Author: Russell O'Connor 2019-05-21 17:20:32
Published on: 2019-05-21T17:20:32+00:00
The Tapscript specification calls for the final value of the stack to be a single non-false value, which may be altered to require an empty stack upon completion. This change could remove a potential malleability vector and simplify development of Bitcoin Script, allowing two policies to be implemented with simple concatenation of Bitcoin Scripts. The conjunction of policies can be implemented with taproot's ability to form the disjunction of policies by having multiple Merkle branches, making it easy to translate a policy written in disjunctive normal form to a taproot of tapscript. The developers of miniscript are better equipped to comment on whether this intuition is correct. Scripts under the old one element rule can be translated to the new rule by adding an OP_VERIFY operation to the end of the script. Even if the empty stack rule is not implemented, requiring the last element to be 0x01 would remove a potential malleability vector and align it with MINIMAL_IF semantics. On May 6, 2019, Pieter Wuille proposed a Taproot softfork with several ideas included such as making all outputs and cooperative spends indistinguishable from each other, hiding unexecuted branches in scripts using Merkle branches, using Schnorr signatures to enable key aggregation/thresholds within one input, improving signature hashing algorithm, replacing OP_CHECKMULTISIG(VERIFY) with OP_CHECKSIGADD to support batch validation, using tagged hashing for domain separation, and offering extensibility through leaf versions, OP_SUCCESS opcodes, and upgradable pubkey types. The BIP drafts include transaction input spending rules and changes to Script inside such spends, and a Schnorr signature proposal. An initial reference implementation of the consensus changes, plus preliminary construction/signing tests in the Python framework are found on https://github.com/sipa/bitcoin/commits/taproot.
Updated on: 2023-06-13T18:39:30.232006+00:00