Bitcoin privacy has always been a confusing topic for newcomers to the space. On the one hand, the cryptocurrency is the money of choice for users of darknet markets and other illegal activity online, who obviously have a need for keeping their financial activities to themselves. On the other hand, every transaction in the Bitcoin network’s entire history is publicly viewable on the blockchain.
In other words, the realities of privacy in Bitcoin are rather complex. While there are wallets like Wasabi Wallet and Samourai Wallet that help users gain a greater level of anonymity, there is obviously still plenty of room for improvement.
What are Schnorr and Taproot?
The Schnorr proposal for Bitcoin is able to increase privacy and decrease costs for users who are taking advantage of multisignature security. Taproot is an improvement that enables greater smart contract functionality for Bitcoin without creating additional privacy issues.
A symbiotic relationship between privacy and scalability has long been discussed by various Bitcoin developers, and Taproot is a perfect illustration of this point. With less information about transactions on the blockchain, there’s less data for the blockchain analytics companies to analyze. When Schnorr and Taproot are combined, it can become unclear to a blockchain observer when the additional functionality enabled by Taproot is in use.
One of the key features of Schnorr and Taproot is that different types of transactions can be made to look indistinguishable from each other on the blockchain. A transaction that closes a Lightning Network channel in a cooperative manner looks the same as a simple 1-of-1 transaction from one user to another.
(It should be noted that there are other potential benefits to Bitcoin from Schnorr and Taproot, but the focus of this article is strictly on their implications for user privacy.)
How Schnorr and Taproot Help with Bitcoin Privacy
In simple terms, what’s outlined in the current Schnorr proposal will make multisig transactions and single-sig transactions indistinguishable from each other by combining the signatures involved in the transaction before broadcasting them to the greater Bitcoin network. (A more detailed description of how this works is available in a previous issue of the Bitcoin Optech Newsletter).
This has remarkable implications for privacy on its own, as blockchain observers can no longer see the specific M-of-N multisig arrangement of a transaction, which can potentially tie the transaction to a particular Bitcoin wallet software.
This same, indistinguishable transaction format is also enabled for Taproot spends, which means Taproot’s new smart contract functionality can also be indistinguishable from typical transactions for those looking at the blockchain.
In other words, different types of users are placed in the same anonymity set. This is extremely important for privacy, as it becomes much easier for users to get lost in the crowd.
Perhaps the most exciting aspect of Schnorr from a privacy perspective is its ability to improve the usefulness of atomic swaps. While this functionality is usually talked about in the context of swapping one cryptocurrency for another in a trustless manner (such as BTC for ETH), atomic swaps can also be used to enhance user privacy.
The problem with swaps on Bitcoin today is that evidence of a connection between two swapped Bitcoin outputs is left on the chain. With adaptor signatures, which are enabled by Schnorr, this obvious correlation can be avoided. Open source entrepreneur and Wasabi Wallet contributor Max Hillebrand gave a talk covering the potential privacy benefits of atomic swaps for Bitcoin at the recent Hackers Congress 2019 event in Prague:
“With this simple trick, we break the assumption that, in one transaction, the inputs pay the outputs,” said Hillebrand during his presentation. “And this assumption is broken not just for anybody utilizing scriptless scripts but for anyone utilizing Taproot. Either a Taproot single key, either a Taproot MuSig, or a Taproot cooperative Lightning close, or a Taproot channel factory opening or a Taproot Statechain funding or a Taproot ecash funding or whatever other magic we can do with SegWit Version 1 Taproot. Anyone who utilizes this signature scheme all of the sudden has plausible deniability that he could potentially have done an atomic swap, and thus, anyone, all of the sudden, is free from the transaction graph of inputs pay outputs. And that is absolutely mind-blowing.”
“With this,” he said, “we break the biggest privacy problem in Bitcoin, that is that inputs can be linked to outputs. And when we have that, and we will very soon (hopefully), then I would say we have pretty damn good privacy in Bitcoin.”
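The two mechanisms the article leans on, signature aggregation (the section above on how Schnorr and Taproot help with privacy) and the adaptor-signature swap Hillebrand describes, come down to the same algebra: a verifier runs one check, and it cannot tell which path produced the signature. The following added example (not code from the article, from Bitcoin Core, or from any wallet) shows both over a constructed toy Schnorr group; the group parameters, function names and the MuSig-style key coefficients are assumptions for illustration, not BIP340's actual encoding.

```python
import hashlib
import math
import secrets

# Toy Schnorr group, constructed for illustration only (far too small to be secure): p is a
# safe prime, q = (p-1)/2, g = 4 generates the order-q subgroup. Bitcoin uses secp256k1 instead.
p, q, g = 1019, 509, 4

def H(*parts):  # challenge hash, reduced mod the group order
    return int.from_bytes(hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest(), "big") % q

def keygen():
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)  # (secret key, public key)

def verify(P, msg, sig):  # the only check a blockchain observer can run
    R, s = sig
    return pow(g, s, p) == R * pow(P, H(R, P, msg), p) % p

def sign(x, P, msg):  # plain single-signer Schnorr: R = g^k, s = k + e*x
    k = secrets.randbelow(q - 1) + 1
    R = pow(g, k, p)
    return R, (k + H(R, P, msg) * x) % q

# MuSig-style n-of-n aggregation: one key and one signature for any number of signers.
def musig_key(pubkeys):
    L = H(*pubkeys)  # commits to the whole key set (rogue-key defence)
    return math.prod(pow(Pi, H(L, Pi), p) for Pi in pubkeys) % p

def musig_sign(keys, msg):
    pubkeys = [Pi for _, Pi in keys]
    L, P = H(*pubkeys), musig_key(pubkeys)
    nonces = [secrets.randbelow(q - 1) + 1 for _ in keys]
    R = math.prod(pow(g, k, p) for k in nonces) % p  # combined nonce commitment
    e = H(R, P, msg)
    s = sum(k + e * H(L, Pi) * x for k, (x, Pi) in zip(nonces, keys)) % q
    return P, (R, s)  # verifies with plain verify(), exactly like a single-sig spend

# Adaptor signature: a pre-signature that becomes valid only once secret t (T = g^t) is added.
def adaptor_presign(x, P, msg, T):
    k = secrets.randbelow(q - 1) + 1
    R = pow(g, k, p) * T % p  # the nonce the verifier sees already includes T
    return R, (k + H(R, P, msg) * x) % q  # s' lacks t, so (R, s') does not verify yet

def adaptor_complete(presig, t):
    R, s = presig
    return R, (s + t) % q  # g^(s'+t) == R * P^e: an ordinary-looking signature

def adaptor_extract(presig, sig):
    return (sig[1] - presig[1]) % q  # whoever sees the final signature learns t
```

In a swap, one party publishes a completed signature, the other extracts t from it and completes their own pre-signature; on chain both spends are just Schnorr signatures that pass the same verify(), with no shared hash preimage tying them together.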
When Will This Happen?
The Schnorr and Taproot BIPs are currently in the review phase of the Bitcoin development process. At this point, it’s difficult to estimate when these changes will be added to consensus-relevant Bitcoin software, let alone be activated by the network and adopted by users.
The additions made to Bitcoin’s consensus rules with these proposals should be seen as uncontroversial, but that was also expected to be the case with Segregated Witness (SegWit), which proved more divisive than expected. Some have pointed out that certain segments of the Bitcoin userbase may be against privacy improvements like the ones enabled by Schnorr and Taproot, although the climate around the Bitcoin network today is much less political than it was during the block size debate.
In a worst-case scenario, it’s possible a user-activated soft fork could be used as the activation mechanism for Schnorr and Taproot, as was the case with SegWit.
It should also be noted that developers still need to build wallets that will help users protect their privacy with these new tools and users need to decide to proactively use these sorts of wallets. While Schnorr and Taproot aim to diminish the issues related to Bitcoin’s opt-in privacy, Bitcoin privacy would still require more intentional participation than a privacy-focused coin like Monero, where every transaction has enhanced privacy by default.
Former Blockstream CTO and creator of the Taproot concept itself, Greg Maxwell, hit on this point in a recent Reddit comment:
“[Taproot] doesn't magically do the privacy preserving itself, tools/protocols/software need to be built using it and will need to be very widely deployed before it credibly starts providing that privacy,” wrote Maxwell. “Just because something is technically possible doesn't make it particularly plausible. The nature of taproot is that — if those things are deployed — its design [significantly] diminishes but doesn't eliminate the disadvantage of opt-in privacy that Monero eliminates.”
As we’ve covered in the past, Bitcoin users haven’t been the most proactive individuals when it comes to seeking privacy. Address reuse is still rather prevalent on the network, and CoinJoins only account for a small percentage of total Bitcoin transactions.
Eventually, it’s possible cross-input aggregation could be added to Bitcoin, which would enable signature aggregation for the inputs involved in CoinJoin transactions. This creates an incentive for Bitcoin users to use CoinJoin, as it would cost less to create transactions via CoinJoin than via traditional methods.
This gets back to the symbiotic relationship between privacy and scalability. When implemented correctly, a more private blockchain should also be a more scalable blockchain.
Even with the proper incentives to persuade users to pursue financial privacy, there are still lingering issues, such as the public nature of the amounts involved in Bitcoin transactions. There has been plenty of progress in the area with the existence of Confidential Transactions on the Liquid sidechain, but it’s currently unclear how, when, or if this specific type of privacy enhancement will make its way into Bitcoin’s main chain.
While far from a perfect solution, it’s possible that the level of Bitcoin privacy enabled by Schnorr and Taproot will be good enough for a wide variety of use cases. As Hillebrand stated in his presentation on the subject, “This is not the magic pill that solves everything, but it’s one part of the puzzle piece that builds our huge privacy defense tools in Bitcoin.”