In September 2019, Bitcoin Optech organized workshops in San Francisco and New York City on the schnorr/taproot softfork proposals. The aims of the workshops were to:
- share current thinking in the open source community about the proposals,
- give engineers a chance to work with the new technology through interactive jupyter notebooks, and
- help engineers take part in the community feedback process.
This blog post contains all of the videos, slides and jupyter notebooks from those workshops, so engineers at home can learn about these exciting new technologies.
The workshops were split into 4 sections:
- Preparation and basic math - shows how to set up the jupyter notebook environment, gives a refresher on basic elliptic curve math, and introduces tagged hashes.
- Schnorr signatures and MuSig - describes the bip-schnorr signature scheme and how to use MuSig to aggregate multiple public keys and partial signatures into a single pubkey/signature.
- Taproot - demonstrates how to create and then spend a segwit v1 output using either the key path (where a single signature is provided) or the script path (where a commitment to a single script or multiple scripts is embedded in a public key and later revealed and satisfied).
- Case studies - demonstrates some practical applications of the new schnorr and taproot technologies.
John Newbery gives a summary of why schnorr and taproot are useful technologies and explains why Bitcoin Optech created the workshop. He then outlines the workshop’s aims.
Preparation and basic math
This section shows how to set up the jupyter notebook, gives a refresher on basic elliptic curve math and introduces tagged hashes.
0.1 Test Notebook
Before starting the workshops, users should follow the instructions in the repository README, clone the workshop repository and run through the test notebook to ensure that their environment is set up correctly.
0.2 Elliptic Curve Math
Elichai Turkel provides a refresher on the basic elliptic curve math that will be required for this workshop.
0.3 Tagged Hashes
(No video) This chapter introduces Tagged hashes, which are used in both the bip-schnorr and bip-taproot proposals.
Schnorr signatures and MuSig
This section explains the bip-schnorr proposal and explains how MuSig can be used to aggregate multiple public keys and partial signatures into a single pubkey and signature.
1.1 Schnorr Signatures
Elichai explains the mathematics behind schnorr signatures and explains the bip-schnorr proposal.
Elichai describes the MuSig algorithm (authored by Gregory Maxwell, Andrew Poelstra, Yannick Seurin and Pieter Wuille), and shows how it can be used to aggregate multiple public keys and partial signatures into a single pubkey/signature.
This section explains the bip-taproot and bip-tapscript proposals. It shows the format of a segwit v1 output and how such an output can be spent in a key path spend or a script path spend. It demonstrates how a tweaked public key can commit to one or more scripts, and how the segwit v1 output can be spent using one of those scripts.
2.0 Introduction to Taproot
James Chiang gives an overview of the bip-taproot and bip-tapscript proposals. This notebook demonstrates how we’ll create transaction outputs, then spend them and verify that the spend is valid.
2.1 Segwit V1
James shows how to create segwit v1 transaction outputs and spend them using the key path spend.
James explains what a key tweak is, and how a tweak can be used to commit to arbitrary data.
James discusses how we can commit a tapscript in a segwit v1 output by using a taptweak, and how we can spend that output using the segwit v1 key path spend rules. He also explains the differences between tapscript and legacy bitcoin script.
James shows how a merkle tree of scripts can be constructed, and how we can commit to that tree using a taptweak. He then explains how to spend the output by satisfying one of those scripts and providing a proof that the script was part of the committed tree.
2.5 Huffman Construction
(No video) This bonus chapter shows how to most efficiently construct a tree of scripts by placing scripts that are more likely to be spent closer to the root of the tree.
This section gives demonstrations of how the new schnorr/taproot technologies can be used to build advanced Bitcoin services and products.
3.1 Degrading Multisig
(No video) This chapter demonstrates a degrading multisig wallet. In all cases, the output can be spent with a subset of the ‘live’ keys, but after some timeout, the output can be spent with a mixture of ‘live’ and ‘backup’ keys. Taproot allows multiple spending paths to be committed to, and only the one that is exercised is revealed on chain.
John concludes the workshop by explaining how you can get involved in the community feedback process for these proposals.