Hi everyone,<br /><br />I'd like to propose a new native SegWit output type: Pay to Schnorr Key Hash (P2SKH).<br /><br />== The problem ==<br /><br />The two most relevant output types today each solve half the problem:<br />- P2WPKH has a compact 22-byte scriptPubKey, but uses ECDSA and puts the full 33-byte compressed public key in the witness (~108 witness bytes per input).<br />- P2TR uses Schnorr signatures (64-byte witness), but embeds the full 32-byte x-only public key directly in the scriptPubKey, making outputs 12 bytes larger than P2WPKH and exposing the key in every unspent output.<br /><br />Neither type achieves both a compact output and a compact witness simultaneously.<br /><br />== The proposal ==<br /><br />P2SKH uses OP_2 &lt;hash160(P.x)&gt; as the scriptPubKey (22 bytes, same as P2WPKH). Spending requires a single 64-byte Schnorr signature. Verification works by key recovery: given the signature (R, s) and the challenge e = TaggedHash("P2SKH/challenge", R.x || hash160(P.x) || msg), the verifier recovers P = e^-1 * (s*G - R) and checks that hash160(P.x) matches the program. The sighash reuses the BIP341 transaction digest, so cross-version replay is prevented by the scriptPubKey commitment.<br /><br />The result is the smallest combined footprint of any current single-key output type — a 22-byte output with a 64-byte witness — while keeping the public key off-chain until spending.<br /><br />== Tradeoffs ==<br /><br />The key-recovery step costs roughly one extra field inversion and scalar multiplication compared to direct Schnorr verification. This is the price of the 12-byte output size reduction.<br /><br />== Open questions ==<br /><br />1. BIP360 also claims witness version 2. If both proposals advance, one needs to move. Version 3 seems like a natural alternative for P2SKH.<br />2. Naming — "P2SKH" follows the established pattern but "P2TRKH" has been suggested to emphasise Schnorr/taproot lineage. Opinions welcome.<br /><br />Full draft: https://github.com/sashabeton/bips/blob/3cb9e07984b571e9510370ab7e7218620be580dc/p2skh.md<br />PoC implementation: https://github.com/bitcoin/bitcoin/pull/34826<br /><br />Thanks in advance for any feedback.<br />

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoindev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href="https://groups.google.com/d/msgid/bitcoindev/3dcadd5d-702a-4e6c-ad6c-2ddfe68ec73en%40googlegroups.com?utm_medium=email&utm_source=footer">https://groups.google.com/d/msgid/bitcoindev/3dcadd5d-702a-4e6c-ad6c-2ddfe68ec73en%40googlegroups.com</a>.<br />