Topic: Taproot proposal - page 23. (Read 11253 times)

it's now merged: https://github.com/bitcoin/bitcoin/pull/19944



(and this is the secp256k1 subtree merged into the bitcoin core repository, it now looks that 0.21.1 will very likely include the taproot/schnorr activation code)

Honestly thought this news deserved a little more attention than it seems to be getting.  A hardy "Good work!" to all involved.  Is the lack of fanfare purely because people are more excited about the aggregation part that isn't quite ready yet?

The above mentioned improvements have been applied and now the BIP340 support for libsecp256k1 is ready to be merged: https://twitter.com/pwuille/status/1300572711312265218

Pieter has posted about changing BIP340 to us a different R tiebreaker: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-August/018081.html

This is some signature algorithm behavioural minutia. Basically BIP340 did an unconventional thing because we believed it was faster enough to be worth a small increase in implementation complexity but it turns out that our belief was based on a both a broken benchmark and a supporting (wrong) assumption and it's not actually faster and might, in fact, be slightly slower in the long run.  Changing to the more conventional thing would simplify implementations and make them somewhat faster.

He tells me that he's received a bunch of positive commentary on it, so I expect the change will be made soon!

Nice article by Aaron Van Wirdum to non-technically sum up all the recent development in Taproot and how  Payment Pools could be used as as Layer 1 scaling solutions and privacy feature.

I don't want to cross-post, so I am linking it here.

people should absolutely "vote with their money" and leave such exchanges, if that's a viable option for them.

that doesn't address the larger issue though. we need to consider what people actually do by default. think about why the maker/taker fee model is so prevalent: because the vast majority of market participants are liquidity takers. further, there is zero indication that privacy is a priority for most of them. they will continue seeking out the highest liquidity exchanges, who all seem to be ratcheting up their AML standards one by one.

so while i agree with you, i don't think that's a viable solution long term. privacy advocates will just have less and less services at their disposal, with worse and worse liquidity. what we need are better coinjoin solutions so that we can slip through unnoticed with the the rest of the masses---so we aren't at a constant disadvantage re liquidity. this will take some time.....probably years.

wasabi wallet was groundbreaking as a first step, but its coinjoin implementation obviously puts its users at a great disadvantage re existing blockchain analysis heuristics. that's a problem we can't afford to ignore.

When an exchange harms your privacy applying weird heuristic to your transaction before or (worst) after using them, just stop using it.
I started a thread on this exact fact: [PAXOS+COINJOIN]Your privacy is a threat to exchange business?#deletepaxos

indeed, there are layers upon layers of deniability baked in. there are other privacy pitfalls that could play a role, like browser/cookie analysis and IP address/bloom filter analysis by adversarial nodes. even then, the notion of getting a jury to convict based on this kind of chain of evidence is a tossup at best. blockchain analysis companies are generally working off a huge number of assumptions and that will become obvious to any jurors studying their protocols.
 

in theory (actually this is arguable since coinjoin transactions are always currently more expensive).

in practice, most coinjoins are very obvious on-chain, and some exchange customers are paying the price for it. taproot, cross-input aggregation, and less obvious coinjoin mechanisms will mitigate this in the future, but for now all i can say is, be careful of your proximity to exchanges and AML/KYC enforcing services when engaging in coinjoins.

I think it is worth noting that chainanalysis is based on very weak heutistics.
The reality is there is nothing linking an address to another one. (taking to the extreme, even a transaction with one input and one output).  And each steps those heuristics become weaker and weaker every step down the chain analysis.
 
I am afraid the "chainanalysis stuff" is nothing would hold in a serious trial.

By the way batch transactions (output aggregation) togheter with coinjoin (input + output aggregation) are the best practices to transact over the bitcoin protocol. The fact that these techniques aren't implemented in "basic" wallets is not relevant. Everyone should always transact this way for every of his transaction.

What will be interesting to see is how exchanges and businesses react to this, as well as governments. The only reason governments are allowing Bitcoin to stay legal, or even neutral, is due the fact that they think they have the means to control it with efforts such as chainanalysis. Once/if BTC reached a point of actual fungibility in which the costs of trying something like chainanalysis are bigger than simply outlawing it, that is what I would predict would happen (that governments outlaw it and go into a full front attack), which will only make other governments become tax havens for BTC holders. Ultimately the price would most likely be pushed upwards but there would be an awkward period of, once again, "Bitcoin is dead" all over mainstream media.

taproot/schnorr will run at layer 0. CT could in theory too but there are strong reasons it won't (bloat and lack of support for consensus change).


taproot offers the beginnings of that. amounts and output linkability are still unaddressed at this time, but basically everything under the hood of a transaction can be hidden. cross-input aggregation (once implemented) will further provide strong fee incentives to drive users towards schnorr-based coinjoin and/or adaptor signature-based mixing transactions. wallets could offer these as automatic/default mechanisms. if most of the network is using taproot, these are pretty huge privacy gains for everyone.

unfortunately, we can't approach this issue as if it were day 1. as gmaxwell pointed out, there is uncertainty around being able to deploy even mundane consensus changes---let alone ones that are actually contentious.

