bitcoin-dev
Should Graftroot be optional?
Posted on: May 23, 2018 13:50 UTC
Pieter Wuille, a Bitcoin developer, raised the question of whether Taproot and Graftroot deployment may require an explicit enable or disable feature for the Graftroot spending path.
While there are no strong reasons to necessitate such a feature, Wuille sought other opinions. On a related note, Graftroot has been found to break blind signature schemes. This can be seen in a protocol where UTXOs controlled by the same key X require blind signatures on receiving new funds, but parties cannot verify what they are signing. There are also concerns regarding SIGHASH_NOINPUT, which Wuille would like to see as disable-able. A proposal to include a free "flags" byte in the witness was suggested, although some argue that including a space-consuming optional Graftroot in the Taproot proposal later may not be necessary as it would not incur any opportunity cost in blockchain efficiency. Signature aggregation is also an issue, with developers stating that it is important to preserve the “one signature = at most one input” rule for certain outputs.