Taproot on Bitcoin

We show how to implement Taproot using the original Bitcoin protocol without any changes, by combining contractless contract and Merklized Alternative Script Tree (MAST).

Taproot in BTC

Taproot is the biggest Bitcoin Core upgrade since 2017, supposed to improve its functionality. In Taproot, we tweak a public key P to get a new public key Q as follows:

H() is a hash function and G is the generator point. This is the same formula in Equation 4 when we link data to a signature. In this case, the data committed in Q is simply m, the root of a MAST. P is the aggregated public key of all parties.

Pay to Taproot

There are two ways to spend fund locked in Q:

  1. Cooperative Case: a.k.a. Default Key Spending Path

When all parties agree on the output of a contract, represented by the MAST, they can all sign together to release the fund¹. Only a regular payment transaction is needed, hiding the actual contract/MAST.

2. Uncooperative Case: a.k.a. Alternative Script Spending Path

If any party does not sign, the fund can be unlocked using the MAST branch. The leaf script, its Merkle proof, and its unlocking script are needed as in a regular MAST contract.

Taproot in the Original Bitcoin

We can achieve what Taproot does using the original Bitcoin protocol, without any changes at all.

Taproot Using Contractless Contract

We simply use the contractless contract technique, where the contract is a MAST contract with Merkle root m. As in a general contractless contract:

  1. Cooperative Case: all parties sign and release the fund in a regular payment transaction tx2'.
  2. Uncooperative Case: if some party does not sign, we execute the MAST contract in tx2.


Taproot upgrade has taken BTC almost four years from inception to activation. It required fundamental and enormous changes at protocol level, including BIP114 (Merkelized Abstract Syntax Tree), BIP 340 (Schnorr Signatures), BIP 341 (Taproot), and BIP 342 (Tapscript).

Taproot on the original Bitcoin needs zero protocol changes and only 20 lines of code. The whole thing can be coded up in 20 minutes.

[1] Intuitively, private key q = p + H(P||m). Private key p is “known” jointly by all parties. P and m are both public, thus all parties can jointly sign against q’s public key Q.




sCrypt Inc (https://scrypt.io) is a company with a mission to provide integrated on-chain smart contracting solutions using the original BitCoin Protocol on BSV

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Understanding Card Authorizations from First Principles

Best Eset Password Manager alternative

TryHackMe: OWASP Top 10(Day 2) Beginner friendly walkthrough

{UPDATE} Enduro Hill Racing Hack Free Resources Generator

Difference Between Self-Managed VPS and Managed VPS

How I stopped hunting on HackerOne after years because they stole my $50k. And so should you.

{UPDATE} アズールレーン Hack Free Resources Generator

$oneUNI: A token to stabilize the DeFi world

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


sCrypt Inc (https://scrypt.io) is a company with a mission to provide integrated on-chain smart contracting solutions using the original BitCoin Protocol on BSV

More from Medium

Lightning Network: The Trojan Horse of the Crypto industry

Stablecoin Use Cases on Algorand: Here’s What’s Possible

Dissecting Algorand

The difference between Cardano and Polkadot