Topic: Taproot proposal - page 21. (Read 11516 times)

I guess for you it has a completely different meaning and I can sympathize with your mood. Let Coindesk be Coindesk, what can we expect from a media company which completely dismissed bitcoin for almost 4 years in favour of the infamous Blockchain Technology?
Like everyone they had to put their heads down and recognize that the only thing that matter is, of course, bitcoin.
 

The malicious lie underpinning this question was already addressed here: https://np.reddit.com/r/Bitcoin/comments/jwgbu0/mining_pool_operators_independent_miners_i/gd46yy1/

That isn't true. Coindesk ran an article saying that binance pool was the only top-5 mining pool that hasn't made a public statement of supporting it, I'll never stop being surprised at the level of dishonest narrative spinning that happens in this "industry".

Are we going to see new P2TR address format with this Taproot proposal update or there is no change for this and we keep well know formats?

No wonder that Binance pool is rejecting Taproot, and they are now one of the largest mining pool.

Luxor says count me in. Another mining pool has joined the race and will be activating the Taproot upgrade through BIP9.
With this a total of 6 mining pools have already signalled towards activating Taproot.

I'm working under the impression they're treating it like any other software update.  Some will opt to do it sooner, some a bit later.  I don't get the sense there are any political motivations involved in the decision.  More a question of simply when it's convenient timing to upgrade.

I could be wrong, but I think it might just be a case of people expecting drama when there may not be any.

AntPool signaling BIP8 like SlushPool, that's some news now! Perhaps, I've been too critical a few weeks ago when I was expecting some skirmish from miners regarding the upgrade. If that's the pace of miners activating Taproot we should get there in a reasonable amount of time.
Some of them eventually had to recognize which is the one and only bitcoin that rules.

Bitcoin mining pools representing over 54% of the network’s current hashrate have signaled support for the scaling and privacy protocol upgrade Taproot, merged into Bitcoin Core last month.



https://www.coindesk.com/bitcoin-miners-taproot-schnorr-support

Another Chinese pool, F2Pool, has started to signal for activation as well. One of the largest pools with BTC.com, part of the mining cartel.

It might be a smooth process without any drama and politics, but Slush's BIP8 for insurance.

 Another summary from BTC Times:

Mining Pools Poolin, Slush & BTC.com Announce Support for Taproot


Also nice link to https://taprootactivation.com/

From another perspective 2 of them (Poolin & BTC.com) are 2nd & 3rd with biggest hashrate, which is good start IMO.

That's a small start: currently, those three pools contribute an overall of 25% of global hashing power. By the way, BTC.com is from Bitmain.
It's interesting to notice the already very different approaches of the first three pools signaling the upgrade:

• Poolin - BIP9 (the same BIP for SegWit that went through tough times where the upgrade need to be activated before a specific time reaching a set threshold)
• Slush Pool - BIP8 (UASF that would also activate the upgrade at a specific future date or block height no matter the threshold reached)
• BTC.com - BIP8 + BIP9

Let's see when other pools join the party.

 

There are three mining pools which have started to signal support for Taproot/Schnorr activation. Poolin, Slush, and BTC.com.

BTC.com? Isn't that Roger Ver's pool?

Tracker, https://taprootactivation.com/

Schnorr without taproot isn't really that useful: it makes it simpler and safer to write threshold signatures but that's it-- you can already threshold signatures using burdensomely complicated client software.  And threshold signatures by themselves don't even do that much-- they let you make signatures somewhat smaller but only when you don't need to be able to tell which parties signed.   It's better --- but perhaps not worth the trouble of a consensus change by itself.

Taproot without schnorr isn't really that useful: without threshold signatures, which are burdensomely complex to write software for without schnorr, it only lets you have a single party key at the top (which is pretty useless.)

There is a third logical part of taproot,  which is the merkelized script. This part is probably the most useful of the three on its own, but it's much more useful in combination.  With it you can use trees of N of Ns to make thresholds work usefully even when you need to be able to tell which parties signed, and  N of Ns are much easier to deal with than arbitrary thresholds, because the latter requires interactive secret key generation.

In order to have the property where arbitrary complex scripts are normally indistinguishable from one-of-one payments you need all three.  They also can't just be independently implemented: taproot changes the pubkey that goes into schnorr verification to commit to the merkelized script.

There were other techniques proposed, including graftroot (allows you to add scripts to an output after someone has already paid to it), and improved signature flags--  but those were possible to implement independently without leaving the rest not very useful.  There were also a number of next steps like signature aggregation which would have been best implemented in combination but were still left out because the three main features of the taproot bip were still useful without it.

Looks like all the new testing is done with the python framework. I'll prod Pieter to add old style vectors.

They are over here: https://github.com/bitcoin-core/qa-assets/blob/master/unit_test_data/script_assets_test.json

Am I getting it wrong thinking that "schnorr" is just an improved way of doing EC signatures, while "taproot" is an extension to the scripts interpreter?

Because reading some publications (and this forum topic), one could get an impression that schnorr and taproot are synonyms, whilst for me they are two different features. Although, I understand that they are planned to be deployed and activated together.

I only found test vectors in bip340_test_vectors.csv - but they seem to be only checking sign_schnorr() and verify_schnorr() functions.

Are there any new test for entire scripts and transactions?

Some Bitcoin tumblers and Wasabi/Samourai should start developing/testing, and see what they can build for "offchain mixing". I believe that could give a lot of users a very valid reason to start using Lightning.

There are vectors at https://github.com/bitcoin/bitcoin/pull/19953/files#diff-6794e4c8edce5f4dd1a21181a91f0c166f34c876809e40f015e5926ee3d6a126

Will there be any taproot related tests added to the src/test/data ?

Of course, and that's actually a very elegant way to put it. Thanks gmaxwell, keep contributing here for us to really get into all-bitcoin-tech-things. And, really, thank you both for your two posts as now I believe I have a much clearer picture regarding what Taproot activation would mean. Thank you so much!

Terminology danger!

Signature aggregation refers to the case where the verifier (the blockchain) knows a bunch of different pubkeys and you prove that they all approved a transaction using a single aggregated signature.  This is the often talked about thing that taproot doesn't include that would help make multi-input transactions much smaller.

Threshold signatures and _key_ aggregation are where some participants cooperate to produce a single key which some threshold of them can sign for, but which to the network just looks like a single party signing.  Taproot allows this, and it's what allows you to make multisig like usage which is indistinguishable from single key.

So taproot removes the distinction between single party spends and multisig too (which can include lightning input spends which don't actually use CSV/CLTV, even if they have it available).  Indistinguishable threshold signatures may not, however, be usable for all multisig usage because the threshold signature requires a little more interaction between signers and because in some cases you really want the public record to reflect which participants out of the threshold actually participated.


Yes, but almost always you can restructure a script as "[All the parties agree]  OR [Complicated script thing]". If you can do this, you can put an N of N pubkey at the top, and if the parties cooperate, the parties can cooperate and just sign and and the fact that "complicated script thing" exists at all will not be exposed.

The only time the existence of a complicated script would be exposed is if some parties don't cooperate (E.g. because they're offline).