Understanding the important milestones of the Bitcoin protocol: Schnorr signature and Taproot soft fork upgrade


 407 total views

Multi-signatures and potentially complex script scalability that can enhance privacy are the core improvements of Bitcoin’s next fork.

Written by: Pan Zhixiong

An upgrade of the Bitcoin protocol may herald the trend of the next 3 to 5 years. Although everyone does not care about the technological iteration of Bitcoin, but pays more attention to security and mainstream acceptance, everyone will ultimately benefit from this upgrade.

The Bitcoin protocol that you identified as being technically unproactive has finally attracted a technological upgrade worthy of attention . The landmark technology upgrades in the Bitcoin protocol Schnorr Signature and Taproot have been integrated into the just-released Bitcoin Core 0.21.0 version-this is definitely worth paying attention to, because the upgrade may Affect the Bitcoin ecology in the next 3 to 5 years, especially for various application scenarios for institutional users and multi-signatures.

Of course, the current important keywords for the Bitcoin protocol are ” stable ” and ” safe “, so even after these technologies are launched, the community and ecology are usually quite cautious. There is no problem even if there is no integrated support, otherwise it may be introduced. The necessary risks and vulnerabilities.

Since this upgrade requires a soft fork to activate, the follow-up will also need to see the degree of support of the mining pool and miners for the proposal. At least for now, the mining pool and miners are quite active, with more than 90% of the computing power already Announced that it will support the upgrade.

Schnorr Signature is a digital signature algorithm named by German mathematician and cryptographer Claus-Peter Schnorr . Since it was in a patent protection state before 2008, Satoshi Nakamoto did not use this signature algorithm when designing the Bitcoin protocol. The elliptic curve digital signature algorithm (ECDSA), which was more suitable and open source at the time, was selected.

However, after nearly ten years, Bitcoin core developers believe that Schnorr Signature is the future of Bitcoin, because of its advantages in cryptographic features, which can be more convenient on the basis of almost equal (or even better) security. Constructing a multi-signature transaction in a “low-key” manner can also save a lot of space for blocks of an inch of gold .

In addition to the signature algorithm in the Bitcoin protocol, a scripting language is also designed to define how to use Bitcoin. Taproot is a new scripting language system that can make Bitcoin more powerful under the features of Schnorr Signature. In addition, it also designed the Tapscript scripting language and fine-tuned the way of spending Bitcoin-specific technical details, here Do not continue to expand.

Under the combination of these technologies, the Bitcoin multi-signature address can support a large number of multi-signature scenarios without revealing its own “multi-signature” identity. At the same time, it also has some advantages at the economic level, which can reduce transactions on the chain. Cost, especially for addresses that require high-frequency operations, can save a lot of cost .

How is the Bitcoin protocol upgraded?

Before introducing Schnorr Signature and Taproot, it is necessary to review the process steps of the Bitcoin protocol upgrade. After all, this is an event that is much less frequent than other blockchain network upgrades, and even many blockchain practitioners do not know much about it. .

Roughly speaking, the upgrade of the Bitcoin protocol is divided into six stages :

  • The first stage: everything is born from an idea or an innovative idea, and then the core developers of Bitcoin will make preliminary elaboration and discussion in the email .
  • The second stage: Submit the draft of the BIP (Bitcoin Improvement Proposal), this stage may be archived through GitHub.
  • The third stage: The core developers discuss the proposal in detail in the email, involving all technical details or possible problems and challenges.
  • The fourth stage: enter the formal development stage , and subsequent testing, and add functions to the Bitcoin core client.
  • The fifth stage: voting, and then waiting for the network to gradually activate, which is the final online.
  • The sixth stage: third-party application integration support.

If we look back on the more important protocol upgrades of Bitcoin before, we will find that the adoption rate of new features is actually not high, and it is usually only a very low rate after 3 years.

