Taproot: a privacy threat? Why the forthcoming Bitcoin upgrade is drawing criticism

On January 14, version 0.21.0 of Bitcoin Core, the most popular Bitcoin network client, was released. Along with various innovations and improvements, it includes the final Schnorr/Taproot code, an upgrade intended to boost the network’s privacy and scalability, as well as coin fungibility.

The exact activation timeline for the solution has not yet been determined, and the activation logic required to enable it is not yet in place. In the coming months, developers may include it in one of the forthcoming interim releases of Bitcoin Core.

Before Taproot was integrated into Bitcoin Core, its code had been studied for several years by more than 150 developers, and by the end of December virtually all the largest mining pools, or more than 90% of the hashrate, had signalled in favour of the upgrade.

For Bitcoin, a network whose history has seen many disagreements over technical questions, this is a relatively rare phenomenon. The developers demonstrated unity in their views even after recent statements by Nikita Zhavoronkov, the founder of Blockchair, who suggested that Taproot not only fails to increase privacy but, on the contrary, reduces it.

Key Points

  • Blockchair’s lead developer Nikita Zhavoronkov argues that the forthcoming Bitcoin Taproot upgrade poses a potential privacy risk.
  • Bitcoin Core developers disagree, stating that in the long run the benefits of Taproot far outweigh the potential harms.

Arguments Against Taproot

Zhavoronkov outlined the reasons why Taproot threatens Bitcoin’s privacy in a document published in late November 2020. He urged developers to abandon activation of this solution.

As is known, full nodes running on the Bitcoin network monitor the outputs through which funds can be sent when transactions are executed. They are known as unspent transaction outputs (UTXO). For example, Alice has two bitcoins, one of which she wants to send to Bob. When a transaction is executed, the UTXO containing her coins is spent and split: 1 BTC goes to Bob, the other 1 BTC is sent back to Alice to the so-called change address.

Taproot activates new rules (scripts) that outwardly differ from existing scripts such as the transaction signing mechanism using private keys or UTXO scripts.

In Zhavoronkov’s view, coins locked in such scripts will stand out from the rest, making it easier for analytics firms to identify the recipients of funds.

As an example he cites bech32, the native format of SegWit addresses (beginning with ‘bc1’). If the recipient has upgraded to SegWit and uses this format, the sender’s wallet still generates change addresses of the same type as before (starting with ‘1’).

This would look like:

Now it is possible to establish that 1BitcoinAddress11111 and 1BitcoinAddress3333333 belong to the same person (the sender). This enables address clustering and carries potential risk for both the sender and the recipient.
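The script-type mismatch described above can be checked on the wallet side before a transaction is broadcast. The following is an added example, not code from the article or from Zhavoronkov's document: it reports when a transaction's change is the only output sharing the inputs' script type. It assumes mainnet addresses classified by prefix and length only, with no checksum validation, and the `bc1q…`/`bc1p…` strings are constructed placeholders rather than valid addresses.

```python
# Added example: wallet-side check for the script-type change fingerprint.
# Addresses are classified by mainnet prefix/length only (assumption: no
# checksum validation; sample addresses are placeholders, not real ones).

def script_type(addr: str) -> str:
    a = addr.lower()
    if a.startswith("bc1p"):
        return "P2TR"                      # witness v1 (Taproot)
    if a.startswith("bc1q"):
        # witness v0: 42 chars = key hash, 62 chars = script hash
        return "P2WSH" if len(a) == 62 else "P2WPKH"
    if addr.startswith("1"):
        return "P2PKH"
    if addr.startswith("3"):
        return "P2SH"
    return "unknown"


def exposed_change(inputs, outputs):
    """Outputs an observer can label as change from script types alone."""
    in_types = {script_type(a) for a in inputs}
    if len(in_types) != 1 or len(outputs) < 2:
        return []                          # mixed inputs or single output: no signal
    same = [o for o in outputs if script_type(o) in in_types]
    # Exactly one output matching the inputs, among others that differ,
    # singles that output out as the sender's change.
    return same if len(same) == 1 else []


def report(inputs, outputs):
    change = exposed_change(inputs, outputs)
    kinds = sorted({script_type(o) for o in outputs})
    return {"output_types": kinds, "exposed_change": change}


# Constructed samples. The two '1...' names are the article's placeholders.
LEGACY_TO_SEGWIT = (["1BitcoinAddress11111"],
                    ["bc1qconstructedrecipient2222", "1BitcoinAddress3333333"])
LEGACY_TO_LEGACY = (["1BitcoinAddress11111"],
                    ["1ConstructedRecipient2222", "1BitcoinAddress3333333"])
TAPROOT_TO_SEGWIT = (["bc1pconstructedsender1111"],
                     ["bc1qconstructedrecipient2222", "bc1pconstructedchange3333"])

if __name__ == "__main__":
    for name, tx in [("legacy->segwit", LEGACY_TO_SEGWIT),
                     ("legacy->legacy", LEGACY_TO_LEGACY),
                     ("taproot->segwit", TAPROOT_TO_SEGWIT)]:
        print(name, report(*tx))
```

When the wallet generates change of the same type as the payment output, `exposed_change` returns an empty list, because no single output matches the inputs any more.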

Zhavoronkov also notes the general “deterioration of Bitcoin privacy” with the addition of each new script type – starting with P2SH and ending with P2WPKH and P2WSH, which appeared with SegWit. Taproot will add P2TR, and the technology will be effective only if it is adopted by 100 per cent of users and exchanges.

“Those who advocate Taproot and deny its negative impact on privacy imply that everyone will use Taproot, so it all boils down to the scenario ‘every user uses P2TR, and every exchange uses P2TR’. Unfortunately, this is utopia. More than three years have passed since SegWit activation, and it is still used in fewer than 50% of all transactions. This is simply not enough,” Zhavoronkov writes.

Detailed theory from the Blockchair developer can be found in the Russian-language translation of the original document.

What Bitcoin Core says

Zhavoronkov’s arguments were almost immediately met with fierce criticism from Bitcoin Core developers, led primarily by the technology’s inventor, Gregory Maxwell.

In a lengthy Reddit thread the former Blockstream CTO called Zhavoronkov an “intellectually dishonest coward” and, noting Zhavoronkov’s close ties with Bitcoin Cash, urged him not to hide behind insulting posts on Twitter, but to give direct answers to some questions.

“Where is your campaign ‘Stop Schnorr Signatures’ for BCash? They allow wallets to be distinguished like any other new script, but you stay silent about it. Where is your crusade against 4-of-5 multisig? Against P2SH? There are none,” Maxwell asks.

He also asks why Zhavoronkov is not troubled by privacy questions in the case of hard forks of “scam coins”, and why he sees a privacy threat for Bitcoin, where another type of script is used in only about 10% of transactions, but does not see it in altcoins whose transaction counts are significantly lower (as in Bitcoin Cash).

Maxwell noted that negative privacy impacts come with every new use of scripts and every new policy regarding multisignature technology. Moreover, he says, users can themselves put their privacy at risk, for example by entering their address into a block explorer.

“Taproot significantly improves this situation, but since it is itself a new feature, the privacy level for users will be modest until its adoption becomes universal. This is what has always been discussed in the process of working on Taproot and has led to a number of design decisions,” he added.

Maxwell also finds it ironic that Zhavoronkov launched criticism precisely on privacy concerns while his own site is centralized and can store users’ private data without their knowledge.

The Blockchair developer’s response did not take long:

“I don’t want to discuss anything on a censored subreddit; what’s the point? Twitter is neutral in this respect (unless you’re Trump), so I prefer it,” Zhavoronkov replied, noting that several months ago Blockchair introduced a tool for assessing transaction privacy in the Bitcoin network, while such an option does not yet exist for Bitcoin Cash.

Subsequently Zhavoronkov did engage in a deeper discussion with Maxwell, stating his aim to protect the interests of ordinary users making simple transactions, not geeks obsessed with complex and less accessible technologies like the Lightning Network.

But, as Maxwell notes, he did not receive substantive answers to his questions, and the presentation itself consists of unsubstantiated and false claims and is an example of a commercial conflict of interest.

Long-Term Outlook

Note that, according to official documentation, Taproot in combination with Schnorr signatures expands the capabilities of multisignature technology, increasing the set of transaction types that can appear as standard. Besides P2PKH and P2WPKH, i.e. single spends, these include channel closures in the Lightning Network and atomic swaps.

Pieter Wuille, who in October 2020 merged Schnorr signatures, Taproot and Tapscript into a single proposal, refrained from extensive discussion of Zhavoronkov’s criticisms, limiting himself to retweeting a thread by the German Lightning Network developer @sebx2a. It states that claims of Taproot’s negative impact on privacy are an attempt to sow seeds of doubt about the technology.

“Short-term negative effects are well known, but the long-term improvements more than compensate for them,” @sebx2a commented on Zhavoronkov’s document.

Independent Bitcoin Core developer Gleb Naumenko also agrees with him.

“If we speak briefly, Taproot can indeed lead to a loss of privacy, but on a small scale and only under certain conditions and specific attacks. In most cases, and consequently overall, Taproot is a clear plus for privacy and for smart-contract flexibility,” he told ForkLog.

The hysteria of Taproot’s opponents and the conspiracy theories that, in his words, can be seen on the slides of Zhavoronkov’s presentation not only come late to the discussion but also do not foster constructive dialogue.

“There are few opponents, among public figures — it’s only Nikita,” Naumenko added.

He says that if users still have doubts, they should study the details themselves and form their own conclusions, and if that is not possible, consult experts.
