 Excellent summary. At a low level I think it's also important to point out that Schnorr sigs allow us to remove multisignature complexity from bitcoin consensus. ECDSA multisignature operations are performed in bitcoin script which reduces privacy and increases blockspace usage. Taproot multisig all happens off-chain, which brings huge benefits that are still being explored with novel protocols. 
 Nit: taproot also has script multisig (op_checksigadd, a new multisig opcode), and it's useful separately to musig or frost etc. Good point about outside consensus, and more generally schnorr is much more amenable to sophisticated cryptographic techniques than ecdsa was. 
 Outside consensus also means data retention problems now are thrust onto the user. Interesting trade-off and desirable, methinks.  
 Interesting point. I think taproot is not actually an improvement in terms of data availability for the most common multisig setups. Most ECDSA multisig addresses hash the script so you need to keep it safe off-chain. If you lose your wallet descriptor (which contains the script) you get rekt because you can't spend the UTXO, even if you have the right signatures.

This is why you always want to store the descriptor in physical format along with each private key. You don't know which key will get got so you need redundant copies.

A cool project I don't have time for would be to encrypt your wallet descriptor using your master key and store it as an inscription recoverable using only that private key. You still have to pick some kind of standardized wallet descriptor to go from master key to that first address, but this could just be a bip or some other standardized protocol.

It would be fun and educational to build but limited impact. 
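
The point above about hashed multisig scripts, as an added example that is not part of the thread: a P2WSH output commits only to the SHA-256 of the witness script, so two cosigners who hold their own keys but not the third public key cannot rebuild the script they must reveal to spend. The public keys are constructed 33-byte stand-ins and the function names are hypothetical.

```python
import hashlib
from itertools import permutations

OP_0 = 0x00
OP_CHECKMULTISIG = 0xAE


def multisig_witness_script(m, pubkeys):
    """Build OP_m <pk1> ... <pkn> OP_n OP_CHECKMULTISIG for compressed keys."""
    if not 1 <= m <= len(pubkeys) <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    script = bytes([0x50 + m])                # OP_1..OP_16 are 0x51..0x60
    for pk in pubkeys:
        if len(pk) != 33:
            raise ValueError("expected 33-byte compressed public key")
        script += bytes([len(pk)]) + pk       # direct push of 33 bytes
    return script + bytes([0x50 + len(pubkeys), OP_CHECKMULTISIG])


def p2wsh_script_pubkey(witness_script):
    """On-chain output: OP_0 <32-byte sha256(witness_script)>."""
    return bytes([OP_0, 0x20]) + hashlib.sha256(witness_script).digest()


def recover_witness_script(m, known_pubkeys, script_pubkey):
    """Try every ordering of the known keys; None if the hash never matches."""
    for order in permutations(known_pubkeys):
        candidate = multisig_witness_script(m, list(order))
        if p2wsh_script_pubkey(candidate) == script_pubkey:
            return candidate
    return None


def constructed_pubkey(label):
    # Constructed stand-in bytes for the demo, not real keys.
    return b"\x02" + hashlib.sha256(label).digest()


KEYS = [constructed_pubkey(name) for name in (b"alice", b"bob", b"carol")]
SCRIPT = multisig_witness_script(2, KEYS)      # what the descriptor encodes
OUTPUT = p2wsh_script_pubkey(SCRIPT)           # all that the chain stores

if __name__ == "__main__":
    print("scriptPubKey:", OUTPUT.hex())
    # Two cosigners without the descriptor: enough signatures, no script.
    print("2 keys only :", recover_witness_script(2, KEYS[:2], OUTPUT))
    # All three public keys (any order): the script can be rebuilt.
    rebuilt = recover_witness_script(2, KEYS[::-1], OUTPUT)
    print("3 keys      :", rebuilt.hex())
```
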
 nostr:nprofile1qqsdnpcgf3yrjz3fpawj5drq8tny74gn0kd54l7wmrqw4cpsav3z5fgpz4mhxue69uhk2er9dchxummnw3ezumrpdejqz9rhwden5te0wfjkccte9ejxzmt4wvhxjmcprpmhxue69uhhyetvv9ujuumwdae8gtnnda3kjctvl3x2lg