Here is a categorized list of all the commits:

Refactors (sipa/bitcoin@f8c099e...450d2b2) [+50 -39]:

• 107b57d scripted-diff: put ECDSA in name of signature functions: In preparation for adding Schnorr versions of CheckSig, VerifySignature, and ComputeEntry, give them an ECDSA specific name.
• 8bd2b4e refactor: rename scriptPubKey in VerifyWitnessProgram to exec_script: The old name is confusing, as it doesn't store a scriptPubKey, but the actually executed script.
• 5d62e3a refactor: keep spent outputs in PrecomputedTransactionData: A BIP-341 signature message may commit to the scriptPubKeys and amounts of all spent outputs (including other ones than the input being signed for spends), so keep them available to signature hashing code.

BIP340/341/342 consensus rules (sipa/bitcoin@450d2b2...865d2c3) [+693 -50]:

• 9eb5908 Add TaggedHash function (BIP 340): This adds the TaggedHash function as defined by BIP340 to the hash module, which is used in BIP340 and BIP341 to produce domain-separated hashes.
• 5de246c Implement Taproot signature hashing (BIP 341): This implements the new sighashing scheme from BIP341, with all relevant whole-transaction values precomputed once and cached.
• 0664f5f Support for Schnorr signatures and integration in SignatureCheckers (BIP 340): This enables the schnorrsig module in libsecp256k1, adds the relevant types and functions to src/pubkey, as well as in higher-level SignatureChecker classes. The (verification side of the) BIP340 test vectors is also added.
• 8bbed4b Implement Taproot validation (BIP 341): This includes key path spending and script path spending, but not the Tapscript execution implementation (leaf 0xc0 remains unemcumbered in this commit).
• 330de89 Use ScriptExecutionData to pass through annex hash: Instead of recomputing the annex hash every time a signature is verified, compute it once and cache it in a new ScriptExecutionData structure.
• 72422ce Implement Tapscript script validation rules (BIP 342): This adds a new SigVersion::TAPSCRIPT, makes the necessary interpreter changes to make it implement BIP342, and uses them for leaf version 0xc0 in Taproot script path spends.

Regtest activation and policy (sipa/bitcoin@865d2c3...206fb18) [+98 -8]:

• e9a021d Make Taproot spends standard + policy limits: This adds a TxoutType::WITNESS_V1_TAPROOT for P2TR outputs, and permits spending them in standardness rules. No corresponding CTxDestination is added for it, as that isn't needed until we want wallet integration. The taproot validation flags are also enabled for mempool transactions, and standardness rules are added (stack item size limit, no annexes).
• d7ff237 Activate Taproot/Tapscript on regtest (BIP 341, BIP 342): Define a versionbits-based activation for the new consensus rules on regtest. No activation or activation mechanism is defined for testnet or mainnet.

Tests (sipa/bitcoin@206fb18...0e2a5e4) [+2148 -28]:

• 3c22663 tests: add BIP340 Schnorr signature support to test framework: Add a pure Python implementation of BIP340 signing and verification, tested against the BIP's test vectors.
• f06e6d0 tests: functional tests for Schnorr/Taproot/Tapscript: A large functional test is added that automatically generates random transactions which exercise various aspects of the new rules, and verifies they are accepted into the mempool (when appropriate), and correctly accepted/rejected in (Python-constructed) blocks.
• 4567ba0 tests: add generic qa-asset-based script verification unit test: This adds a unit test that does generic script verification tests, with positive/negative witnesses/scriptsigs, under various flags. The test data is large (several MB) so it's stored in the qa-assets repo.
• 0e2a5e4 tests: dumping and minimizing of script assets data: This adds a --dumptests flag to the feature_taproot.py test, to dump all its generated test cases to files, in a format compatible with the script_assets_test unit test. A fuzzer for said format is added as well, whose primary purpose is coverage-based minimization of those dumps.