For example, the Segregated Witness (SegWit) upgrade about three years ago provided a slight expansion for the block. Using the SegWit address can reduce some transfer costs. According to data from txstats.com, the number of bitcoins currently stored in the Segregated Witness address is less than 8%. ( Data source )

In this situation, one reason is that many BTC assets may have been lost , or for large institutions to reform this system, it will cost too much, and it will also introduce some unnecessary risks. After all, safety is more important. But on the positive side, nearly half of the new transactions on the network use Segregated Witness. ( Data source )

The Lightning Network Protocol is also the Layer 2 expansion payment channel technology that Bitcoin has been iteratively updating since 2018. At present, the capacity of this network is still at a very small scale (about 1,000 BTC), which only accounts for less than 10,000 BTC. One part.

So for Schnorr Signature and Taproot, although the function has been implanted in the latest client, whether the function will be activated and how the follow-up ecology will be supported depends on the development of the next three to five years . Wallets, custodians, exchanges, and large institutions will gradually introduce them according to their own user needs, security needs, and functional needs.

Over three years of layout, led by Blockstream

When we sorted out the timeline of discussions and research on Schnorr Signature and Taproot by Bitcoin core developers, we found that it has been more than 3 years from the proposal to the integration.

Understanding the important milestones of the Bitcoin protocol: Schnorr signature and Taproot soft fork upgrade

Although Schnorr Signature is the basis for the realization of Taproot, the first proposed is Taproot-this is a set of solutions that can enrich Bitcoin scripts, originally proposed by Blockstream co-founder Gregory Maxwell in the Bitcoin core developer mailing list .

Half a year later, Pieter Wuille , another co-founder of Blockstream , proposed that Schnorr Signature replaces Bitcoin’s existing elliptic curve signature (ECDSA), through its unique “linear” characteristics, to achieve key aggregation and improve the speed of block verification.

After that, these two technologies were combined as a big plan and jointly promoted. Finally, three official versions of BIP were formed early last year and entered the development stage:

  • BIP-340 : Implement Schnorr Signature on the secp256k1 curve (Note: The elliptic curve signature used by Bitcoin was also the secp256k1 one)
  • BIP-341 : Taproot: The cost rules for the V1 version of Segregated Witness (Note: The V0 version rule was used in the previous release of the Segregated Witness upgrade at the end of 2017)
  • BIP-342 : How to verify the Taproot script (Note: This document describes the modification of some Bitcoin opcodes)

Although Gregory Maxwell and Pieter Wuille left Blockstream, most of the core participants of Schnorr Signature and Taproot are from Blockstream, except for Anthony Towns . He was an engineer at Xapo before and later joined the investment agency Paradigm.

What is the use of Schnorr Signature?

In the Bitcoin protocol, when judging whether a user has permission to use an asset, in addition to the classic “digital signature” algorithm, a cryptographic component, a concept based on ” lock script ” and “unlock script” is also constructed .

Before that, when Satoshi Nakamoto was designing the Bitcoin protocol, he needed to consider the signature length of the signature algorithm, whether it is open source, whether it has a patent, whether it has passed a long enough security verification, performance and other conditions, and finally chose the elliptic curve The digital signature algorithm (ECDSA) also selected a special elliptic curve secp256k1 under the advice of other experts.

However, the digital signature algorithm that can meet the above conditions is more than ECDSA, especially Schnorr Signature, which is no less than ECDSA in all aspects. The reason that Satoshi Nakamoto did not use it before may be because the Schnorr Signature patent was invalidated in the year of the birth of the Bitcoin white paper.

That’s right, German mathematician and cryptographer Claus-Peter Schnorr filed a related patent application in 1990 and was approved. For the open source community, this technology cannot be adopted before the patent expires, otherwise Satoshi Nakamoto will return It is really possible to adopt this signature algorithm mechanism in the first version of the Bitcoin protocol implementation.

Compared to ECDSA, Schnorr Signature is more like the Bitcoin signature algorithm should look like. The advantages of performance improvement and signature length will not be mentioned. What is more important is its ” linear ” feature, which can facilitate key aggregation instead of implementing multi-signature through other special techniques.

This “linearity” is also well understood. The participants of each key can aggregate to generate a new key through simple mechanism processing. The aggregation mechanism can be carried out in many ways. For example, Blockstream proposed MuSig and the later updated version of MuSig2 . In the MuSig2 scheme, multiple signatures can create an aggregate public key from their respective private keys, and then jointly create a valid signature for the public key, and optimize from the original three rounds of interaction (MuSig) to only two rounds The interaction can be.

