Taproot: Privacy preserving switchable scripting



Summary:

This email thread from the bitcoin-dev mailing list discusses the interest in merkelized scriptPubKeys for efficiency and privacy. The idea is to make fancy contract use cases as indistinguishable as possible from the most common and boring payments, so that the anonymity set of fancy usage can be larger in practice. One suggestion has been to include a dummy branch for the rest of the tree in ordinary checksig-only scripts, but this would add 32 bytes of overhead. Gregory Maxwell instead proposes a special delegating CHECKSIG, called Taproot, which makes the special case of a top-level "threshold-signature OR arbitrary-conditions" indistinguishable from a normal one-party signature with no overhead at all. The construction gives fixed-party smart contracts the largest possible anonymity set by making them look like the simplest possible payments. It requires no sketchy or impractical techniques, no extra rounds of interaction between contract participants, and no durable storage of other data. The computational cost of verifying the signature path is the same as for any other plain signature, and verifying the branch redemption requires a hash and a multiplication with a constant point, which is strictly cheaper than a signature verification and could be efficiently fused into batch signature validation.
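As an added illustration (not code from the post or this summary), the following Python implements the Taproot commitment from Maxwell's proposal, P = C + H(C||S)G, together with the script-path check that the summary describes as one hash plus one multiplication with a constant point. The secp256k1 arithmetic is a minimal, unoptimized implementation written for this example, and the internal key and script bytes are constructed sample values.

```python
import hashlib

# secp256k1 domain parameters: field prime, group order, generator
P_MOD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (unoptimized, for illustration)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def compress(pt):  # 33-byte compressed point encoding, the hash input for C
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")
def tweak(c_point, script):  # t = H(C || S), reduced mod the group order
    return int.from_bytes(hashlib.sha256(compress(c_point) + script).digest(), "big") % N

def taproot_output(c_point, script):
    """P = C + t*G: the key put in the scriptPubKey; indistinguishable from a plain pubkey."""
    return ec_add(c_point, ec_mul(tweak(c_point, script), G))

def verify_script_path(p_point, c_point, script):
    """Branch redemption: spender reveals C and S; verifier does one hash and one mul by G."""
    return taproot_output(c_point, script) == p_point

def key_path_privkey(c_priv, script):
    """Key path: holders of C's secret sign with c + t, so the spend is a plain signature."""
    return (c_priv + tweak(ec_mul(c_priv, G), script)) % N

# Constructed sample values: an internal key C and an arbitrary-conditions script S.
C_PRIV = int.from_bytes(hashlib.sha256(b"constructed internal key").digest(), "big") % N
C_POINT = ec_mul(C_PRIV, G)
SCRIPT = b"<constructed script bytes, e.g. a timelocked fallback condition>"
OUTPUT_KEY = taproot_output(C_POINT, SCRIPT)
```

A key-path spend signs with `key_path_privkey`, and the resulting signature verifies against `OUTPUT_KEY` like any ordinary single-key payment; only a script-path spend reveals C and S.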


Updated on: 2023-06-13T00:06:24.281564+00:00