So how does Taproot solve part of this problem?

Taproot introduced three individual BIPs:

- Schnorr Signatures (BIP 340)

- Taproot (BIP 341)

- Tapscript (BIP 342)


In this thread, we’ll just focus on Schnorr Signatures (BIP 340), as they are the main contributor to the privacy benefits.

Until November 12th, 2021 (block 709,632), ECDSA was the only signing algorithm that Bitcoin used.

However, on that day, Taproot was activated, which allowed for the use of Schnorr signatures.

Schnorr signatures offer many advantages over ECDSA, including space and fee savings.

But the most significant advantage offered by Schnorr signatures is key aggregation.

Here’s a quick explanation of key aggregation:

1/

Imagine you have a special toy box that can only be opened with a magic key.

You and your friends each have your own magic key, and when you want to open the toy box together, you need to use everyone's magic keys.

2/

Now, imagine there's a new way to open the toy box.

Instead of carrying all the magic keys separately, you can mix them together to make one big magic key.

This big key can open the toy box just like all the little keys could, but now it's easier to carry and use.

3/

Key aggregation is like making that big magic key.

People have special codes (keys) that they use to show they agree on something, like moving bitcoins.

Key aggregation lets them mix their codes together and make one big code that works the same way.

Essentially, key aggregation is a way for multiple parties to combine their public keys/signatures into a single public key/signature.

The privacy implications here are mind-blowing.

With Schnorr Signature key aggregation, multi-sig outputs look exactly the same as single sig outputs on-chain.

This makes it impossible for chain analysis firms to distinguish between multi-sig and single-sig spends.

*evil laugh*, cypherpunks win again, Monero shills in disbelief, etc., etc.

Schnorr sig aggregation is also a huge improvement to the Lightning Network.

The LN relies on 2-of-2 multisig transactions for channel opening.

With Schnorr aggregation, LN channel opens will look exactly the same as any other single-sig output on-chain.

And since LN channels inherit the privacy of the UTXOs used to fund them, this will be a huge improvement.

So can we use key aggregation today?

A draft BIP was just submitted to the Bitcoin Core repository.

https://twitter.com/real_or_random/status/1640337134199640065

The BIP still needs to be tested, but once approved by consensus, the community can begin to activate it.

The activation will ultimately be decided by the nodes on the network.

We hope to see key aggregation in the wild soon!

/end

We hope you learned something today.

Follow us @LN_Capital for more threads like these.

Also, if you run a Lightning node, be sure to check out Torq, link is in our bio!
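The key-aggregation idea from the thread, as an added worked example that is not part of the original note: pure-Python secp256k1 arithmetic, a simplified Schnorr signature, and a MuSig-style aggregation in which each public key is weighted by a hash-derived coefficient before the keys are summed (plain summation alone would let one participant pick a key that cancels the others, which is why the draft BIP referenced above weights keys). The hash tags, the single-round nonce exchange, and the uncompressed 64-byte point encoding are simplifications chosen for this example and do not match BIP 340/BIP 327 byte-for-byte; the message bytes are constructed. The point to observe is that `verify` is the same function for a single-signer signature and for the aggregated multi-signer one, which is what makes the two indistinguishable on-chain.

```python
import hashlib
import secrets

# secp256k1 domain parameters (field prime, group order, generator)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Group addition on the curve; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:                          # doubling (curve has a = 0)
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:                                 # chord through two distinct points
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Scalar multiplication by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def tagged_hash(tag, data):
    """BIP 340-style domain-separated hash: SHA256(SHA256(tag)||SHA256(tag)||data)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()


def encode(pt):
    # Simplified 64-byte x||y encoding (assumption of this example, not BIP 340's x-only form)
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def keygen():
    d = 1 + secrets.randbelow(N - 1)
    return d, point_mul(d, G)


def key_coefficients(pubkeys):
    """Per-key weights a_i = H(L || P_i), where L commits to the whole key list."""
    L = tagged_hash("KeyAgg list", b"".join(encode(p) for p in pubkeys))
    return [int.from_bytes(tagged_hash("KeyAgg coefficient", L + encode(p)), "big") % N
            for p in pubkeys]


def aggregate_keys(pubkeys):
    """Aggregate public key P_agg = sum(a_i * P_i)."""
    agg = None
    for a, p in zip(key_coefficients(pubkeys), pubkeys):
        agg = point_add(agg, point_mul(a, p))
    return agg


def challenge(R, pub, msg):
    return int.from_bytes(tagged_hash("BIP0340/challenge", encode(R) + encode(pub) + msg), "big") % N


def verify(pub, msg, R, s):
    """Schnorr check s*G == R + e*P. Identical for single and aggregated keys."""
    e = challenge(R, pub, msg)
    return point_mul(s, G) == point_add(R, point_mul(e, pub))


def single_sign(d, pub, msg):
    k = 1 + secrets.randbelow(N - 1)
    R = point_mul(k, G)
    return R, (k + challenge(R, pub, msg) * d) % N


def multi_sign(keys, msg):
    """Each signer contributes a nonce R_i and a partial s_i; the sums form one signature."""
    pubkeys = [pk for _, pk in keys]
    coefs = key_coefficients(pubkeys)
    P_agg = aggregate_keys(pubkeys)
    nonces = [1 + secrets.randbelow(N - 1) for _ in keys]
    R_agg = None
    for k in nonces:
        R_agg = point_add(R_agg, point_mul(k, G))
    e = challenge(R_agg, P_agg, msg)
    partials = [(k + e * a * d) % N for (d, _), a, k in zip(keys, coefs, nonces)]
    return P_agg, R_agg, sum(partials) % N


def demo_multisig(n_signers=2, msg=b"constructed: open a 2-of-2 channel"):
    keys = [keygen() for _ in range(n_signers)]
    P_agg, R, s = multi_sign(keys, msg)
    return P_agg, R, s, msg


if __name__ == "__main__":
    pub, R, s, msg = demo_multisig(2)
    print("aggregated 2-of-2 verifies as a single key:", verify(pub, msg, R, s))
```

An observer who sees only `(pub, R, s)` cannot tell whether `pub` came from `keygen()` or from `aggregate_keys()`; the tampered-message check in the test shows the aggregated signature is still bound to the message like an ordinary one.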

Quality thread 🔥

Need a better way to display it on Nostr clients