[16], and replaces them with an operation called OP_Success[17]. This could allow the community to add valuable capabilities to Bitcoin by simply introducing new OP codes in the future.[18][19]
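How the OP_Success rule behaves in practice, as an added example that is not part of the original article or of Bitcoin Core: a pre-scan over a tapscript that reports whether an OP_SUCCESSx opcode makes the spend valid unconditionally. The opcode numbers are those the tapscript specification (BIP342) assigns to OP_SUCCESSx; the function names and sample scripts are constructed for illustration.

```python
# OP_SUCCESSx opcode numbers as listed in BIP342 (tapscript)
OP_SUCCESS = {80, 98, *range(126, 130), *range(131, 135), 137, 138,
              141, 142, *range(149, 154), *range(187, 255)}

def prescan(script: bytes) -> str:
    """Classify a tapscript before execution.

    "success": an OP_SUCCESSx opcode was met, the spend is valid as-is.
    "fail":    a push runs past the end of the script.
    "execute": no OP_SUCCESSx present, normal execution decides.
    """
    i = 0
    while i < len(script):
        op = script[i]
        i += 1
        if op in OP_SUCCESS:
            return "success"          # later bytes are never decoded
        if op <= 75:                  # OP_0 and direct pushes of 1..75 bytes
            n = op
        elif op <= 78:                # OP_PUSHDATA1/2/4: 1, 2 or 4 length bytes
            width = 1 << (op - 76)
            if i + width > len(script):
                return "fail"
            n = int.from_bytes(script[i:i + width], "little")
            i += width
        else:
            n = 0                     # ordinary opcode, no inline data
        if i + n > len(script):
            return "fail"
        i += n                        # skip pushed data: it is not code
    return "execute"

def safe_to_fund(leaf_scripts) -> bool:
    """Hypothetical wallet-side check: every leaf must need real execution."""
    return all(prescan(s) == "execute" for s in leaf_scripts)

# Constructed sample scripts
SAMPLES = {
    "op_1": bytes([0x51]),                      # OP_1
    "op_success126": bytes([0x7E]),             # 126, disabled OP_CAT in legacy script
    "data_only": bytes([0x02, 0x7E, 0x7E, 0x51]),  # 0x7E bytes inside a push
    "success_then_junk": bytes([0x7E, 0x05, 0x01]),
    "truncated_push": bytes([0x05, 0x01]),
}
```

Until a future soft fork gives one of these opcodes a meaning, a leaf script containing it can be spent by anyone, so a wallet should refuse to fund such outputs; once an opcode is defined, upgraded nodes enforce the new rule while older nodes still see a valid spend.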

Taproot has the potential to increase the efficiency of the Bitcoin network, improve user privacy, and introduce new applications on Bitcoin’s second layer. However, for these improvements to fully meet their expectations and challenge some existing application platforms, time and development will be required.

Bitcoin users retain the option to not participate in these new changes, and many of the benefits of Taproot depend on widespread deployment of the upgrade by users. It may also be that a significant threshold of network participation is necessary for these dynamics to have any noticeable effects at all.

Nonetheless, Taproot has successfully been activated at block height 709,632, or sometime on 13-14 November 2021 depending on your timezone. For those interested in participating or supporting this change, you can upgrade to Bitcoin Core version 0.21.1 (or later release) to enforce these rules. However, users who choose not to upgrade will continue to participate in the network and interact with others who opt for Taproot without any disturbance to their Bitcoin node. At the time of writing (November 15th), roughly 54% of Bitcoin’s network participants are enforcing Taproot.[20]

Lastly, we’d like to give a special thanks to Gregory Maxwell, Pieter Wuille, Marco Falke, Aj Towns, and Jonas Nick, along with all other developers and reviewers — too many to name — that have participated in the development and review of Taproot, ever since it was first proposed more than three years ago in early 2018.

 

[1] https://github.com/bitcoin

[2] https://luke.dashjr.org/programs/bitcoin/files/cha...

[3] This assumes a significant amount of users and businesses are using Taproot to a threshold where intended benefits are realised

[4] For more on this, see key aggregation, scriptless scripts and MAST structures

[5] https://twitter.com/benthecarman/status/1330638129...

[6] https://reyify.com/blog/liars-cheats-scammers-and-...

[7] https://bitcoin.stackexchange.com/questions/77234/...

[8] https://suredbits.com/introduction-to-schnorr-sign...

[9] https://en.wikipedia.org/wiki/Schnorr_signature

[10] https://en.wikipedia.org/wiki/OpenSSL

[11] Schnorr Signatures and Merklized Abstract Syntax Trees (MAST)

[12] MuSig (1, 2, DN) & Point Time-Locked Contracts (PTLCs)

[13] https://blog.kraken.com/post/10939/taproot-primer-...

[14] https://cryptobriefing.com/taproot-explained-bring...

[15] key versions, leaf versions, OP_Success, and the annex value

[16] https://en.bitcoin.it/wiki/Script#Opcodes

[17] https://github.com/bitcoin/bips/blob/master/bip-03...

[18] https://twitter.com/benthecarman/status/1332882923...

[19] https://bitcoin.stackexchange.com/questions/97258/...

[20] https://luke.dashjr.org/programs/bitcoin/files/cha...


Disclosure

The information contained in this document is for general information only. Nothing in this document should be interpreted as constituting an offer of (or any solicitation in connection with) any investment products or services by any member of the CoinShares Group where it may be illegal to do so. Access to any investment products or services of the CoinShares Group is in all cases subject to the applicable laws and regulations relating thereto.

This document is directed at professional and institutional investors. Investments may go up or down in value and you may lose some or all of the amount invested. Past performance is not necessarily a guide to future performance. This document contains historical data. Historical performance is not an indication of future performance and investments may go up and down in value. You cannot invest directly in an index. Fees and expenses have not been included.

Although produced with reasonable care and skill, no representation should be taken as having been given that this document is an exhaustive analysis of all of the considerations which its subject-matter may give rise to. This document fairly represents the opinions and sentiments of CoinShares, as at the date of its issuance but it should be noted that such opinions and sentiments may be revised from time to time, for example in light of experience and further developments, and this document may not necessarily be updated to reflect the same.

The information presented in this document has been developed internally and / or obtained from sources believed to be reliable; however, CoinShares does not guarantee the accuracy, adequacy or completeness of such information. Predictions, opinions and other information contained in this document are subject to change continually and without notice of any kind and may no longer be true after the date indicated. Third party data providers make no warranties or representation of any kind in relation to the use of any of their data in this document. CoinShares does not accept any liability whatsoever for any direct, indirect or consequential loss arising from any use of this document or its contents.

Any forward-looking statements speak only as of the date they are made, and CoinShares assumes no duty to, and does not undertake, to update forward-looking statements. Forward-looking statements are subject to numerous assumptions, risks and uncertainties, which change over time. Nothing within this document constitutes (or should be construed as being) investment, legal, tax or other advice. This document should not be used as the basis for any investment decision(s) which a reader thereof may be considering. Any potential investor in digital assets, even if experienced and affluent, is strongly recommended to seek independent financial advice upon the merits of the same in the context of their own unique circumstances.

CoinShares Capital Markets (UK) Limited is an appointed representative of Strata Global Ltd. which is authorised and regulated by the Financial Conduct Authority (FRN 563834). The address of CoinShares Capital Markets (UK) Limited is Octagon Point, 5 Cheapside, St. Paul’s, London, EC2V 6AA.

The CoinShares Astronaut is a trademark and service mark of CoinShares (Holdings) Limited.