How Taproot makes the Lightning Network more private and efficient.
In February, the Bitcoin community dedicated significant energy to discussing how Taproot, a soft fork activated by the network at the end of 2021, can improve the Lightning Network in terms of privacy and costs. But let’s start from the beginning: what is the Lightning Network and why might Taproot represent a breakthrough?
Lightning Network – what it is and how it works
The Lightning Network is a “layer 2” solution built on top of Bitcoin, designed to make transactions faster and cheaper. It works by opening payment channels between two users who want to exchange funds frequently.
Let’s suppose Alice and Bob want to open a channel. To do so, they publish an on-chain transaction that sends money to a special address, a 2-of-2 multisig. Once the transaction is confirmed, the channel is operational and Alice and Bob can begin exchanging off-chain payments. When they decide to close the channel, they publish another on-chain transaction that distributes the funds to each party.
This allows Alice and Bob to exchange a potentially unlimited number of payments using only two on-chain transactions: one to open the channel and one to close it. In this way, not only are transaction costs drastically reduced, but privacy is also increased, since Alice and Bob can exchange funds off-chain without having to publish each individual payment on the blockchain.
However, there’s one aspect to keep in mind: the opening and closing of a channel can be recognizable on-chain. In some cases, such as non-cooperative closures, the transactions are particularly evident; in others, such as cooperative openings and closings, they are less easily identifiable, but still distinguishable from “classic” single-sig transactions.
Private or public channels
Once the channel is open, Alice and Bob can choose whether to keep it private, meaning not letting the Lightning Network know of its existence, or to announce it, allowing other users to use it to route payments. Thanks to the presence of many announced channels, Charlie and Daniela can exchange funds even without having a direct channel between them.
When Alice and Bob announce their channel, they send a message to the network saying:
“Hello, we are Alice and Bob and we have opened a channel. Here is the ID of the opening transaction: <txid>.”
Taproot and privacy improvements
Taproot introduced a new type of signature to Bitcoin: the Schnorr signature. Schnorr signatures are particularly interesting because they allow the use of a cryptographic trick called MuSig.
MuSig allows multiple signers to produce a single signature together, which appears as a normal signature generated by a single user. So, even if a Lightning channel uses an N-of-N multisig, the resulting signature is indistinguishable from that of a single key. In other words, in the eyes of an external observer, an opening or closing transaction of a Lightning channel based on Taproot+MuSig can appear as any other Bitcoin transaction.
The result is a huge improvement in terms of privacy, because it makes it difficult to distinguish Lightning transactions from ordinary ones. Or almost…
Open questions
Remember what we said earlier? When Alice and Bob open a channel and want to make it public, they must announce the ID of the opening transaction to the network. Therefore, even if the on-chain transaction looks like a normal Taproot transaction, the announcement itself reveals that it’s a Lightning channel, partially compromising privacy.
Currently, the only Lightning implementation that supports Taproot channels is LND, but it only allows opening private channels: the protocol for announcing them is not yet ready, and it’s precisely this protocol that was the subject of various discussions in February.
In fact, there is a proposal to expand the announcement protocol to support Taproot. With this proposal, when Alice and Bob want to open a channel, they would send a message to the Lightning Network like:
“Hello, we are Alice and Bob and we have opened a taproot channel. Here is the ID of the opening transaction: <txid>.”
This is where an interesting proposal advanced by developer Johan Halseth comes into play: what if, instead of including the ID of the opening transaction in the announcement, a zero-knowledge proof were used? Such a proof would demonstrate that the transaction occurred and that the corresponding UTXO (unspent output) is still valid (meaning the channel is open), without revealing which transaction it is.
The opening message would therefore become:
“Hello, we are Alice and Bob and we have opened a Taproot channel. Here is a proof that we have opened the channel, which does not reveal which transaction is the opening one: <zero-knowledge proof>.”
This specific solution would not require changes to the Bitcoin network, but only a technology called Utreexo, which is still in development.
Where are we today?
The discussion on how to best integrate Taproot into the Lightning Network is still ongoing. Many developers are evaluating which cryptographic primitives make more sense to use.
Despite the enthusiasm, however, we are still far from seeing Lightning fully exploit the potential of Taproot – Bitcoin is not finished! There is still plenty of room for improvements and innovations.
In other words, the best is yet to come!