Taproot Schnorr MAST: 2021 Bitcoin softfork explained

Taproot is the most significant Bitcoin softfork since SegWit in 2017. Activated on 14 November 2021 at block height 709 632, it combines three BIPs that complement each other : Schnorr (signatures), Taproot (output structure), Tapscript (enhanced script language). The whole was crafted over more than two years by Pieter Wuille, Tim Ruffing, Anthony Towns, Greg Maxwell and several other contributors, without the controversy of the previous softfork.

Taproot's appeal rests on three operational propositions. First, Schnorr signatures replace ECDSA in new scripts : smaller, aggregatable, provably secure under a standard cryptographic assumption. Second, Taproot outputs make a 3-of-5 multisig indistinguishable from a single-sig payment to external observation, improving privacy across the whole network. Third, MAST lets contracts with multiple branches be encoded without revealing the unused branches to the chain.

Five years later, Taproot adoption exceeds 25 % of recent UTXO outputs, MuSig2 is implemented in Sparrow, Specter, Casa and Unchained, and the first Lightning channel factory applications use Taproot. This article dissects each of the three BIPs, MuSig2 aggregation, MAST, the adoption state, and concrete applications.

BIP 340 : Schnorr signatures

Bitcoin used the ECDSA algorithm (Elliptic Curve Digital Signature Algorithm) on the secp256k1 curve since 2009. ECDSA works but has two historical limits : its signatures do not aggregate natively, and its security proof is less clean than that of other signature schemes. Claus-Peter Schnorr proposed in 1988 an alternative scheme (Schnorr signatures) whose patent expired in 2008, just in time for Bitcoin, but Satoshi chose ECDSA for industrial standardisation reasons.

BIP 340 (Pieter Wuille, Jonas Nick, Tim Ruffing, 2020) introduces Schnorr signatures in Bitcoin via Taproot. Three mathematical properties distinguish Schnorr from ECDSA. First, linearity : the sum of two Schnorr signatures is still a valid Schnorr signature, which enables native aggregation (we come back to it with MuSig2). Second, the security proof in the random oracle model is more direct, under the standard discrete logarithm assumption. Third, signatures are slightly smaller (64 bytes versus 71-72 for ECDSA), which reduces the weight of multisig transactions.

In practice, an average user does not see the difference when signing a single-sig Taproot transaction : their wallet uses Schnorr under the hood, the transaction lands in the block, the recipient cashes in. But the cryptographic economy changes with aggregation. A traditional 3-of-5 multisig publishes 3 distinct signatures (3 × 71 bytes) plus the unlocking script. A 3-of-5 Schnorr+MuSig2 multisig publishes a single aggregated signature (64 bytes), indistinguishable from a single-sig.

BIP 341 : Taproot outputs and MAST

BIP 341 defines the format of Taproot outputs. A Taproot address starts with bc1p (instead of bc1q for SegWit v0). It encodes a single public key that can be unlocked in two ways : by a Schnorr signature (key-spend path, the most frequent case), or by executing a script chosen from a tree of possible scripts (script-spend path, for complex contracts).

The MAST mechanism (Merklized Abstract Syntax Tree) underlies the script-spend path. The wallet author defines a tree of possible scripts (for example : "Alice's single-sig", "2-of-3 multisig", "emergency script after 6 months"). Each leaf is a script. The Taproot public key is derived from a Merkle root summarising the tree, without revealing the individual scripts. At spend time, you pick the leaf you want to execute, prove its inclusion in the tree via parent hashes, and run it. Other leaves stay secret forever.

Consequence for privacy : as long as the key-spend path is used (the typical case), no external observer can guess whether or not a MAST tree exists behind. A single-sig, a 2-of-3 multisig with key aggregation, a complex time-locked vault all look like the same bc1p address to observation. This is Taproot's big privacy step, more important in the long run than the size gains.

BIP 342 : Tapscript

Tapscript is the updated version of the Bitcoin Script language usable in the script-spend path of a Taproot output. It keeps most of the old Script (the usual opcodes OP_DUP, OP_HASH160, OP_CHECKSIG, etc.) but introduces three important changes. First, OP_CHECKSIG and OP_CHECKSIGVERIFY now use Schnorr signatures instead of ECDSA. Second, OP_CHECKMULTISIG is removed (it was a source of overhead and ambiguity) and replaced by OP_CHECKSIGADD, a more flexible opcode that is easier to analyse.

