Bitcoin’s Taproot soft fork is an essential step towards improving Bitcoin’s on-chain privacy. After the upgrade got activated on November 14th, 2021 at block height 709632, blockchain analysis companies are going to have a harder time determining what’s happening on the public ledger. Inconveniently for those seeking to deanonymize all bitcoin transactions, Taproot makes most on-chain contracts and conditional transfer look identical to regular transfers. Indirectly, this also benefits scalability (multisig setups no longer take more block space) and fees (smaller transaction outputs translate in lower costs for the users).
This article, however, focuses on the privacy aspect of Bitcon’s soft fork. It seeks to explain how Taproot increases every user’s plausible deniability and potentially poses a threat to the blockchain analysis business. To make this improvement easily comprehensible, the benefits will be divided by use cases.
How Taproot Increases Lightning Network Privacy
The Lightning Network is Bitcoin’s layer for instant, private and inexpensive transactions. Unlike a blockchain, it’s extremely scalable, fast and doesn’t require the entire network to store and validate every operation. The more elegant design also enables greater privacy: only the parties involved in a money transfer and the routing nodes can get information about an ongoing transaction. Outsiders are completely left in the dark and unable to tell anything about the actors involved and the amount of bitcoin that they moved around. For a better understanding of how Lightning works, read my article “Explaining the Lightning Network So Even a 10 Year-Old Can Understand It”.
But since Taproot is a base layer upgrade, does it really affect Lightning? Without this Schnorr-friendly upgrade, channel openings and closings get revealed on the public blockchain exactly as what they are: 2 of 2 multi sigs with hashed time locked contracts (HTLCs). After the Taproot activation, everyone opening or closing a Lightning channel collaboratively will appear to be doing a regular transaction which is indistinguishable from the others.
Previously, blockchain analysts were able to tell when certain transactions would close Lightning channels. But after Taproot, they will only be able to see that the coins have moved. They won’t know how they moved, they’ll only observe that the amount has been spent in an indistinguishable way.
However, the privacy level still isn’t perfect. As pointed out by Wasabi Wallet creator Adam Ficsor, non-private Lightning channels broadcast a channel point which corresponds to the opening output. Therefore, this bit of information, which can be observed on the Lightning network, gives away information about the output that is engaged in the channel opening. Taproot does make Lightning network channel opening private, but only if the channels are also private. Similarly, even though CoinJoin transaction before and after opening a Lightning channel can obfuscate the previous and future, the Lightning gossip would still reveal the precise UTXO controlled by the node operator. There is promising research to mitigate the problem with ring-signature proofs for DoS protection.
How Taproot Increases Sidechain Privacy
Like Lightning channel openings, sidechain peg-ins also rely on a multisig contract. On RSK (Rootstock, a Bitcoin sidechain which seeks to port Ethereum smart contracts), there’s a two-way peg (2WP) which ensures that the BTC gets transferred safely. But after Taproot, this transaction is going to be indistinguishable from all the others and will also occupy less block space.
The same happens for Blockstream’s federated sidechain Liquid, as well as Drivechains. Regular transactions, Liquid peg-ins, Lightning channels and user multisig will look exactly the same.
How Taproot Increases Multisig Privacy
In recent years, multisig setups have become extremely popular among bitcoiners. As the user experience has improved with wallets such as Electrum, Sparrow and Specter, many community members have chosen to make their coins harder to steal, hack or spend. The idea behind it is that you don’t need to trust a single wallet or entity with the randomness and security of your private key. You use different devices with different processing units to generate your keys, and afterwards you can go as far as distributing your private key backups to different parts of the world.
Depending on your setup (most users do 2 of 3, but you can go as far as 15 of 15 if you prefer complexity), you can get a lot of extra security at the expense of losing accessibility – and if you make it too hard even for yourself to recover the coins, you might just lose them.
