What are Schnorr signatures? What is Taproot?
The Schnorr signature scheme is a digital signature scheme that improves the privacy and scalability of the Bitcoin network.
Who invented the Schnorr signature scheme, and when?
The Schnorr signature scheme and Taproot are Bitcoin Improvement Proposals BIP-340 and BIP-341. On January 21, 2020, developer Pieter Wuille included them in a pull request for the soft fork.
The Schnorr signature scheme was proposed in 1991 by the German cryptographer Claus-Peter Schnorr, a professor at the University of Frankfurt.
Schnorr's scheme is a modification of the ElGamal (1985) and Fiat-Shamir (1986) schemes, but with a smaller signature size; it also builds on the work of the cryptographer David Chaum.
Before publishing the scheme, Schnorr obtained a number of patents on it, which expired in 2008, the year Satoshi Nakamoto presented Bitcoin. Schnorr signatures could already be used at that time, but they were not standardized and did not become widespread.
When Nakamoto created Bitcoin, he had to choose one of the existing signature schemes. He needed an easy-to-use, secure, open-source algorithm, and ECDSA met these requirements. ECDSA's predecessor, the DSA algorithm, was a hybrid of the Schnorr and ElGamal schemes and was created to work around Schnorr's patents.
ECDSA in Bitcoin became faster and more efficient thanks to the work of Pieter Wuille and his colleagues, who created an improved elliptic curve, secp256k1.
ECDSA has certain drawbacks, and the developers were looking for an alternative. The first discussions of a possible implementation of Schnorr signatures on the Bitcoin network took place in 2014, and a few years later developer Pieter Wuille published the Schnorr BIP.
What are the key technical features of Schnorr signatures, and what are their advantages over ECDSA?
Like ECDSA, Schnorr signatures rely on the discrete logarithm problem. The advantage of Schnorr signatures is that they rest on fewer assumptions and have a rigorous formal security proof: their security is easy to prove in the random oracle model under the hardness of the elliptic curve discrete logarithm problem (ECDLP).
Schnorr signatures are a more transparent technology that is easier for cryptographers to work with.
Schnorr signatures are provably non-malleable, whereas ECDSA signatures are malleable: a third party without access to the private key can alter an existing valid signature, which enables a double spend.
A significant advantage of Schnorr signatures is the linearity property, which follows from the linear mathematics of the scheme.
Schnorr signatures are linear in the sense that they can be added or subtracted. The result of such an operation is a valid signature corresponding to the same sum (or difference) of public keys. With ECDSA this does not work: adding or subtracting such signatures is meaningless.
The linearity of Schnorr signatures makes it possible to aggregate keys and signatures. Aggregation means combining several public keys into one so that only one signature is required from all parties. By adding the keys of several inputs, they can be aggregated into a single signature composed of the partial signatures of all signers.
The equations below illustrate the aggregation process made possible by the linearity of Schnorr signatures. Nobody except the participants knows that three people stand behind one public key/signature.
In multisig transactions, m-of-n partial signatures are known as threshold signatures. As the diagram below shows, in a 3-of-5 multisig we have m = 3 signatures (out of n = 5) in the transaction inputs.
m-of-n multisig transactions require at least m signers and verification of each signature. To prove ownership of the multisig UTXO, the unlocking script (scriptSig) must contain m ECDSA signatures. The size of the scriptSig grows linearly with the number m of signatures, which increases the size of such transactions (and the transaction fees).
In addition, an observer will know that A, B and C signed the transaction and will be able to identify the multisig scheme used.
With Schnorr, the m signatures are aggregated into a single signature. Once the public keys and threshold signatures are provided, the transaction is authorized and looks like an ordinary P2PKH transaction.
Schnorr signatures make it possible to produce just one signature for all m signers. The unlocking script contains one signature, which is the aggregate of all participants' signatures.
An observer can no longer tell whether a transaction was signed by one person, many people or a threshold number of people. Although the addresses and amounts in transactions remain publicly visible, Schnorr signatures make wallet and usage-pattern fingerprinting harder.
Reducing transaction size and increasing verification speed
A Schnorr signature is 11% smaller than the existing signatures, which take up approximately 70–72 bytes in transactions. Since they occupy less space on the blockchain (their fixed size is 64 bytes), this reduces transaction size and fees.
Also, if a Bitcoin transaction contains many inputs, each of them needs a separate signature. In a transaction spending bitcoins controlled by many signers, each signer must provide a separate ECDSA signature, and these signatures are verified individually. Verifying a group of signatures efficiently requires additional mathematical techniques.
With Schnorr signatures, all inputs need only one combined signature. Including a single signature in a transaction creates additional room for other transactions. Smaller multisig transactions mean lower fees, and key aggregation makes it unnecessary to verify each individual input, which speeds up confirmation.
It is harder to create a compact multisignature with ECDSA, since such signatures are encoded according to the DER standard, unlike Schnorr signatures, whose encoding requires less space.
How will the Schnorr signature scheme be introduced?
BIP-340 is the standardization of Schnorr signatures that allows them to be integrated into the Bitcoin protocol.
The update itself raises no objections among developers. They consider this scheme the best of the existing ones, since its mathematical properties guarantee a high level of correctness, it is resistant to malleability, and it is relatively fast in terms of transaction verification.
If Schnorr signatures are implemented, an ordinary user will hardly notice their arrival (apart from one character in SegWit addresses). Schnorr signatures will not replace ECDSA in Bitcoin; both schemes will coexist.
What is Taproot (BIP-341)?
Taproot (BIP-341) is the second part of the proposal comprising Schnorr/Taproot/Tapscript. Where the Schnorr scheme offers a new type of signature, Taproot extends its functionality by introducing a new transaction output version and a new way of defining spending conditions.
Who invented Taproot, and when?
Taproot was designed and proposed by Bitcoin Core developer and former Blockstream CTO Gregory Maxwell.
In April 2018, the mathematician Andrew Poelstra published a mathematical security proof. In July of the same year, Xapo engineer and Bitcoin Core developer Anthony Towns proposed a solution that increases the amount of data Taproot can use.
On May 6, 2019, Pieter Wuille published Bitcoin Improvement Proposals presenting the Taproot update together with Schnorr signatures and MAST. To implement the update in the Bitcoin code base, Wuille proposed a soft fork.
On January 21, 2020, Wuille included Taproot in a pull request for the next soft fork.
The Schnorr/Taproot proposal is now published as BIPs 340, 341, and 342; see https://t.co/33uulyo8ra
Note that the assignment of BIP numbers is not any kind of stamp of approval; it means the process was followed (which includes some amount of public discussion).
– Pieter Wuille (@pwuille) January 24, 2020
What does Taproot make possible?
Where Schnorr signatures let multisig transactions look like standard Pay-to-Public-Key-Hash transactions, Taproot combined with Schnorr signatures extends this, widening the set of transaction types that can be made to look standard:
- single-key spends using P2PKH and P2WPKH;
- n-of-n spends with MuSig or equivalents (similar to the current use of P2SH and P2WSH 2-of-2 multisig);
- k-of-n (for small values of n) using the most common k signers;
- Lightning Network channel closures, atomic swaps and other protocols that can sometimes end with all parties agreeing on the outcome.
These four categories of use cases account for most Bitcoin transactions today. Regardless of the contract's complexity, Taproot lets the cooperative outcome appear on the blockchain as a single-key spend.
The remaining scripts describing other outcomes of the contract are not added to the blockchain, which frees up space in a given block for more complex transactions.
How does Taproot work?
Understanding Taproot first requires an understanding of MAST.
MAST (Merkelized Abstract Syntax Tree) was proposed in 2016 by developer Johnson Lau.
MAST proposes a new script type that uses a Merkle tree to encode mutually exclusive branches of a script.
A Merkle tree is a data structure; the term "tree" describes the structure of its branches. A Merkle tree is usually drawn as in the diagram below: the root at the top and the leaves at the bottom.
MAST makes it possible to create complex contracts with many different sub-scripts. Only the script that is actually used is revealed, which saves space on the blockchain and allows more complex scripts/contracts to be implemented.
The Merkle tree is built by hashing each script individually to obtain a short unique identifier. Each identifier is then concatenated with another identifier and hashed again, producing another short unique identifier for that pair.
This process repeats until only one identifier remains, called the Merkle root (address = hash(1,2) in the diagram above), which uniquely identifies the entire data set in a few bytes. The Merkle root can be thought of as a "safe" for the coins.
Unlike Pay-to-Script-Hash (P2SH), MAST lets you structure many spending conditions in a tree. Only the conditions that are satisfied are revealed: the Merkle root and Merkle branch confirm that the condition is in the Merkle tree. The rest of the tree stays hidden.
For example, if we have a complex script stating that a party cannot spend its coins before a one-month period expires (a timelock), or that the coins can be spent with a 3-of-5 multisig, both conditions will be revealed as soon as the coins are spent (this is how Bitcoin works today).
MAST gives the following capability: if any data in the tree is disclosed, the Merkle root and some additional data (called a Merkle proof) can be used to confirm that the specific data was included in the Merkle tree. The rest of the tree (and thus the other conditions) stays hashed and hidden. This means that, if all participants agree, only the satisfied condition needs to be revealed.
Users of complex contracts can create smaller transactions, and the efficiency gain is larger for more complex contracts with many sub-scripts. MAST, unlike any other existing mechanism, allows many additional branches, which makes more advanced smart contracts possible without additional cost that would burden Bitcoin nodes.
In the illustration above, Alice can even add a longer chain of beneficiaries to the MAST structure without changing the number of bytes used. Fees do not increase, since she still spends her bitcoins using only 32 bytes. At the network level, blocks will be able to hold a larger number of complex transactions.
The drawback is that, to maintain a proper level of privacy by default, everyone is forced to use the MAST structure. The top branch of the tree is always visible, and observers can tell that other spending conditions exist. In addition, the burden on the majority of transactions, which need no additional script, increases, making them more expensive.
MAST has still not been deployed in Bitcoin, since the changes it requires are too complex and could have consequences that are hard to foresee. The Schnorr/Taproot/Tapscript package may solve this problem, since it strikes a golden mean between simplicity and additional functionality.
How does Taproot improve MAST?
Taproot offers its own version of the Merkle tree, called the script tree. Participants can choose to spend using:
- a public key, as an ordinary signature;
- a script.
The first is the default spending path, in which single-party and multi-party public keys are indistinguishable.
In the second case, the hidden scripts are not revealed until the output is spent. Different scripts can be organized into a Merkle tree, and the output can also be spent by revealing one of the scripts.
If we spend the output using the primary spending script, we simply provide a Merkle proof consisting of the primary spending script and the hash of the alternative spending script; that is enough to confirm that the primary spending script is contained in the script tree.
Taproot uses the MAST structure to hide the conditions beyond the root. The root itself is Merkleized in this script and permits direct spending through the key. Only a single key is published to the blockchain; nobody sees that additional conditions exist.
In combination with Schnorr signatures, the MAST structure is hidden thanks to Taproot outputs. At the top of the tree there is the option to publish a single public key and signature. As a result, P2PKH and P2SH transactions look identical.
An example is the closing of a Lightning channel.
Lightning channels are a variation of 2-of-2 multisig. Instead of closing the channel with a bulky script, Schnorr allows the signatures to be combined and presented as a single Taproot public key/signature. When both parties agree, the result looks as if someone spent this output with a regular signature, sending funds to two addresses. An observer cannot determine that this was a Lightning channel.
TapBranch: the script tree for closing a Lightning channel
To hide the MAST structure, the TapBranch hash in the diagram above is hashed together with an aggregated public key (thanks to the Schnorr scheme, Alice's and Bob's public keys can be added to create the Taproot internal key).
The resulting hash is used as a private key, from which another, tweaked public key is derived. Key tweaking, also known as key-pair hiding, embeds scripts 1 and 2.
Next, the tweaked public key is added to the Taproot internal key to create the Taproot output key. The process is illustrated below:
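The following Python is an added example and is not code from the article, Bitcoin Core or any BIP reference implementation. It shows, with textbook Schnorr over secp256k1 (full points, no x-only parity handling), how partial signatures made against the summed nonces and keys add up to one signature that verifies under the summed key (the linearity property described earlier), and then builds the TapLeaf/TapBranch hashes and the BIP-341 output-key tweak described in this section; the two-leaf script tree and the signer keys are constructed inputs.

```python
# Added example, not code from the article, Bitcoin Core or a BIP reference implementation:
# textbook Schnorr over secp256k1 (linearity/aggregation) plus the BIP-341 Taproot tweak.
import hashlib, secrets
P = 2**256 - 2**32 - 977                                                # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and a[1] != b[1]: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)
def ec_mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r
def lift_x(x):  # BIP-340: the curve point with this x coordinate and even y
    y = pow(x**3 + 7, (P + 1) // 4, P)
    return (x, y if y % 2 == 0 else P - y)
def tagged_hash(tag, data):  # BIP-340: SHA256(SHA256(tag) || SHA256(tag) || data)
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()
def xb(pt):  # 32-byte big-endian x coordinate
    return pt[0].to_bytes(32, "big")
def challenge(R, Pk, msg):
    return int.from_bytes(tagged_hash("BIP0340/challenge", xb(R) + xb(Pk) + msg), "big") % N
def verify(Pk, R, s, msg):  # s*G == R + e*P, textbook form with full points (no x-only parity rule)
    return ec_mul(s, G) == ec_add(R, ec_mul(challenge(R, Pk, msg), Pk))

def aggregate_sign(msg, keys):
    # Each partial s_i = k_i + e*d_i uses the SUM of all nonces and keys, so e is shared and
    # the sum of partials verifies under the summed key (linearity). Plain key addition is
    # open to rogue-key attacks; MuSig adds per-key coefficients to prevent that.
    nonces = [secrets.randbelow(N - 1) + 1 for _ in keys]
    P_agg = R_agg = None
    for d, k in zip(keys, nonces):
        P_agg, R_agg = ec_add(P_agg, ec_mul(d, G)), ec_add(R_agg, ec_mul(k, G))
    e = challenge(R_agg, P_agg, msg)
    return P_agg, R_agg, sum(k + e * d for d, k in zip(keys, nonces)) % N
def tapleaf(script, version=0xC0):  # script must be shorter than 253 bytes here
    return tagged_hash("TapLeaf", bytes([version, len(script)]) + script)
def tapbranch(h1, h2):  # children are sorted lexicographically before hashing
    return tagged_hash("TapBranch", min(h1, h2) + max(h1, h2))
def taproot_output_key(P_int, merkle_root=b""):  # BIP-341 tweak; x-only output ignores Q's parity
    t = int.from_bytes(tagged_hash("TapTweak", xb(P_int) + merkle_root), "big")
    return ec_add(P_int, ec_mul(t, G))
def script_path_check(P_int, Q, leaf_script, sibling_hash):
    # Spender reveals one leaf plus its sibling hash; the verifier recomputes root and Q.
    return xb(taproot_output_key(P_int, tapbranch(tapleaf(leaf_script), sibling_hash))) == xb(Q)
```

The internal key used in the test below is the first BIP-341 wallet test vector, so the output key can be checked against the published value.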
As noted, there are two spending paths. The default path is when Alice and Bob agree to close the Lightning channel, and the Taproot output key guarantees that the transaction looks like a standard P2PKH transaction. In other scenarios, the script used is revealed once the coins are spent, while all other options stay hidden.
In the example above, if Alice and Bob agree on the Lightning channel closure, they can jointly combine Schnorr signatures: create a master public key, add their signatures together and produce the master signature.
Both parties produce partial signatures with their individual keys, and the Lightning channel closure looks like a direct payment to a public key.
In a non-cooperative close, only the script used is revealed. A verifier can determine that the threshold public key was tweaked with the Merkle root, but all other options/scripts remain hidden.
The diagram above shows that the script tree offers a new recovery option for regaining access to bitcoin. Taproot provides a recovery option for lost coins (for users with updated wallets). If a single key is lost, it is lost irrevocably. But if the user loses the private key and the funds are in a Taproot output, there can be another path for claiming the coins (for example, 3-of-5 backup keys held by the user's relatives).
Taproot improves the privacy, efficiency and flexibility of Bitcoin scripts, allowing developers to write complex scripts while minimizing the impact on the blockchain.
Complex transactions can save significantly on fees, since scripts that require processing large amounts of data no longer have to pay fees exceeding those of a standard Pay-to-Public-Key-Hash transaction. The more complex the transaction, the greater the efficiency gain.
Since Taproot allows complex transactions to use just one signature, the number of bytes used for aggregated keys and signatures does not depend on the number of signers. With Pay-to-Witness-Script-Hash (P2WSH) multisig, each additional public key adds 8.5 bytes and each additional signature approximately 18.25 bytes.
In terms of privacy, Taproot minimizes the information about an output's spending conditions that is revealed on the blockchain. Thanks to Taproot, most applications can use the key-based spending path, whose privacy is protected.
While the Schnorr scheme lets multisig transactions look like ordinary Pay-to-Public-Key-Hash transactions, Taproot widens the range of transactions that can be given this appearance (both Pay-to-Public-Key-Hash and Pay-to-Script-Hash).