By regular I meant what you point to be as bc1q. So bc1p is it for the new one. I didn't realize it was bc1q, but bc1 then random string. Im not a segwit user myself, still only use legacy. There's no way in hell the regular average joe user will notice any of these changes. That's why I insist: we need everything to be "mixed by default" somehow, and optional would be the clear transactions, ideally. What I mean is, the end user should just have to click "send" and that would be by default a mixed transaction. Then have some box you can check to not mix it optionally. This would be the standardized functionality of all wallets. That's how we reach proper fungibility. Otherwise we are going to start seeing horror stories regarding chainanalysis and innocent people ending up with BTC that was "tainted" attached to their names when they deposit in exchanges and whatnot. The only way to avoid this is that everyone by default mixes coins.

I don't know what you have in mind when you say "regular address".
Bech-32 encoding is a rather simple encoding of any data that takes an octet string (8 bits) convert it to 5 bit chunks and then converts each chunk to one of 32 characters defined by BIP-173 (that is qpzry9x8gf2tvdw0s3jn54khce6mua7l).
For an address we add the witness version as its first 5-bit chunk without needing any conversion so when it is 0 you choose the first char that is "q" and when it is 1 you choose the second that is "p" and so on.
they are all "regular addresses" with a different version.

The bips 340 341 and 342 if there is in the community a large consensus for their implementation, will in my opinion be one of the most important upgrades to Bitcoin. However, this implementation will also be a test of the community and its future, because if Bitcoin was already advertised by governments as a facilitation of money laundering, as well as the financing of criminal and terrorist organizations, with this upgrade, we will see strong attacks by political power.

Regarding to the hashpower, the new stratum v2 protocol, aims to further decentralization and break, in part, with the pools decision-making regarding to block protocol improvements.

These things have to run at layer 0 to get any traction imo. We should have had better fungibility since day 1. Things should be mixed by default, what should be optional is making a clear A to B transaction. If we are going to have privacy, we want it to be as close to default state as possible. The internet went throught this already. We would have avoided the spying clusterfuck that it has become if it ran private by default. Only now ages later Tor is becoming more known as well as VPNs, but thats far from ideal. It's still nothing in the grand scheme of things.


Can't regular bech32 addresses begin with a p?

The main problem for cross input aggregation is that normally you can just soft-fork in new signature types (e.g. including new sighash types) just by creating a new checksig operator (or having a pubkey of a different length).

But a new signature type added in a backwards compatible softfork couldn't be aggregated with other signatures even if the underlying crypto is the same.  This is especially relevant because there is a current interest in adding some new sighash types, also graftroot which is also effectively a new sighash type.

Aggregation could have been done for basic taproot alone, and then any new types would have to be separately aggregated... but probably along the way we'd come up with different optimizations in how aggregation works, and then the consensus rules would have two implementations of aggregation. Worse, if taproot originally has aggregation people will probably upgrade slowly to a later tapgraftroot since mixed transactions would have higher overhead from the inability to aggregate them both, and fungibility would be hurt by the slow upgrade.

There are also some ideas that could allow for better backwards compatibility.  In particular,  if a new witness-like p2p extension were made that allowed transmitting the concrete sighash values as witness data to old nodes that don't know how to generate those sighashes (but otherwise not keep them in blocks),  then aggregation could be preserved even with future softforked in sig hashes.   But witness-like p2p extensions are a real pain to design and deploy, and no one seemed particularly eager to do that work right now. If one is done it should probably pick up some other improvements other than just backwards compatible aggregation.

So essentially, aggregation is conceptually ready but there are very strong incentives to deploy it in combination with other features which are not currently ready.  Trying to do everything at once is just too big an engineering project to pull off safely, and we're likely to learn a lot from actual usage of taproot which would help improve the design of other features (particularly of graftroot/g'root).

Right now I don't think the current amount of engineering interest in Bitcoin is particularly healthy.  Many long time contributors, including myself, have essentially stopped contributing for a variety of reasons (including uncertainty around political disruption of deploying even fairly boring new consensus changes, concern that too much bitcoin hashpower is controlled by bitcoin adversarial parties who would attempt to block protocol improvements, etc. on top of more generic factors).  Lightning is also easier, faster, and often more interesting to work on and so it has diverted a lot of new blood.

It's mentioned in BIP 341 as essentially not being ready yet:

has there been discussion about cross-input aggregation and when it might be implemented? i was under the (apparently mistaken) impression it was gonna be included with taproot. it does not appear to be included anywhere in BIP 340-342.

yes. in a Bech32 encoding when you set the witness version to 1 the first character after the separator (ie. 1) is going to become letter "p".
BIP 173 doesn't mention this but it is easy to use one of the libraries to encode an arbitrary length byte array to see what the first character is. https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki
empty 32 bytes= bc1pqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq5us4ke

Looking at the title of BIP 341 (Taproot: SegWit version 1 spending rules), does that mean we'll see address with prefix bc1p?


Not only hardfork, but CT have bigger size compared with regular transaction (even if you combine CT with Bulletproof, just like what Monero did), so i doubt it'll gain massive support.