Graftroot: Private and efficient surrogate scripts under the taproot assumption

A non-interactive schnorr aggregation trick can be used to merge the S values of all graftroots and signatures in a transaction into a single aggregate. This reduces the overhead to ~32 bytes, which is the same as taproot's overhead. The published grafts are then bound to a particular transaction, which could help avoid some mistakes. However, the binding of grafts to a specific transaction might not require this aggregation. It may be possible to sign H(txid, script) instead of H(script). Its impact on aggregation is unknown.