_{PREV="$(git rev-parse HEAD)"; git log --oneline upstream/master..HEAD | while read C L; do if [ "d${L:0:14}" == "d--- [TAPROOT] " ]; then if [ "d$PREV" != "" ]; then git diff --shortstat $C..$PREV | (read _ _ _ ADD _ DEL _; echo "### ${L:14:-4} (https://github.com/sipa/bitcoin/compare/$C...$PREV) [+$ADD -$DEL]:"); echo; fi; PREV=$C; PREVL=$L; else echo -n " * $C **${L}**: "; git show "$C" --format="%b" -s | awk '/^$/{exit} 1' | tr $'\n' ' '; echo; fi; done | tac}

@jnewbery There are only two of them. The variable name one is very small, and the ECDSA naming one isn't really a standalone useful change. I think that one could be changed into a scripted-diff though.

concept ACK, just confirming for now this PR is identical to the old PR #17977 at 111be54

Reordered commits a bit, replaced the ECDSA naming one with a scripted diff, and organized the commits in sections. The end state is identical to what it was before.

Could the first 2 commits be done as separate PRs? That should slightly reduce the size of this one

@benthecarman That was suggested earlier by @jnewbery. I think splitting off 28 trivial lines of refactors from a 2500-line PR (though 1700 are tests) isn't going to change much. The refactors that were nontrivial and useful as standalone improvements have been split off already and merged (see history of the previous PR).

I added a unit test too now, with test vectors that were extracted from 20000 runs of the feature_taproot.py test (with the largest tests removed, and larger groups of inputs per transaction), minimized using libfuzzer's coverage tracking to 105.

The code for doing so is in https://github.com/sipa/bitcoin/commits/taproot-test-creation. I'll clean that code up a bit and integrate some parts of it in the normal Python test, so it's easier to recreate these vectors if improvements to the Python test are made.

I was surprised to learn that this was a 2500-line PR. By directory:

• /test/functional - 1790 lines
• /src/test - 134 lines
• /src (exc test) - 817 lines

So the majority of code in this PR is tests (which is a good thing!)

I agree with sipa that it's not necessary to split off the first two commits (especially now that they're separated to the top of the branch). Equally no harm in doing so if that'd reduce the workload.

No code changes aside from unit test commit 9673fd9

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• configure: Allow users to explicitly enable libsecp256k1's GMP bignum support #20121 (configure: Allow users to explicitly enable libsecp256k1's GMP bignum support by luke-jr)
• Script: split policy/error consensus codes for CLEANSTACK, MINIMALIF #20100 (Script: split policy/error consensus codes for CLEANSTACK, MINIMALIF by sanket1729)
• signet: Fix uninitialized read in validation #20035 (signet: Fix uninitialized read in validation by MarcoFalke)
• Move SaltedHashers to separate file and add some new ones #19935 (Move SaltedHashers to separate file and add some new ones by achow101)
• rpc: Add dumpcoinstats #19792 (rpc: Add dumpcoinstats by fjahr)
• wallet: Migrate legacy wallets to descriptor wallets #19602 (wallet: Migrate legacy wallets to descriptor wallets by achow101)
• Coinstats Index #19521 (Coinstats Index (without UTXO set hash) by fjahr)
• Introduce deploymentstatus #19438 (Introduce deploymentstatus by ajtowns)
• tests: Update more tests to work with descriptor wallets #18788 (tests: Update more tests to work with descriptor wallets by achow101)
• External signer support - Wallet Box edition #16546 (External signer support - Wallet Box edition by Sjors)
• [tests] Reduced number of validations in tx_validationcache_tests #13533 ([tests] Reduced number of validations in tx_validationcache_tests by lucash-dev)
• Make script interpreter independent from storage type CScript #13062 (Make script interpreter independent from storage type CScript by sipa)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

My expectation was to do a code review for taproot, but unfortunately, I cannot ACK the concept or the approach of this PR at this time.

After initial research and deep dive, I ask the following:

1. Will a majority of bitcoin users benefit from this PR?
   for consensus changes this answer should be a 'YES'
2. Does this PR create new security concerns or attack vectors for the typical bitcoin user?
   for consensus changes this answer should be a 'NO'

Below are my concerns with questions regarding this PR, answers and clarifications will hopefully bring me around.

Background

Original motivation to review this PR came from a tweet with a bounty. I am honored to help bitcoin, and am reviewing this PR independant of monetary expectations.

Following documents have been read and reviewed in detail specifically for this review, skipping some code and proofs.

• PR Review Club for 17977
• [bitcoin-dev] Taproot
• Homomorphic Payment Addresses and the Pay-to-Contract Protocol
• BIP340, BIP341, BIP342
• Simple Schnorr Multi-Signatures with Applications to Bitcoin
• Impact of Taproot and Schnorr on Address Clustering Analysis of Bitcoin

Reason for not a simple "concept NACK" is because of the known information gap on my end. Specifically, I have not read most of bitcoin bips since early segwit.

• My knowledge and use of bitcoin has been almost exclusively with P2PKH, including custom coded raw transactions on the utxo level.
• Have not yet personally implemented BIP32 - Hierarchical Deterministic Wallets, nor SegWit

Questions

some of these are leading some of these are clarifying

1. Are my current ECDSA private/public key pairs compatible with Schnorr?
2. Where are the specific steps of transforming keys to Schnorr public/private key pairs?
3. is there any difference in key management between ECDSA pairs and Schnorr pairs?
4. is Schnorr compatible with BIP32?
5. If we define complexity risk as a measure of required knowledge in relation to security expectations, does this PR add complexity risk?
6. Can we measure the complexity risk delta of this PR?
7. Would an expert ECDSA pk pair security manager need more knowledge to become an expert Schnorr pk pair manager?
8. Would a future expert Schnorr pk pair manger already be an expert ECDSA pk pair manager?
9. If we define a hard-knowledge-fork as needing more knowledge and a soft-knowledge-fork as needing less knowledge to use bitcoin, is this Taproot PR a hard-knowledge-fork or soft-knowledge-fork?
10. Can Taproot be implemented with ECDSA? Technical: Pay-to-contract and Sign-to-contract?
11. Is Taproot available for ECDSA in this PR?

Concerns

MultiSig
I’m concerned that we are explicitly promoting MultiSig as a net positive for securing users private keys, and as far as i can tell, the consensus is that multisig comes down to a single leader in practice.

poll: Is the use of multisig on a bitcoin transaction, a security feature or a false sense of security?

Key Reuse
I’m concerned that we are implicitly assuming that key reuse is wrong, but as far as i can tell, the consensus is that code reuse is fine for most cases.

Highest concern is if the efficiency improvements, like removal of double sha256 hashing and others, are assuming no key reuse, creating a new vector for user error, since a majority of bitcoin users reuse their keys.

similar sentiments:

"While the key holders are expected not to reuse key pair, little could be done to stop payers to reuse an address. Unfortunately, key-pair reuse has been a social and technical norm since the creation of Bitcoin (the first tx made in block 170 reused the previous public key). I don’t see any hope to change this norm any time soon, if possible at all." bitcoin-dev

Overall, we are left with concerns both about the merit of doing Taproot
versus alternatives, as well as the process through which we got to be here.

1. Is Taproot actually more private than bare MAST and Schnorr separately? What
   are the actual anonymity set benefits compared to doing the separately?

Yes, presuming single-pubkey-single-signature remains a common authorisation pattern.
bitcoin-dev

and fud:

Similarly, the SIGHASH_SINGLE bug for example would have been disastrous for this scheme. In general, the Blockchain this is used in must not allow spending more than one output with a single
signature.

red flags:

Homomorphic Payment Addresses and the Pay-to-Contract Protocol

• Customer public key “a" in the tx cannot be used twice for same Public-Key of merchant
• signaling variation? address(a,c) vs address(P,c) -
  • (a,c) becomes a private key

other:
DISCOURAGE_FLAG - why the need for this flag? can’t we say - ON_POLICY_CHANGE(Transform the mempool)?

flagged for followup:
BIP340

This complicates the implementation of secure signing protocols in scenarios in which a group of mutually distrusting signers work together to produce a single joint signature

Using the first option would be slightly more efficient for verification (around 10%), but we prioritize compactness, and therefore choose option 3.
batch verification

breaking an X only key - at most a small constant faster

nonce - leaking secret

every public key - has two corresponding secret keys

not using the same private key - across different signing schemes - signatures can leak secret key through nonce reuse

open up new nonce attack vectors

However, if this optimization is used and additionally the signature verification at the end of the signing algorithm is dropped for increased efficiency, signers must ensure the public key is correctly calculated and not taken from untrusted sources.

While recent academic papers claim that they are also possible with ECDSA, consensus support for Schnorr signature verification would significantly simplify the constructions.”

BIP341

Combining all these ideas in a single proposal would be an extensive change, be hard to review, and likely miss new discoveries that otherwise could have been made along the way.

Just like other existing output types, taproot outputs should never reuse keys, for privacy reasons. This does not only apply to the particular leaf that was used to spend an output but to all leaves committed to in the output. If leaves were reused, it could happen that spending a different output would reuse the same Merkle branches in the Merkle proof.

fixes the verification capabilities of offline signing devices by including amount and scriptPubKey in the signature message, avoids unnecessary hashing

Hashes that go into the signature message and the message itself are now computed with a single SHA256 invocation instead of double SHA256. There is no expected security improvement by doubling SHA256 because this only protects against length-extension attacks against SHA256 which are not a concern for signature messages because there is no secret data. Therefore doubling SHA256 is a waste of resources.

The public key is directly included in the output in contrast to typical earlier constructions which store a hash of the public key or script in the output. This has the same cost for senders and is more space efficient overall if the key-based spending path is taken. [2]

BIP342

The inefficient OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY opcodes are disabled. Instead, a new opcode OP_CHECKSIGADD is introduced to allow creating the same multisignature policies in a batch-verifiable way.

Disabled script opcodes The following script opcodes are disabled in tapscript: OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY[2]. The disabled opcodes behave in the same way as OP_RETURN, by failing and terminating the script immediately when executed, and being ignored when found in unexecuted branch of the script.

This way, new SIGHASH modes can be added, as well as NOINPUT-tagged public keys and a public key constant which is replaced by the taproot internal key for signature validation.

Why is a limit on script size no longer needed? Since there is no scriptCode directly included in the signature hash (only indirectly through a precomputable tapleaf hash), the CPU time spent on a signature check is no longer proportional to the size of the script being executed.

PR Purpose

as stated

privacy, efficiency, and flexibility of Bitcoin's scripting capabilities

This proposal aims to improve privacy, efficiency, and flexibility of Bitcoin's scripting capabilities without adding new security assumptions[1]. Specifically, it seeks to minimize how much information about the spendability conditions of a transaction output is revealed on chain at creation or spending time and to add a number of upgrade mechanisms, while fixing a few minor but long-standing issues

Taproot is an optional feature, and P2PKH key reusers, not concerned with privacy, do not need to us it. Yet, they still get the benefits of smaller multisig transactions.

Is this chart the only benefits of this PR for the majority of users? Is it worth consensus soft-fork? What are the risks?

Taproot

Taproot's advantages become apparent under the assumption that most applications involve outputs that could be spent by all parties agreeing

This use of practical reality built into the bitcoin protocol is exactly what we need more off! Maybe this abstraction can one day be made between alice and bob, because many times alice is really bob in a dress, and bob has no double spend risk on the tx from bob to bob.

defaut spending path
from what i understand, since in practice over 85% of bitcoin transaction are single key, the default path will be basically p2pkh (or the Segwit + Schnorr equivalent)

user story
If Taproot tree path spending is not for the 85% of bitcoin users, then who is it for? actual user stories will go a long way here.

ACK 0e2a5e4 modulo the last four commits (tests) that I plan to finish reviewing tomorrow

reACK 0e2a5e4

This regression introduced in 4567ba0 is fixed in #20180.