Understanding the important milestones of the Bitcoin protocol: Schnorr signature and Taproot soft fork upgrade

So looking at a 2-3 multi-signature transaction, the original traditional method requires three public keys and two signatures to initiate a transaction.

Understanding the important milestones of the Bitcoin protocol: Schnorr signature and Taproot soft fork upgrade

In the Schnorr Signature scenario, on-chain transactions only require an aggregated public key and a signature, and at the same time, it can reduce a lot of transaction bytes, which means lower transfer costs .

Understanding the important milestones of the Bitcoin protocol: Schnorr signature and Taproot soft fork upgrade

Therefore, this also brings two additional advantages: privacy and super multi-signature .

Since only one signature and public key need to be exposed, it is difficult to determine whether the address using Schnorr Signature is a multi-signature address, and it is impossible to know what the composition of the multi-signature is, for external observers , This is an ordinary address.

For the previous Bitcoin script, it is necessary to expose some of the multi-signature details during the transaction, so this is why it is possible to know the multi-signature composition of the address.

Understanding the important milestones of the Bitcoin protocol: Schnorr signature and Taproot soft fork upgradeBitInfoCharts’s Bitcoin Rich List, the small mark at the back indicates the multi-signature address and the multi-signature rules

Previously, due to script limitations, it was not possible to support a large number of multi-signatures. It was also realized because of Schnorr Signature. This may open up many previously unimaginable application scenarios, such as opening a multi-signature address with a scale of hundreds of addresses to achieve more Decentralized or more diversified asset custody, etc. However, it may increase the complexity of off-chain interactions. We can only hope that these mechanisms of MuSig2 can be developed and iterated faster.

What is Taproot?

Taproot is a brand new Bitcoin script structure that defines how to use and receive Taproot transaction addresses. Its earliest concept comes from MAST (Merkel Abstract Syntax Tree) proposed by Bitcoin developers, so Taproot can be regarded as a special implementation of MAST.

Compared with the previous Bitcoin script logic, the main advantage of the MAST concept is that it can implement more diversified logic in a more private way.

Understanding the important milestones of the Bitcoin protocol: Schnorr signature and Taproot soft fork upgrade

When constructing a MAST structure, a large number of scripts can be supported. If two are taken as an example, the user can prepare a main payment script and a backup payment script in advance, and finally generate a recursive hash value of the MAST root . When using this asset, the user can unlock the main payment script, and does not expose the details of the alternate payment script, but uses its hash value.

This means that for a MAST root that contains many unlocking schemes, no matter how complex it is, the user only needs to expose one of the scripts when unlocking the asset, and more logic can be embodied by the hash value. , Without exposing any other details.

Speaking of Taproot, its essence is similar. And this requires the ” linear ” characteristic of the signature algorithm, so Taproot needs to be bound with Schnorr Signature.

Taproot is also a continuation of Segregated Witness

In the Bitcoin protocol, ” locking script ” (output script) defines the rules for how to collect bitcoin (UTXO), and ” unlocking script ” (input script) defines the rules for how to use bitcoin (UTXO). If the former is Create a lock, and the latter is a key.

During the Segwit upgrade three years ago, Bitcoin’s scripting rules underwent a large-scale upgrade. Two brand-new scripting rules P2WPKH (Pay to Witness Public Key Hash) and P2WSH (Pay to Witness Script) were proposed. Hash), that is, those addresses that start with bc1 now use one of the above script rules. P2WPKH is usually used in ordinary addresses, and P2WSH is usually used in multi-signature addresses.

In addition, in the upgrade of Segregated Witness, the concept of a version number is reserved in the script. All previous Segwit script rules have adopted V0 as the version number, so it can also be called Segwit V0. Taproot is upgraded on the Segwit framework, and the version number is upgraded to V1, which is the origin of Segwit V1 in the title of BIP 341, or this set of script rules can also be called P2TR (Pay to Taproot) to correspond to P2WPKH And the name of P2WSH.

