For Bitcoin contracts, Taproot has minimized transaction costs and maximized privacy, but it is still unable to hide the flow of funds and amounts.
Original title: “Taproot Introduction 2”
Written by: Pan Zhibiao, founder of Biyin
I previously wrote an article interpreting Taproot at a technical level, "Introduction to Taproot"; this time I will add a few more sentences of interpretation (without formulas).
Contracts in everyday life usually have the following characteristics:
- A contract usually involves two or more parties.
- The parties to the contract do not absolutely trust each other. If they could absolutely trust each other, no contract would be required.
- The parties generally assume that the other side will perform the contract with high probability: if a party believes before the transaction that the other side will not perform, it may choose not to trade, or use contract terms (such as penalties) to ensure the other side performs.
- A properly designed contract should allow both parties to obtain greater benefits (or smaller losses) when it is performed.
- Therefore, in most cases, the contract will not be disputed, and both parties will cooperate to implement the contract terms. In this case, the terms of the contract are generally kept confidential and not known to third parties.
- If there is a dispute (non-cooperation) in the process, it needs to be arbitrated by a third-party institution (such as a court). In this case, the terms of the contract need to be made public and available to lawyers, judges, etc.
Simple contracts can be written on the Bitcoin chain, such as the n/m multi-signature mechanism, the Lightning Network, etc. Blockchain contracts are usually called smart contracts.
- All the characteristics of contracts apply to smart contracts, but the blockchain rules play the role of arbiter; in other words, Code is Law.
- But Bitcoin's current smart contracts, whether Satoshi Nakamoto's original 2009 design, the P2SH that appeared in 2012, or Segregated Witness (P2WSH) in 2017, share a common problem: whether or not the contracting parties cooperate, the content of the contract must be fully public, that is, the contract script must be disclosed. When spending, all of the contract script must be provided for verification.
- Disclosure of contract content mainly brings about two problems:
- Transaction cost: Smart contracts generally require multiple signatures, plus the content of the contract itself, which takes up more block space and increases transaction fees.
- Privacy issues: third parties can monitor blockchain data, track the flow of funds and infer the identities of contract participants through the characteristics of the contract content.
ECDSA
ECDSA has been the only signature verification mechanism since the birth of Bitcoin.
- Digital signatures are the most important means for Bitcoin to verify the legitimacy of transactions and the only standard for confirmation of rights.
- Since 2009, Bitcoin has used ECDSA as the digital signature standard, including P2PK and P2PKH, as well as P2SH in 2012, and P2WPKH and P2WSH in 2017.
- Bitcoin's public/private key system is linear: if we add multiple private keys, and add the corresponding public keys, the resulting new private key and new public key are still a valid pair. This is the theoretical basis of HD wallets.
- But ECDSA’s signature is non-linear, so simply adding up multiple signature results will no longer be a valid signature.
- Therefore, Bitcoin multi-signature transactions have always required multiple signatures to be disclosed on the blockchain. The problem is the same as that of smart contracts (transaction costs, privacy issues).
- Multi-signature has a theoretical limit of 201 signers (P2SH probably only allows up to 16 parties).
Schnorr
Now let me talk about the Schnorr signature algorithm.
- The Schnorr signature patent only expired in 2008. At that time there was no extensive open-source implementation or application, so Bitcoin, born in 2009, did not use it either. Satoshi Nakamoto was relatively cautious: designing a signature algorithm usually requires a deep mathematical foundation, and a small misunderstanding or coding error can cause serious problems.
- The public/private key system used by Schnorr signature is the same as ECDSA, so the existing private key management (such as BIP32) can continue to be used.
- The difference between Schnorr and ECDSA is that Schnorr signatures are linear. For the same content X, if multiple private keys each sign it, and then the corresponding public keys are added and the signatures are added, the resulting signature is a valid signature of the new (summed) public key over content X.
- With this feature, there is no theoretical limit to the number of signatures. As long as all parties work together, the signatures can be added together, which looks no different from a unilateral signature.
- The security of the Schnorr signature algorithm was mathematically proven in 2012.
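The two properties described above, key linearity and signature linearity, can be checked directly on secp256k1. The block below is an added example, not code from the original article or from any Bitcoin library: it implements curve arithmetic from scratch, shows that (a + b)·G equals a·G + b·G, and then runs the textbook n-of-n Schnorr aggregation in which every co-signer shares its nonce point, all parties compute the same challenge e = H(R || P || m), and the partial values s_i = k_i + e·x_i are simply added. The challenge hash construction and the message are constructed for this example and are not BIP340's exact serialization. The reason the same trick fails for ECDSA is visible from its equation: s = k⁻¹·(z + r·x) contains the modular inverse of the nonce, so partial signatures from different signers do not add up.

```python
import hashlib
import secrets

# secp256k1 domain parameters, the curve Bitcoin uses for both ECDSA and Schnorr.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point=G):
    """Double-and-add scalar multiplication: k * point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keypair():
    x = secrets.randbelow(N - 1) + 1
    return x, scalar_mult(x)


def keys_are_linear():
    """(a + b) * G == a*G + b*G: the key-derivation fact behind HD wallets."""
    a, A = keypair()
    b, B = keypair()
    return scalar_mult((a + b) % N) == point_add(A, B)


def challenge(R, pub, msg):
    """e = H(R || P || m); every co-signer must use this same value (constructed encoding)."""
    data = R[0].to_bytes(32, "big") + pub[0].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def schnorr_verify(pub, msg, sig):
    """Check s*G == R + e*P. The check is identical for one signer or many."""
    R, s = sig
    e = challenge(R, pub, msg)
    return scalar_mult(s) == point_add(R, scalar_mult(e, pub))


def aggregate_sign(private_keys, msg):
    """Textbook n-of-n Schnorr aggregation (hypothetical helper, not a library API).

    Round 1: each party publishes its nonce point R_i; all compute R = sum R_i
    and the combined key P = sum P_i.  Round 2: each party computes its partial
    s_i = k_i + e*x_i, and the partials are simply added.  Returns (P, (R, s)).
    """
    pubkeys = [scalar_mult(x) for x in private_keys]
    nonces = [secrets.randbelow(N - 1) + 1 for _ in private_keys]
    R = None
    for k in nonces:
        R = point_add(R, scalar_mult(k))
    pub = None
    for pk in pubkeys:
        pub = point_add(pub, pk)
    e = challenge(R, pub, msg)
    s = sum((k + e * x) % N for k, x in zip(nonces, private_keys)) % N
    return pub, (R, s)


def demo(msg=b"constructed message: a 2-of-2 contract settlement"):
    """Three co-signers produce a single (R, s) signature that verifies under the summed key."""
    private_keys = [keypair()[0] for _ in range(3)]
    pub, sig = aggregate_sign(private_keys, msg)
    return schnorr_verify(pub, msg, sig) and not schnorr_verify(pub, msg + b"!", sig)


if __name__ == "__main__":
    print("keys linear:", keys_are_linear())
    print("aggregate signature verifies:", demo())
```

The verifier in this block cannot tell whether `sig` came from one signer or from three, which is the property the article relies on. The textbook aggregation shown here assumes every co-signer is honest about its key and nonce; the deployed BIP340/MuSig designs add per-key coefficients and a nonce-commitment round so that one participant cannot choose its key or nonce as a function of the others', and that hardening is deliberately left out of this illustration.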
Problems Solved by Taproot
Taproot is based on the Schnorr signature algorithm.
- With a Taproot smart contract, if the parties cooperate, not only does the contract content not need to be disclosed, but the transaction looks no different from the simplest and most common single-signature transaction. That is, transaction costs are minimized and privacy is maximized.
- If the parties do not cooperate, the claiming party still needs to disclose the contract script for blockchain arbitration, exposing all or part of the script, which the nodes then verify and execute.
- By using MAST (Merklized Alternative Script Trees), the claiming party only needs to disclose the relevant part of the contract rather than all of its terms, minimizing transaction costs and the impact on privacy. The contract may have multiple execution paths, and only the path actually executed is revealed.
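To make the "reveal only the executed path" point concrete, here is an added example that is not code from the article or from Bitcoin Core: it builds a Merkle tree over a constructed set of script branches for one contract, produces the sibling-hash proof for a single leaf, and verifies that the leaf plus its proof recomputes the root. The leaf scripts are human-readable stand-ins, and the `Demo/Leaf` and `Demo/Branch` tags are assumptions for this illustration (Taproot uses its own TapLeaf and TapBranch tags and a leaf version byte). The tweak that commits the root into the output key, which is what makes the cooperative spend look like a plain single-signature transaction, is not part of this block.

```python
import hashlib

# Constructed example leaves: readable stand-ins for the script branches of one contract.
SCRIPTS = [
    b"<Alice> <Bob> 2 OP_CHECKMULTISIG",            # cooperative 2-of-2 close
    b"<144 blocks> OP_CSV <Alice> OP_CHECKSIG",       # timeout refund to Alice
    b"OP_HASH160 <H> OP_EQUAL <Bob> OP_CHECKSIG",     # hash-lock claim by Bob
]


def tagged_hash(tag, data):
    """BIP340-style tagged hash: SHA256(SHA256(tag) || SHA256(tag) || data).
    Distinct tags for leaves and branches stop a leaf hash being reinterpreted as a branch."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()


def leaf_hash(script):
    return tagged_hash("Demo/Leaf", script)


def branch_hash(a, b):
    # Sorting the children lets a verifier rebuild the path without left/right flags.
    lo, hi = sorted((a, b))
    return tagged_hash("Demo/Branch", lo + hi)


def build_tree(scripts):
    """Return (root, proofs); proofs[i] is the list of sibling hashes for leaf i."""
    nodes = [(leaf_hash(s), [i]) for i, s in enumerate(scripts)]
    proofs = [[] for _ in scripts]
    while len(nodes) > 1:
        nxt = []
        for j in range(0, len(nodes) - 1, 2):
            (ha, ia), (hb, ib) = nodes[j], nodes[j + 1]
            for i in ia:
                proofs[i].append(hb)
            for i in ib:
                proofs[i].append(ha)
            nxt.append((branch_hash(ha, hb), ia + ib))
        if len(nodes) % 2 == 1:
            nxt.append(nodes[-1])  # an unpaired node is carried up unchanged
        nodes = nxt
    return nodes[0][0], proofs


def verify_path(root, script, proof):
    """What a node does at spend time: recompute the root from one revealed leaf and its siblings."""
    h = leaf_hash(script)
    for sibling in proof:
        h = branch_hash(h, sibling)
    return h == root


def reveal_cost(scripts, proofs, idx):
    """Bytes placed on chain when spending via leaf idx, versus publishing every branch."""
    revealed = len(scripts[idx]) + 32 * len(proofs[idx])
    return revealed, sum(len(s) for s in scripts)


if __name__ == "__main__":
    root, proofs = build_tree(SCRIPTS)
    for i, s in enumerate(SCRIPTS):
        print(i, verify_path(root, s, proofs[i]), reveal_cost(SCRIPTS, proofs, i))
```

When Bob claims through the hash-lock branch, the chain sees that script, its 32-byte sibling hashes and the root; the 2-of-2 and timeout branches remain hidden, and a forged leaf does not recompute the committed root. Privacy therefore depends on not reusing the same tree with an identifiable structure, which is the same address-reuse point the next section makes.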
Problems not solved by Taproot
Taproot does not hide the transaction amount, so it is still possible to estimate the flow of funds by analyzing the input and output amounts.
The Taproot address is the same as the old-style address and will be disclosed on the blockchain. If users reuse Taproot addresses, they have the same privacy issues as reusing old addresses: too much transaction information is concentrated on one address.
Summary
In terms of privacy, Bitcoin has two major problems still to overcome. One is hiding the flow of funds, which is tricky in the UTXO system; the other is hiding amounts, which could be solved by a technology similar to Grin, but that requires extending blocks or a fork.
Even though these two major difficulties have not been solved, Taproot has minimized transaction costs and maximized privacy for Bitcoin contracts. It is still a significant improvement.
Source link: card.weibo.com