Bitcoin Taproot Upgrade: Changes to Transaction Privacy

By Kane

Bitcoin Taproot has been activated at block 709632 as a new soft fork. Introducing Schnorr signature scheme, MAST (Merkelized Alternative Script Tree) and TapScript into Bitcoin, Taproot integrates new features that will improve flexibility of smart contracts on Bitcoin while providing transactions with stronger privacy through unifying locking scripts.

1. Introduction of Taproot Privacy

Through uniting operations like single-sig scripts, multisig scripts, complex contracts and flash network channels into the same locking scripts, Taproot brings better privacy for transactions.

Towards P2TR (Pay-to-Taproot) locking script，we have two ways to unlock it:

（1）Key-Path: Unlock the P2TR locking script through the corresponding private key to its scriptPubkey

（2）Script-Path: Unlock the P2TR locking script through script contained in MAST

We can choose Key-Path, and so can we choose Script-Path to unlock the same P2TR locking script. Benefiting from Schnorr signature algorithm, Key-Path allows off-chain n-of-n multisig or single-sig and then the merged signature, as witness, will be used to unlock the P2TR locking script. Multi-signing via Schnorr protects privacy of the transaction, and when unlocking it via Script-Path, unused scripts in MAST maintain their privacy. Furthermore, we can construct m-of-n multisig with MAST.

2. Analysis on Taproot Privacy

Is it true that Taproot can protect privacy? The answer is YES! With exquisite design as Taproot is, we cannot distinguish transaction’s category only from P2TR address type, to identify whether it’s individual single-sig, multisig or other complicated contracts. However, in the short run, Taproot is not necessarily to bring substantial improvement on transaction privacy.

We know that blockchain data tracking and analysis softwares often apply heuristic methods to classify UTXOs (wallets), and they will categorize UTXO anonymity sets with similar features into the same one category as possible while to be as different as possible from other disparate UTXO anonymity sets. So, for the same kind of UTXO anonymity sets, the bigger an anonymity set is (i.e. the more UTXOs included in it), the more private it is.

Taproot introduces a new address type, P2TR (Pay-to-Taproot), which is easily distinguishable from existing address types. Therefore, when Taproot is activated, as most UTXOs are still other address types, the first P2TR users will be put into a very small anonymity set with the others using P2TR. Smaller anonymity sets will be easier for blockchain analysts to trace funds across the blockchain.

For example, after Taproot was activated, only platform A in the market first supported the P2TR address, whereas other HD wallets and platforms didn’t support it yet. When we analyze the on-chain transactions, the P2TR address X of one transaction is very likely the address of platform A, so, we analyze on-chain behaviors of P2TR addresses on platform A and compare them with P2TR address’ behaviors , we can further confirm the relationship between this address and platform A, and consequently through platform A we can acquire information about this address as much as possible. But P2PKH addresses make it harder to analyze.

Of course, with more and more infrastructures supporting P2TR and more users using it, the P2TR anonymity sets will be larger and thus P2TR can enhance privacy. It is worth noting that since the activation of Segwit V0 in August, 2017, the on-chain share of Segwit V0 transactions is not as high as expected. We learned from the BTC outputs in the last year that P2WPKH outputs accounted for 18.724% of total transaction outputs, P2WSH was 1.682% while P2PKH and P2SH were 37.568% and 41.035% each.

3. Analysis on MPC Privacy

P2TR is an exploration of privacy improvement for the Bitcoin system, but is there any other more common privacy protection solution which supports multiple blockchain systems? Actually, yes. MPC, not only a universal multisig solution, but also a privacy protection scheme.

Secp256k1 signature algorithm is achieved via MPC protocol, eliminating single point of failure caused by a single private key, also realizing m-n multisig wallet management. The specific MPC multisig process is as below. Solving potential problems in multisig in signature algorithms can bring better multisig versatility and privacy. If the blockchain system adopts Secp256k1 signature algorithm, then deploying MPC protocol can carry out multisig wallet for this chain system. And for wallet format, MPC wallets and wallets with a single private key share the same wallet address format which means it’s hard to differentiate wallet addresses.

For BTC privacy, we can manage P2PKH and P2WPKH addresses with MPC protocol (P2PKH and P2WPKH outputs accounted for 56.292% of total transaction outputs altogether in the last year) as bigger P2PKH and P2WPKH UTXO anonymity sets can bring stronger privacy. For ETH, MPC multisig wallet addresses are the same as common EOA account addresses. Compared to ETH contracts, multisig wallets have better privacy, lower transaction fees and other advantages.

Currently, Safeheron has achieved MPC protocol using Secp256k1 and Ed25519 signature algorithms, which supports universal multisig management for most public blockchain wallets. Equipped with a robust Safeheron policy engine, you are the one in total control of every fund flow.

4. Comparison on Privacy of Taproot and MPC Wallet Management

References

• https://braiins.com/blog/explain-like-im-not-a-developer-taproot-privacy

• https://bitcoinops.org/en/preparing-for-taproot/#is-taproot-even-worth-it-for-single-sig

• https://river.com/learn/terms/p/pay-to-taproot-p2tr/