Schnorr signatures are a powerful new way to authenticate Bitcoin transactions. We offer an intuitive explanation of how they work, inspired by Gregory Maxwell and Andrew Poelstra’s wonderfully simple description that starts with Claus Schnorr’s original interactive authentication protocol. We add details bit by bit until we arrive at the BIP340 standard implemented in Bitcoin today.
Scriptless multisignatures make it possible for an essentially unlimited number of people to create a single public key that can be spent by a single signature from all of them, massively increasing the scalability and privacy of Bitcoin. Schnorr signatures make scriptless multisignatures so easy that it only takes us a few paragraphs to intuitively describe their mathematical foundation. We then briefly describe the MuSig family of multisignatures that provide additional security against malicious co-signers.
MAST also massively boosts Bitcoin’s scalability and privacy by allowing an essentially unlimited number of conditions to be used in Bitcoin Script, with only the conditions that were satisfied needing to appear onchain.
Pay-to-Contract (P2C) is a method for modifying Bitcoin public keys that was first described in 2012 but doesn’t get talked about much. It allows receiving money to a private commitment that can either be kept secret forever or proven publicly later. It’s as simple as it is powerful, so we’re able to describe it quickly.
Taproot combines the capabilities afforded by scriptless multisignatures, MAST, and P2C into a single protocol. Because we previously introduced each of those three foundational technologies, it’s very easy to explain how taproot works and how it provides Bitcoin users with a huge improvement in scalability, privacy, and fungibility.
Bech32 and bech32m are the new address formats introduced for segwit and taproot that make addresses much easier to use. We refresh the entire address section of the book. It now starts with Bitcoin’s original payment protocol based on IP addresses—possibly where Bitcoin “addresses” got their name—and works its way through base58check addresses to the improvements introduced in bech32(m).
Fee management was briefly described in earlier editions of the book, but with the recent development of Bitcoin’s fee market we now go into much more detail. We describe both RBF and CPFP fee bumping. We also describe cases where they don’t always work (transaction pinning) and near-term partial solutions, such as package relay, for contract protocols.
Scriptless threshold signatures can be easily explained as a variation of scriptless multisignatures with one extra feature (verifiable secret sharing), which is exactly how Gregory Maxwell privately explained them to me and another developer several years ago when we were having trouble following development discussion. We again take our inspiration from him in providing a highly comprehensible explanation.
Compact block filters are a new way for lightweight clients to learn about transactions affecting their wallets. They’re more private for clients and less problematic for nodes. We describe the principles they’re based on using simple arithmetic and rolls of a pair of dice, giving readers a solid foundation before we look at implementation details.
Compact blocks simultaneously sped up block propagation and significantly reduced the bandwidth requirements to run a relaying full node. We describe how they work. We also describe the FIBRE block relay system that builds on compact blocks to provide even faster block relay among peers who can be trusted not to perform denial-of-service attacks against each other.
BIP8 and speedy trial are new ways to activate soft forks. We don’t go into much detail—I have no idea what we’ll actually use for the next soft fork activation—but we look at some of the activation method features that were widely discussed during the activation of taproot in 2021.
A new appendix is added after the copy of Satoshi Nakamoto’s original paper describing Bitcoin. The new appendix, whose addition was suggested by Matthew Zipkin, is a slightly updated version of my 2016 errata to the Bitcoin paper that describes differences between the version of Bitcoin described by Nakamoto and what was actually implemented by Nakamoto and later developers.
(The source code for the book text is available on GitHub under a CC BY-NC-ND license.)