Taproot

Taproot (BIP 340) is an upgrade to Bitcoin which brought several new features (Schnorr Signatures, Taproot & Tapscript).

Schnorr Signatures

Schnorr signatures allow key aggregation. Without aggregation, when multiple parties want to sign the same message, they must each include their public key and signature. Schnorr public keys and signatures can be aggregated such that, if three parties want to sign a transaction, they can combine their three public keys to form a single public key, and combine their three signatures to form a single signature that is valid for the aggregate public key. A verifier then only needs to verify a single signature against a single public key to be sure that all three parties signed the message.

Taproot

Taproot includes Merkelized Alternative Script Trees (MAST) which allow users to lock outputs to multiple scripts.

Imagine that you want to lock a UTXO with two unlocking possibilities: either Alice signs the transaction, or Bob and Carole sign it together. Before Taproot, the entire script had to be revealed at spend time.

With MAST, a Merkle tree is used to summarize the collection of possible spending scripts. Instead of having several scripts to lock a transaction, you can write different scripts on different leaves of the tree. The UTXO is locked to the Merkle root of these scripts.

graph TD
    %% =============================================================================================================
    %% Transaction
    INPUT0["Input 0"]
    INPUT1["Input 1"]
    OUTPUT0["Output 0"]
    OUTPUT1["Output 1 (Taproot)"]
    OUTPUT2["Output 2"]
    TRANSACTION["Bitcoin transaction"]
    INPUT0 --> TRANSACTION
    INPUT1 --> TRANSACTION
    TRANSACTION --> OUTPUT0
    TRANSACTION --> OUTPUT1
    TRANSACTION --> OUTPUT2
    %% =============================================================================================================
    %% Taproot
    OUTPUT1 --> TAPROOT_ROOT_HASH["Taproot root hash"]
    TAPROOT_ROOT_HASH --> HASH12["Hash(1&2)"]
    TAPROOT_ROOT_HASH --> HASH3["Hash(3)"]
    HASH12 --> HASH1["Hash(1)"]
    HASH12 --> HASH2["Hash(2)"]
    HASH1 --> SCRIPT1["Script 1<br/>Requires alice & bob's signatures"]
    HASH2 --> SCRIPT2["Script 2<br/>Requires alice's signature"]
    HASH3 --> SCRIPT3["Script 3<br/>Requires bob's signatures & time lock"]

When someone wants to spend it, they only have to provide a single leaf's script, a Merkle proof showing its inclusion in the tree, and the data that fulfills the script's spending conditions. Bitcoin will check that the script provided is included in the Merkle tree and run it!

The MAST is a tree of ORs (no ANDs and no IF/ELSEs). You can have ANDs and IF/ELSEs, but they are contained within leaves, not between leaves.
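An added example (not from the original page): Python code for the Merkle commitment and the spend-time inclusion check described in this section, using the tagged hashes that BIP 341 defines (TapLeaf, TapBranch) and the tree shape from the diagram. The script bytes are constructed placeholders rather than real Bitcoin Script, and the step in which BIP 341 commits the root into the output key is left out.

```python
import hashlib

def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP 340/341 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def leaf_hash(script: bytes, version: int = 0xC0) -> bytes:
    """TapLeaf hash over leaf version, compact-size script length, script."""
    if len(script) >= 0xFD:
        raise ValueError("example only handles single-byte compact sizes")
    return tagged_hash("TapLeaf", bytes([version, len(script)]) + script)

def branch_hash(a: bytes, b: bytes) -> bytes:
    """TapBranch hash; children are sorted, so proofs need no left/right flags."""
    return tagged_hash("TapBranch", min(a, b) + max(a, b))

def build(tree):
    """tree is a script (bytes) or a (left, right) tuple.
    Returns (root, {script: proof}); a proof lists sibling hashes, leaf to root."""
    if isinstance(tree, bytes):
        return leaf_hash(tree), {tree: []}
    (lh, lp), (rh, rp) = build(tree[0]), build(tree[1])
    proofs = {s: p + [rh] for s, p in lp.items()}
    proofs.update({s: p + [lh] for s, p in rp.items()})
    return branch_hash(lh, rh), proofs

def verify(root: bytes, script: bytes, proof: list) -> bool:
    """Spend-time check: rehash the one revealed leaf up its path to the root."""
    node = leaf_hash(script)
    for sibling in proof:
        node = branch_hash(node, sibling)
    return node == root

# Constructed placeholders standing in for the diagram's three scripts
SCRIPT1 = b"alice AND bob"
SCRIPT2 = b"alice"
SCRIPT3 = b"bob AND timelock"
ROOT, PROOFS = build(((SCRIPT1, SCRIPT2), SCRIPT3))

if __name__ == "__main__":
    for s in (SCRIPT1, SCRIPT2, SCRIPT3):
        print(s.decode(), len(PROOFS[s]), verify(ROOT, s, PROOFS[s]))
```

Spending through Script 3 reveals that script plus one 32-byte hash, so Scripts 1 and 2 stay hidden. The distinct TapLeaf and TapBranch tags keep a leaf from being reinterpreted as an inner node.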

Tapscript

Tapscript (BIP 342) adds and updates several opcodes. These new scripts are used to verify Taproot spends and Schnorr signatures, and they are collectively known as Tapscript.