Bitcoin Taproot, Tapscript, and MAST

Bitcoin's Taproot upgrade, activated at block 709,632 on November 14, 2021, was Bitcoin's most significant protocol upgrade since SegWit in 2017. Taproot bundled three Bitcoin Improvement Proposals — BIP340 (Schnorr Signatures), BIP341 (Taproot), and BIP342 (Tapscript) — into a single softfork that improved transaction efficiency, privacy, and script expressiveness simultaneously. Understanding Taproot is essential for understanding Bitcoin's capabilities and the technical foundation for developments like Ordinals, RGB, and the Lightning Network's ongoing evolution.

BIP340: Schnorr Signatures

Bitcoin previously used ECDSA (Elliptic Curve Digital Signature Algorithm) for transaction signatures. Taproot replaced this with Schnorr signatures for single-key transactions, providing three key improvements. Linear signature aggregation: Multiple Schnorr signatures can be mathematically combined into a single signature that verifies all signers simultaneously. For multisig transactions (requiring M-of-N signatures), this means a 3-of-5 multisig transaction produces a single aggregate signature indistinguishable from a regular single-key transaction on-chain — dramatically improving multisig privacy and reducing transaction size. Smaller signatures: Schnorr signatures are 64 bytes versus ECDSA's 71–72 bytes, saving approximately 10% on signature data size. Better security proofs: Schnorr's security properties are simpler to formally prove than ECDSA, and the scheme supports more natural construction of complex protocols like threshold signatures, blind signatures, and adaptor signatures used in Lightning and atomic swaps.

BIP341: Taproot (MAST)

Taproot itself is a construction that combines a public key with a Merkelized Alternative Script Tree (MAST). Before MAST, complex Bitcoin scripts (multisig, timelock conditions, hash preimage conditions) had to reveal their full condition set when spending, even if only one condition was used. A 5-way multisig with timelock fallbacks would reveal all those conditions in every transaction — wasting space and revealing information about the wallet's security setup.

MAST solves this via a Merkle tree of spending conditions. A Taproot output commits to a key path (a simple Schnorr public key spend) and optionally a script path (a Merkle root of alternative spending conditions). When spending, you either: use the key path (a simple signature — the script conditions are never revealed, as if they don't exist), or reveal only the specific script branch being used plus a Merkle proof that it's in the committed tree. Unused script branches remain permanently hidden.

Practical examples: a time-locked savings wallet where the owner can spend normally (key path) or a pre-committed beneficiary can claim after a time lock (script path, but the beneficiary condition is only revealed if the owner becomes unavailable). On-chain, a normal spend looks identical to a regular single-key transaction regardless of what script alternatives existed. This radically improves privacy for complex Bitcoin smart contracts.

BIP342: Tapscript

Tapscript is the updated scripting language used within Taproot's script path. It's largely compatible with existing Bitcoin Script but with several improvements: uses Schnorr signature verification opcodes instead of ECDSA, changes how OP_CHECKMULTISIG works (each signature independently verified rather than the non-linear batch checking), and adds OP_SUCCESS opcodes — undefined opcodes that always succeed, reserved for future upgrades to add new functionality via softfork without requiring any special handling from older nodes.

The OP_SUCCESS mechanism is significant: it means future Bitcoin upgrades (like OP_CAT for arbitrary data concatenation, or covenant opcodes for UTXO-constraining scripts) can be implemented as Tapscript opcodes that older nodes simply treat as OP_SUCCESS. This enables more forward-compatible upgrade paths for Bitcoin's scripting capabilities.

Taproot's Role in Ordinals and Bitcoin L2s

Taproot unexpectedly enabled Bitcoin Ordinals inscriptions. The SegWit discount applied to witness data and the Taproot upgrade allowed arbitrary data (images, text, code) to be embedded in Taproot script-path witnesses up to the 4 MB block limit. Ordinals creator Casey Rodarmor exploited this to inscribe arbitrary content on individual satoshis, creating Bitcoin's native NFT-like system. This was entirely unintended by the Taproot upgrade designers but emerged naturally from the expanded script capabilities.

For the Lightning Network, Schnorr signatures and Taproot enable: point time-lock contracts (PTLCs) replacing hash time-lock contracts (HTLCs) with better privacy and eliminating the correlation vulnerability, musig2-based channel opens that look like single-key transactions on-chain, and more efficient channel factories and multi-party Lightning constructions. The full exploitation of Taproot in Lightning infrastructure is still being rolled out as of 2026.

Adoption and Taproot Outputs in 2026

Taproot output type adoption grew steadily after activation. As of 2026, approximately 55–60% of new Bitcoin outputs are Taproot P2TR (pay-to-taproot) type, up from near-zero at activation. Major exchanges (Coinbase, Binance) and wallets (Bitcoin Core, Sparrow, BlueWallet, Ledger) now default to Taproot addresses. Slower-to-update custodians and institutions still create legacy P2PKH or P2WPKH outputs, but the trajectory is toward full Taproot dominance over the next 2–3 years as legacy output types are gradually phased out.