Understanding the important milestones of the Bitcoin protocol: Schnorr signature and Taproot soft fork upgradeFor example, in a transaction, the Segwit version number in the output script is V0

It can even build a diversified multi-signature system

Under the combination of Schnorr Signature and Taproot, there are many ways to construct multi-signatures. For example, Bitcoin evangelist Steve Lee introduced two methods, namely threshold signature and Musig Keytree.

For example, for a hot wallet of an exchange, a 2-3 multi-signature may be performed through three private keys, namely ” Exchange Private Key “, ” Trusted Third Party Private Key “, and ” Cold Wallet Backup Private Key” “.

In the threshold signature, multiple signers need to use the MuSig mechanism to construct the payment address in advance; when using, aggregate the two signatures to realize the transaction.

Understanding the important milestones of the Bitcoin protocol: Schnorr signature and Taproot soft fork upgrade

By building a multi-signature in a tree structure (Musig Keytree), you can take full advantage of the advantages of Taproot and MAST. There are also three situations where BTC can be spent. One way of spending is placed outside of MAST, and the other two ways are stored in the two nodes of MAST to construct a payment address.

Understanding the important milestones of the Bitcoin protocol: Schnorr signature and Taproot soft fork upgrade

If you have the signature of the exchange key and the third-party key, you can bypass the MAST tree structure and directly generate an aggregate Taproot signature to spend the transaction.

Understanding the important milestones of the Bitcoin protocol: Schnorr signature and Taproot soft fork upgrade

Or the user can unlock the ” third-party key + cold wallet key ” script and add the hash of the script on the other side of the MAST tree to construct a Taproot signature to spend the transaction. Of course, there is a third way for users to spend, which is the same logic.

Understanding the important milestones of the Bitcoin protocol: Schnorr signature and Taproot soft fork upgrade

Compatibility: Not a big problem

Schnorr Signature and Taproot need to be upgraded through a soft fork , that is, the old version of the protocol and the client can continue to run without other adjustments.

However, nodes that have not been upgraded cannot verify the Taproot scripts of the Segwit V1 version, and will treat them as any-can-spend scripts. For those wallets that have not been upgraded, you can continue to receive and send the SegWit V0 version of the Segregated Witness address, or the earlier traditional address type (P2PKH). For some wallets that have implemented BIP 173 (Bech32 address) logic, it may be possible to support sending BTC to Taproot (Segwit V1) address.

However, the core developers still encourage everyone to upgrade to support verification of these new types of transactions.

Miners’ computing power support has exceeded 90%

Soft forks can generally be activated in a variety of ways. The previous soft forks were activated using the rules of BIP 9 , which required a large amount of computing power to signal support, and BIP 8 is also a similar rule.

So in the end, the launch of this scheme still requires miners and mining pools to vote and activate. According to the hashrate support of this Taproot soft-fork upgrade compiled by Binyin Mining Pool, the current support has exceeded 90% . Many mining pools have not publicly confirmed which specific activation rules to choose.

Understanding the important milestones of the Bitcoin protocol: Schnorr signature and Taproot soft fork upgradeSource: https://taprootactivation.com

There are still many types of activation proposals, but judging from the current voting situation, many prefer the BIP8 (false, 1y) method, that is, this soft fork will not be forced to activate. There are 1 year voting The interval is activated if the vote passes the threshold.

Understanding the important milestones of the Bitcoin protocol: Schnorr signature and Taproot soft fork upgrade

But Taproot’s ecological development speed may be slower

After Taproot is activated, the next thing is left to the downstream ecology , but this should be a longer road to popularization than Segwit.

Since Schnorr Signature and Taproot improve more scenarios related to multi-signatures, it can be expected that third-party wallets and exchanges will be more cautious. After all, this is not an immediate technical upgrade. And for those professional users , professional institutions, and even projects that rely on multi-signatures (such as cross-chain schemes) with more complex multi-signature requirements, they are more likely to be the first to eat crabs.

In any case, even if this is not a highly user-perceived technology upgrade, it will eventually achieve more diversified multi-signature, more private address types, and potentially complex logic support due to the integration of various infrastructures. , Reduce transaction costs and other aspects, which will ultimately affect all users in the ecosystem.

Source link: ChainNews