This post was first published on Medium.
Taproot in BTC
Taproot is the biggest “Bitcoin” Core upgrade since 2017, supposed to improve its functionality. In Taproot, we tweak a public key P to get a new public key Q as follows:
H() is a hash function and G is the generator point. This is the same formula as in Equation 4, where we link data to a signature. In this case, the data committed in Q is simply m, the root of a MAST. P is the aggregated public key of all parties.
There are two ways to spend the funds locked in Q:
1. Cooperative Case: a.k.a. Default Key Spending Path
When all parties agree on the output of a contract, represented by the MAST, they can all sign together to release the funds¹. Only a regular payment transaction is needed, hiding the actual contract/MAST.
2. Uncooperative Case: a.k.a. Alternative Script Spending Path
Taproot in the Original Bitcoin
We can achieve what Taproot does using the original Bitcoin protocol, without any changes at all.
We simply use the contractless contract technique, where the contract is a MAST contract with Merkle root m. As in a general contractless contract:
- Cooperative Case: all parties sign and release the funds in a regular payment transaction tx2′.
- Uncooperative Case: if some party does not sign, we execute the MAST contract in tx2.
The Taproot upgrade took BTC almost four years from inception to activation. It required fundamental and enormous changes at the protocol level, including BIP 114 (Merkelized Abstract Syntax Tree), BIP 340 (Schnorr Signatures), BIP 341 (Taproot), and BIP 342 (Tapscript).
¹ Intuitively, the private key is q = p + H(P||m). Private key p is “known” jointly by all parties. P and m are both public, so all parties can jointly sign against q’s public key Q.
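The key tweak described above and the private-key relation in the footnote, worked through on secp256k1 as an added example (not code from the original post or from any Bitcoin implementation). It assumes plain SHA-256 over the compressed key for H(), whereas BIP 341 uses a tagged hash over an x-only key; the key `p`, the root `m` and all function names are constructed for illustration.

```python
import hashlib

# secp256k1 public parameters: field prime, group order, generator G.
FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Add two affine points; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % FIELD == 0:
        return None
    if a == b:   # tangent slope for doubling
        lam = 3 * a[0] * a[0] * pow(2 * a[1] % FIELD, -1, FIELD) % FIELD
    else:        # chord slope for distinct points
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % FIELD, -1, FIELD) % FIELD
    x = (lam * lam - a[0] - b[0]) % FIELD
    return (x, (lam * (a[0] - x) - a[1]) % FIELD)

def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time, demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def tweak(P, m):
    """t = H(P || m) reduced to a scalar (assumption: plain SHA-256)."""
    data = bytes([2 + (P[1] & 1)]) + P[0].to_bytes(32, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def tweak_public(P, m):
    """Q = P + H(P || m) * G, computable by anyone who knows P and m."""
    return point_add(P, point_mul(tweak(P, m), G))

def tweak_private(p, m):
    """q = p + H(P || m) mod n, computable only with the private key p."""
    return (p + tweak(point_mul(p, G), m)) % N

# Constructed sample values: a stand-in aggregate key and MAST root.
p = int.from_bytes(hashlib.sha256(b"constructed aggregate key").digest(), "big") % N
m = hashlib.sha256(b"constructed MAST root").digest()
P = point_mul(p, G)
Q, q = tweak_public(P, m), tweak_private(p, m)
```

Because q·G equals Q, a signature made with q verifies against Q like any ordinary key, while Q still commits to m: changing the Merkle root changes the tweak and therefore the output key.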