Designing a foolproof script upgrading mechanism

In just a few days, bitcoin will activate one of its most significant upgrades, Taproot. Taproot is impressive in many different ways, but perhaps its most remarkable aspect is that it removes the last barriers to using arbitrary scripts in bitcoin.

For years, the bitcoin community has produced novel ideas on how to improve the experience of using bitcoin by tapping into its scripting capabilities. These ideas range from scaling improvements (payment channels, channel factories), to privacy enhancements (atomic swaps, coin pools), to security and recovery guarantees (time-lock vaults, social recovery).

Despite the potential benefits of these improvements, most bitcoin wallets are still using some variation of the original pay-to-public-key script. Why is this?

The answer lies in the lack of efficiency, privacy, and interoperability when using other scripts.

Efficiency and privacy at the protocol layer

While using arbitrary scripts has been possible since 2011 (when BIP13 introduced P2SH), practical limitations have strongly disincentivized their use in end-user products. Using more powerful scripts meant paying higher transaction fees — sometimes prohibitively high. Even worse, uncommon scripts resulted in an almost complete loss of on-chain privacy: you can search the blockchain and locate all transactions ever made with any particular script.

This is precisely the problem that Taproot solves. By combining Taproot and MuSig, arbitrary scripts are now indistinguishable from regular pay-to-public-key scripts. What's particularly fascinating about Taproot's approach is that it aligns individual economic incentives (paying less in fees) with increased privacy for all users.

By making arbitrary scripts efficient and private, Taproot has the potential to unleash a wave of latent innovation in the ecosystem. But this innovation won't click into place until it reaches the hands of users. And this happens at the wallet layer.

Recovery interoperability at the wallet layer

Recovery interoperability is a crucial property of self-custodial wallets: it guarantees that users can recover their funds even if the wallet provider disappears. Since the introduction of mnemonics in 2013 and standard derivation paths in 2014, we've had a mostly interoperable recovery mechanism for importing and sweeping funds in pay-to-public-key scripts.

However, mnemonics rely on all wallets using a single key with the same, single script: pay-to-public-key. If we want to keep (and improve!) recovery interoperability in a world of payment channels and multisig vaults, we need to work on new backup and recovery mechanisms.

Enter output script descriptors (BIP380 to BIP386). Designed by Pieter Wuille and Andrew Chow, descriptors provide a human-readable way to express any combination of keys, scripts, derivation paths, and address types without ambiguity. These descriptors allow a program to discover and spend funds from any given script in a fully interoperable manner.

Wallets can now produce their output descriptors and immediately gain recovery interoperability with other descriptor software, such as Bitcoin Core. Many of them are already doing so!

Output descriptor upgrading

While descriptors solve recovery interoperability for any given wallet setup, these setups change over time. As bitcoin evolves, new address types and scripting capabilities emerge, while ideas like payment channels mature — think eltoo.

Traditionally, wallet providers introduced these improvements by prompting users to create a new wallet. This mechanism places a heavy burden on users. They need to write down a new set of mnemonics to keep safe in cold storage, then move some funds to the new wallet (paying on-chain fees), and end up with their funds fragmented in different wallets based on their address type and script.

In a world of rapidly evolving technologies, we need to design a foolproof descriptor upgrading mechanism that lowers the friction of adopting new address types and scripts. How can a wallet backup be both secure and easy to upgrade?

Muun's Emergency Kit was designed for this. The Emergency Kit is a PDF document that contains your private keys and output descriptors. All sensitive material is securely encrypted with a cold recovery code. As a result, the Kit is harmless by itself and safe to store in the cloud.

Each time a new descriptor is needed, the user can easily upgrade the Emergency Kit. By upgrading before ever using the new descriptor, funds are recoverable at all times. Meanwhile, the cold recovery code remains fixed and safe in cold storage.

Since multiple descriptors can coexist in the same wallet, there's no need to fragment funds or make transactions to move them. Users can choose whichever address type they prefer, and adopt new ones as the ecosystem evolves.
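
The following Python example is added here for illustration; it is not Muun's code and not part of the original post. It implements the 8-character checksum that BIP380 appends to a descriptor after "#", then uses it to enforce the rule described above: a descriptor may only be put to use once the backup holds an intact copy of it. The names unrecoverable, OLD, NEW, KIT_V1 and KIT_V2 are hypothetical, and XPUB is a placeholder rather than a real key.

```python
INPUT_CHARSET = ("0123456789()[],'/*abcdefgh@:$%{}"
                 "IJKLMNOPQRSTUVWXYZ&+-.;<=>?!^_|~"
                 "ijklmnopqrstuvwxyzABCDEFGH`#\"\\ ")
CHECKSUM_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = [0xF5DEE51989, 0xA9FDCA3312, 0x1BAB10E32D, 0x3706B1677A, 0x644D626FFD]

def _polymod(symbols):
    chk = 1
    for value in symbols:
        top = chk >> 35
        chk = ((chk & 0x7FFFFFFFF) << 5) ^ value
        for i in range(5):
            chk ^= GENERATOR[i] if (top >> i) & 1 else 0
    return chk

def _expand(body):
    """Map characters to 5-bit symbols; every 3 characters add one group symbol."""
    symbols, groups = [], []
    for ch in body:
        pos = INPUT_CHARSET.find(ch)
        if pos < 0:
            raise ValueError(f"character {ch!r} not allowed in a descriptor")
        symbols.append(pos & 31)
        groups.append(pos >> 5)
        if len(groups) == 3:
            symbols.append(groups[0] * 9 + groups[1] * 3 + groups[2])
            groups = []
    if groups:  # one or two leftover characters
        symbols.append(groups[0] if len(groups) == 1 else groups[0] * 3 + groups[1])
    return symbols

def checksum(body):
    chk = _polymod(_expand(body) + [0] * 8) ^ 1
    return "".join(CHECKSUM_CHARSET[(chk >> (5 * (7 - i))) & 31] for i in range(8))

def is_valid(descriptor):
    body, sep, given = descriptor.rpartition("#")
    if not sep or len(given) != 8 or any(c not in INPUT_CHARSET for c in body):
        return False
    return checksum(body) == given

def unrecoverable(active_bodies, kit_descriptors):
    """Active descriptors with no intact (checksum-valid) copy in the backup."""
    intact = {d.rpartition("#")[0] for d in kit_descriptors if is_valid(d)}
    return [b for b in active_bodies if b not in intact]

# Constructed sample: a kit before and after adding a Taproot descriptor.
OLD, NEW = "wpkh(XPUB/0/*)", "tr(XPUB/0/*)"
KIT_V1 = [f"{OLD}#{checksum(OLD)}"]
KIT_V2 = KIT_V1 + [f"{NEW}#{checksum(NEW)}"]
```

A wallet would refuse to hand out addresses from any descriptor that unrecoverable() reports, so a kit that was never upgraded or was damaged in storage is caught before funds depend on it.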

Taproot and MuSig in Muun

Today we are releasing the new descriptor upgrading mechanism and using it for the first time with Taproot and MuSig. Stay tuned for an in-depth walkthrough of Muun's new output descriptor.