Taproot has two essential benefits for multisig setups: it makes them more accessible (the transaction cost of signing a 19 of 20 transaction will be the same as taking care of a single one) and also adds an extra layer of privacy. All the unnecessary information will no longer appear on the public blockchain. This preserves the secrecy of all the signers by only displaying the main input and its corresponding output. Before Taproot, blockchain analysis could determine which keys from the setup have signed the transaction. After Taproot, this information will become unavailable to the public.
How Taproot Increases the Privacy of Bitcoin Smart Contracts
Since day one, Bitcoin has enabled smart contract functionality. Basically, users have been able to broadcast conditional transactions which would instruct the rest of the network when the funds become available for spending. Multisig setups, Lightning channel openings and sidechain peg-ins are all variations which make use of different types of conditions.
So let’s consider a basic contract in which Alice locks her bitcoins until a certain block height when she thinks her infant child Bob will be a grown adult, or else allows for Bob to unlock the amounts as soon as he becomes technically capable of signing a multisig transaction. Under the current framework, both conditions get revealed to the entire network and become part of the immutable ledger. But with Taproot, only the one that gets executed will actually become public. It’s an efficiency upgrade which saves precious block space but also a great privacy trick that’s going to enable lots of creative ways to preserve wealth across time.
Taproot Simplifies Invisible Coin Swaps
Mercury Wallet by CommerceBlock has become increasingly popular in recent months. This is because of a special feature which performs a change of output ownership on the Lightning network and effectively enables users to trade their coins’ transaction history in an elegant and scalable way. If bitcoiners open Lightning channels and trade UTXOs with one another, they can obfuscate a lot of the previous activities involving their money and return to the BTC blockchain with a different set of coins. Mercury Wallet makes use of Ruben Somsen’s statechains concept to lock funds for a predetermined amount of time and conduct mixes between equal outputs.
In a sense, Coinswaps are CoinJoins that make use of Lightning’s scalability and low fees. Thanks to Taproot, they too are indistinguishable from the other transactions.
However, with Coinswaps, you always face the risk of receiving a more problematic UTXO which may have a criminal history. Instead of combining multiple transaction histories (as in the case with CoinJoins), it enables an anonymous market for swapping transaction histories. As Wasabi wallet creator Adam Ficsor pointed out in a recent interview, the two privacy solutions can become complimentary tools: “The combination seems to be more interesting though: CoinSwaps to and from CoinJoins, which could make low anonymity set CoinJoins getting as much privacy as a CoinSwapper would.”
Bitcoin Privacy After Taproot
With Taproot, Bitcoin has undergone a long-desired upgrade to the more efficient Schnorr signatures, while also taking a few steps towards winning the battle against financial surveillance. This doesn’t mean that blockchain analysis becomes obsolete after this upgrade, though. First of all, it will take time for users to update their nodes to the latest Taproot-friendly client (so the benefits will not be enjoyed by everyone). Secondly, developers have to release wallets and applications that make use of Taproot’s full potential. For now, not much has changed since block 709632, when the soft fork was activated. But the numerous benefits of Taproot give hope for swift adoption.
Furthermore, the Bitcoin protocol can even further be optimized for scalability and privacy. One of them may be Jeremy Rubin’s OP_CHECKTEMPLATEVERIFY (BIP 119, formerly known as OP_SECURETHEBAG), which batches transactions to reduce the amount of inputs and cut down on fees during moments of high demand and congestion. With it, CoinJoins and Coinswaps can get even more plausible deniability since the same technique becomes a natural component of the Bitcoin transaction routine.
Other solutions include Drivechains (Paul Sztorc has managed to create a Zcash-like chain which serves the purpose of increasing the fungibility of processed bitcoins), Mimble Wimble extension blocks (an ongoing experiment on Litecoin, which may be useful if it proves to work), and the hope that Core developers will figure out a way to integrate zero-knowledge proofs or Confidential Transactions without the need for a hard fork. However, the Schnorr signature-powered Taproot is still a great start and the way in which it was activated gives us hope that one day bitcoins will acquire nearly-absolute fungibility.