Author: Jonas Nick 2020-02-10 16:28:32
Published on: 2020-02-10T16:28:32+00:00
A group of anonymous developers have raised concerns about the Taproot upgrade to Bitcoin and its benefits compared to simpler alternatives, as well as the development process. They question whether Taproot is actually more private and cheaper than bare MAST and Schnorr separately, and whether it is riskier given the new crypto. The group also questions the wisdom of trying to include a bunch of features into Bitcoin all at once, instead of embracing incremental improvements that can work together.In their second email, the group proposes an alternative deployment path for the Taproot family of changes, which involves separate soft-forks for Merkle Branch Witnesses based on Taproot, and for Schnorr Signatures, followed by a separate soft-fork enabling Taproot and Graftroot. They believe this is a more conservative option, allowing for real-world protocol engineering experience to see if the Taproot frequency of use assumption holds.The group's third email proposes modifying Taproot's specification in BIP-341, with a Taproot Public NUMS Optimization that adds a rule to attempt hashing a single element on the witness stack to see if it is equal to the witness program, before trying signature validation. If greater anonymity is required, a NUMS point can still be used in Taproot, but only when a single-use nonce can be sent.The developers argue that Taproot's efficiency presupposes specific use cases and probability distributions which may not necessarily be representative of the actual use of script paths. Furthermore, they suggest that if one doesn't want to use a Taproot top-level key, they would need to use a NUMS point, which increases costs for those who don't want Taproot. The group also raises questions about privacy, suggesting that a semi-randomized MAST structure could provide more privacy than Taproot. They also propose allowing the witness type to be either a MAST hash or a schnorr key. Finally, they suggest using a P2SH-like semantic to evaluate delegated scripts rather than adding a fancy delegation mechanism in Bitcoin.
Updated on: 2023-06-13T23:33:30.132124+00:00