Skip to main content

Taproot | Bitcoin Glossary | Mapping Bitcoin

Taproot

Protocol

Also known as: BIP341

Bitcoin soft fork activated November 2021 adding Schnorr signatures and MAST, making complex scripts indistinguishable from simple on-chain payments.

Overview

Taproot is the most significant Bitcoin protocol upgrade since SegWit, activated at block 709,632 in November 2021. Defined across BIPs 340, 341, and 342, Taproot bundles three interconnected improvements: Schnorr signatures, Merkelized Alternative Script Trees (MAST), and Tapscript. Together, these changes improve Bitcoin's privacy, efficiency, and smart contract capabilities.

Key Components

Schnorr Signatures (BIP340)

Schnorr signatures replace ECDSA for Taproot outputs, providing several advantages:

  • Linearity: Multiple signatures can be aggregated into a single signature, enabling efficient multisig schemes.
  • Smaller size: Schnorr signatures are 64 bytes versus ECDSA's ~72 bytes.
  • Provable security: Schnorr has a formal security proof under the random oracle model.

MAST (BIP341)

        Taproot Output
       /              \
  Key Path          Script Path
  (single sig)     (Merkle tree of scripts)
                       /        \
                    H(AB)      H(CD)
                   /    \      /    \
                 A: 2of3  B: timelock+sig
                 C: hash  D: emergency
                   preimage   recovery

The key path allows spending with a single aggregated signature, while the script path reveals only the specific branch being used. Unused branches remain hidden, preserving privacy and reducing on-chain data.

Privacy Improvement

The most impactful aspect of Taproot is that cooperative key-path spends for multisig, timelocked, and other complex spending conditions all produce identical-looking on-chain transactions — a single public key and a single signature. An observer cannot distinguish a 3-of-5 multisig spend from a simple single-key payment if the key path is used.

Pay-to-Taproot (P2TR)

Taproot introduced a new output type, P2TR, which uses SegWit version 1 addresses starting with bc1p. All Taproot outputs look identical regardless of their underlying complexity, further enhancing fungibility and privacy.

Common Misconceptions

  • Taproot does not break backward compatibility. As a soft fork, older nodes still accept Taproot blocks.
  • Taproot does not inherently enable all smart contract functionality — it provides building blocks that make future protocol development more practical and private.

Related Terms

Schnorr SignatureCryptography

Taproot's signature scheme (BIP340). More compact than ECDSA, it enables MuSig aggregation so cooperative multisig looks identical to a single-key spend.

TapscriptProtocol

BIP342 scripting rules for Taproot script-path spends, replacing OP_CHECKMULTISIG with OP_CHECKSIGADD and adding OP_SUCCESS opcodes for future upgrades.

P2TRProtocol

Pay-to-Taproot (BIP341) with 'bc1p' addresses. Combines Schnorr signatures with MAST for efficient key-path spends and private script-path alternatives.

Soft ForkProtocol

A backward-compatible Bitcoin consensus change that tightens existing rules. Non-upgraded nodes remain on the chain; SegWit and Taproot were soft forks.