Taproot Playground ๐ฑ
Build Taproot spend conditions, key tweaks, and MAST trees interactively.
Signers (Real Keys)
โ Real secp256k1
Schnorr Math (BIP340)
๐ Key Aggregation
P_agg =
Linear property: combined key looks like a single normal key on-chain!
โ๏ธ Schnorr Signature
# For each signer i:
s_i = k_i + H(R || P || m) ร x_i
# Where:
k = random nonce
R = k ร G (nonce point)
P = public key
m = message
x = private key
R = k ร G (nonce point)
P = public key
m = message
x = private key
โ
Verification
s ร G = R + H(R || P || m) ร P
Verifier checks if the equation holds without knowing the private key!
Why Schnorr over ECDSA?
- โ Linearity: Signatures can be aggregated (MuSig)
- โ Non-malleable: Cannot be modified without invalidating
- โ Privacy: n-of-n multisig looks like single-sig
- โ Simpler: Provably secure with random oracle model
Linearity
Schnorr signatures are linear. Sig(A) + Sig(B) = Sig(A+B).
This allows multiple parties to combine keys and signatures into one, saving space and privacy.
Efficiency
Aggregated signatures look like a single signature on-chain. This makes multisig transactions cheaper and indistinguishable from regular ones.
Simplicity
Unlike ECDSA, Schnorr signatures are provably secure and non-malleable by default, making them the gold standard for modern Bitcoin.