Author: Chris Belcher 2018-01-23 01:55:07
Published on: 2018-01-23T01:55:07+00:00
A new construction called Taproot has been proposed by Gregory Maxwell, which allows the largest possible anonymity set for fixed party smart contracts. This is achieved by making them look like the simplest possible payments with no overhead in the common case. The special case of a top-level "threshold-signature OR arbitrary-conditions" can be made indistinguishable from a normal one-party signature, with no overhead at all. With sufficient adoption, coinswap's anonymity set could be much higher, potentially including almost every other on-chain transaction. Merkelized scriptPubKeys (e.g. MAST) are being used to drive interest in efficiency and privacy. Hiding unexecuted code leaves scripts indistinguishable to the extent that their only differences are in the unexecuted parts. There is no need to make a trade-off as the Taproot consensus rules would allow this script to be satisfied by someone who provides the network with C (the original combined pubkey), S, and does whatever S requires. This composes just fine with whatever other merkelized script system we might care to use, as the S can be whatever kind of data we want, including the root of some tree.The verification computational complexity of signature path is obviously the same as any other plain signature. Verification of the branch redemption requires a hash and a multiplication with a constant point which is strictly more efficient than a signature verification and could be efficiently fused into batch signature validation. The nearest competitor to this idea would support a simple delegation where the output can be spent by the named key, or a spending transaction could provide a script along with a signature of that script by the named key, delegating control to the signed script.
Updated on: 2023-06-13T00:05:46.849117+00:00