Third, Tapscript prepares the ground for future extensibility via Tapleaf versions. Each leaf of the MAST tree carries a version number telling how it should be interpreted. Version 0 is current Tapscript ; versions 1-255 are reserved for future evolutions (potentially including OP_CTV, OP_VAULT and the covenants under discussion). This extensibility reduces the cost of future soft-forks since they can add new opcodes without breaking existing things.

For a wallet developer, Tapscript is nicer to use than the old Script. For an end user, it is transparent. Backward compatibility is guaranteed : P2PKH, P2SH, P2WPKH and P2WSH outputs (the old formats) keep working indefinitely ; Taproot is purely additive.

MuSig2 : aggregating keys and signatures

MuSig2 (Nick, Ruffing, Seurin, 2020) is the Schnorr signature aggregation protocol used in practice in 2026. It lets N signers combine their public keys into a single aggregated public key (which becomes the Taproot address), then jointly produce a single Schnorr signature valid under that aggregated key. The result looks exactly like a single-sig to the blockchain, while it took N participations to produce it.

The practical benefit is massive for modern multisigs. A 2-of-2 between spouses, a 3-of-5 company, a hardware-wallet-backed 2-of-3 use MuSig2 to produce a single signature. The transaction is smaller (lower fees), faster to validate, and confidential against external observers who can no longer distinguish a multisig from a personal wallet. Casa and Unchained switched their new multisigs to MuSig2 from 2024 ; Sparrow and Specter have it in 2025.

The protocol needs two communication rounds between signers (an exchange of committed nonces, then an exchange of partial signatures), which is compatible with a collective signature performed via PSBT (Partially Signed Bitcoin Transaction) on separate hardware wallets. The underlying cryptography is trickier than ECDSA (nonces must be generated correctly or risk key leakage), which means implementations must be careful. The libsecp256k1 library and BIP327 standardise the protocol.

Adoption state in 2026

Five years after activation, Taproot adoption has progressed by steps. Early 2022, fewer than 1 % of issued outputs used the bc1p format, mainly test transactions and a few early adopters. End 2022, ~3 %. End 2023, ~10 %, driven by the Ordinals/Inscriptions frenzy which uses Taproot massively. End 2024, ~18 %. In 2026, we regularly pass 25 % of Taproot outputs in recent blocks.

Wallet-side adoption is now widespread. Bitcoin Core generates Taproot addresses by default since version 24 (2022). Sparrow, Specter, Electrum, BlueWallet, Phoenix, Muun, Wallet of Satoshi, Aqua, Nunchuk : all support sending and receiving. On the custodial multisig side, Casa, Unchained and Liana have shifted their new setups to Taproot+MuSig2 between 2024 and 2026. Older multisig setups on P2WSH (bc1q) formats remain functional but do not benefit from the privacy gains.

Residual brakes mainly come from exchanges and institutional providers. Many accept withdrawals to Taproot (sending to a bc1p address), but few use Taproot for their internal moves, fearing incompatibilities with their compliance and accounting tools. This inertia is dissolving : Coinbase announced in 2025 a progressive switch, Kraken in 2026. When institutional exchanges switch, Taproot will become the majority format.

Applications : modern multisig and Lightning

Confidential multisig. Before Taproot, a 2-of-3 multisig published in the chain its unlock script at spend time, which revealed to the observer that it was a multisig and even how many cosigners existed. With Taproot+MuSig2, the multisig is indistinguishable from a single-sig. It is the most tangible anonymity gain for advanced users : a pro wallet with 3 hardware wallets in multisig looks like any personal wallet to the blockchain.

Vaults and time-locked safes. Liana (Wizardsardine, 2023) uses MAST to build vaults with multiple spend paths : "Alice's main key" (key-spend, instant), or "Alice plus lawyer after 6 months of inactivity" (script-spend MAST, recovery branch), or "heir after 3 years" (another branch). As long as Alice uses the main path, the recovery branches stay secret to the blockchain. It is the major step forward for Bitcoin inheritance.

Lightning channel factories. As mentioned in the advanced Lightning article, channel factories need Taproot to work efficiently. A Taproot factory looks like a single-sig to the chain while it internally hosts several Lightning channels between several participants. The on-chain cost is mutualised, privacy is preserved. First experimental rollouts in 2025, general availability hoped for 2027-2028. This is Lightning's next big step, and it relies entirely on Taproot.

Disclaimer

Educational and informational content only: not investment, tax or legal advice. Bitcoin carries significant risks, including high volatility and the possible loss of invested capital. Each reader remains responsible for their decisions; when in doubt, consult a qualified professional in your jurisdiction.

Taproot, Schnorr and MAST : understanding the 2021 upgrade