From: sashabeton <sashabeton2007@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: [bitcoindev] [BIP proposal] Pay to Schnorr Key Hash (P2SKH)
Date: Mon, 16 Mar 2026 01:51:45 -0700 (PDT) [thread overview]
Message-ID: <3dcadd5d-702a-4e6c-ad6c-2ddfe68ec73en@googlegroups.com> (raw)
[-- Attachment #1.1: Type: text/plain, Size: 2508 bytes --]
Hi everyone,
I'd like to propose a new native SegWit output type: Pay to Schnorr Key
Hash (P2SKH).
== The problem ==
The two most relevant output types today each solve half the problem:
- P2WPKH has a compact 22-byte scriptPubKey, but uses ECDSA and puts the
full 33-byte compressed public key in the witness (~108 witness bytes per
input).
- P2TR uses Schnorr signatures (64-byte witness), but embeds the full
32-byte x-only public key directly in the scriptPubKey, making outputs 12
bytes larger than P2WPKH and exposing the key in every unspent output.
Neither type achieves both a compact output and a compact witness
simultaneously.
== The proposal ==
P2SKH uses OP_2 <hash160(P.x)> as the scriptPubKey (22 bytes, same as
P2WPKH). Spending requires a single 64-byte Schnorr signature. Verification
works by key recovery: given the signature (R, s) and the challenge e =
TaggedHash("P2SKH/challenge", R.x || hash160(P.x) || msg), the verifier
recovers P = e^-1 * (s*G - R) and checks that hash160(P.x) matches the
program. The sighash reuses the BIP341 transaction digest, so cross-version
replay is prevented by the scriptPubKey commitment.
The result is the smallest combined footprint of any current single-key
output type — a 22-byte output with a 64-byte witness — while keeping the
public key off-chain until spending.
== Tradeoffs ==
The key-recovery step costs roughly one extra field inversion and scalar
multiplication compared to direct Schnorr verification. This is the price
of the 12-byte output size reduction.
== Open questions ==
1. BIP360 also claims witness version 2. If both proposals advance, one
needs to move. Version 3 seems like a natural alternative for P2SKH.
2. Naming — "P2SKH" follows the established pattern but "P2TRKH" has been
suggested to emphasise Schnorr/taproot lineage. Opinions welcome.
Full draft:
https://github.com/sashabeton/bips/blob/3cb9e07984b571e9510370ab7e7218620be580dc/p2skh.md
PoC implementation: https://github.com/bitcoin/bitcoin/pull/34826
Thanks in advance for any feedback.
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/3dcadd5d-702a-4e6c-ad6c-2ddfe68ec73en%40googlegroups.com.
[-- Attachment #1.2: Type: text/html, Size: 2859 bytes --]
next reply other threads:[~2026-03-16 10:48 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-16 8:51 sashabeton [this message]
2026-03-16 11:12 ` Martin Habovštiak
2026-03-16 11:43 ` Alex
2026-03-16 14:36 ` sashabeton
2026-03-16 15:57 ` Martin Habovštiak
2026-03-16 15:43 ` Alex
2026-03-16 16:00 ` sashabeton
2026-03-16 16:25 ` Martin Habovštiak
2026-03-24 6:02 ` aaron.recompile
2026-03-16 19:29 ` Alex
2026-03-17 7:23 ` Saint Wenhao
2026-03-17 7:40 ` sashabeton
2026-03-17 18:00 ` waxwing/ AdamISZ
2026-03-17 18:30 ` waxwing/ AdamISZ
2026-03-18 5:24 ` Saint Wenhao
2026-03-18 15:50 ` "wrapped Taproot" from RIPEMD-160 collisions, Was: " Ethan Heilman
2026-03-16 11:38 ` Saint Wenhao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3dcadd5d-702a-4e6c-ad6c-2ddfe68ec73en@googlegroups.com \
--to=sashabeton2007@gmail.com \
--cc=bitcoindev@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox