From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Mon, 23 Mar 2026 02:54:30 -0700 Received: from mail-qt1-f192.google.com ([209.85.160.192]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1w4bzR-0004GI-6A for bitcoindev@gnusha.org; Mon, 23 Mar 2026 02:54:30 -0700 Received: by mail-qt1-f192.google.com with SMTP id d75a77b69052e-5090cc6a7d2sf242349841cf.2 for ; Mon, 23 Mar 2026 02:54:28 -0700 (PDT) ARC-Seal: i=3; a=rsa-sha256; t=1774259662; cv=pass; d=google.com; s=arc-20240605; b=W+OK+kvZE4Qpqoe9YNiQbh1hXiv3yNFqSn564m1UWoQMs7H6S/9TqVVi68KOWofFw2 ySiHPdfDg7wsN+vULcGHohYB68mXnqJ/aRV3l4uswZF+CYOAE7tElp8uCvEMAU12K/RH cgwEYKtMlTUup9Gf0pfoF4DAHwycowc45mGi8R966jzUA5cQUuWLxlwz2rG1UXgbmW2O vVRR1ISEhYoocPCz3Gjazme3i25SJR14VPQXupkkjpVMMhxcRcRWDjfkRp5fjOKQwusF sDHNe1ntm8jjqYgtNXy1gCxCGQBGWWMBUO8jNCYK3geyOZzu1FFIly9205okFbwyzpes 7rUw== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:sender:dkim-signature :dkim-signature; bh=FYq8lpNbghx7mghZ3pvri35dJh3YsY+8slmvyc3eOSY=; fh=BiMRHoXfDFZzCd5rXr7oZ3Bk1KXg7HGfLXe8MkLQH/0=; b=Z1EPF7Npwgh4POkkSA0OKm+dyFAd6wvbr0536XPEsi6DIb+FzP+/ulWV44xCf+4//q LNEKWoEoJdHo12HETrkJ2Vit7H+hRytjpHUnz83kyWM0Oeo6ct7P6+zpRuuOAag0Ffvz R9ITcsUWJnLgSfwdnfSlOeoEpg0RRy2QSuxTLYTmBv0gVJ3tYJofGMeu7Mq1cFfQ1MJN 9gQkl6HstMBaQt8vOzjcFzbuNbQkHOch8GhM89mZTU3wqgVXxcb54p2ZW/QbFX40lPgW jLVLRyHZ0N2hQl2/0RCdeqVbEKS7BifYSN+gy9Z5y5em6aCc5pW0x3V2I5qqd3GYvsuh ExzQ==; darn=gnusha.org ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=aZUxskCg; arc=pass (i=1); spf=pass (google.com: domain of martin.habovstiak@gmail.com designates 2607:f8b0:4864:20::c33 as permitted sender) smtp.mailfrom=martin.habovstiak@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20251104; t=1774259662; x=1774864462; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:sender:from:to:cc:subject:date:message-id :reply-to; bh=FYq8lpNbghx7mghZ3pvri35dJh3YsY+8slmvyc3eOSY=; b=vAjn4LVdV03Z1q9Lk7at/QJMFI9Hocx2KggNOxbdDC81A2DZW7uxGeOtIQLIymqInG NdqX2/qTWqnHSTjxZ2uTV7X5PWAQXSkH1tntJNhmg1bleD40Ak8IHF1qm2MTPXaG2Ewc tFExDfLavtLerBKvcAASH6Kpz16QOOqqSuahSp4xbWA4XMq2CXF3MwOW7xQm0Nsd0T2S D0KzxgYQ69LrQUJ/KEDejrgiL58ynzdimqZrT+roD0y6Vi9po4IAWX0/r4Z0lHlRzcu+ n/L7TPkVte1r0TklngFmfmVLOj449Z9YquP11GphoTjqXJEc7L0KouKeFM7oXeUkTJS0 x2Zw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1774259662; x=1774864462; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=FYq8lpNbghx7mghZ3pvri35dJh3YsY+8slmvyc3eOSY=; b=Vk82l/Y1zaVxwug9F5z+AmyBNr2YuPQbbQHEpIV0eUlO9N1iLi/rQjJFg2D21vbF4o V2uwLA6qn4Sl0zRdgMNo3xywz+4IY+rE6CUbcJIBKB9Ro1HFPFn4B8R02mAR7IKc+iGg qRdPxn8eESgsaiCg5xI+VJMksvvBI9EhiF72BNmJoQxAuaAssb/cQ9nWddz6d3uL9lve vGrsIzOlGXwlUfSW2any9fQc8f0UwvDI9jb8+SQ6KMy9e2ssQ/EyT4oqlaZfKdC+IvEd EXgY/+o522a7yHVTMtaME9MUCbK0+ZZBQkU0ouCU5J4Q9dxQG/s0K0dyMqqlmAANVJRv 2Dlg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774259662; x=1774864462; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:x-gm-gg:x-beenthere:x-gm-message-state :sender:from:to:cc:subject:date:message-id:reply-to; bh=FYq8lpNbghx7mghZ3pvri35dJh3YsY+8slmvyc3eOSY=; b=L/n4j2H64dcUNSgRwFoauk3y81UrJ+SofEpA7LFGDpIN7qDMOY3rDYb0JYMzRnA72L gUqw9NcIXUJtnay/kb8Wcm4JmZKYTJKUOdvA2KXOhjgFygTjS8ycMAhjAH4FaJong3EI z56ShxtHrnJwv/PEoz5g4DxxOIYf5MlTAwOTo3YMOo2mLkXwTQl1a+1YUVJQ+Eh0YmmA eGP824BuStMA/zJ4XrdJn+2cCKqtphif4ABLMuHy4hjr4RYff2Tl5sb2r4qnjE9bM8uq AakKkAEkAjXW1gMt3ElpA8Bo+GN1/Rj6Y35Edxm4sR75ybmaaY43KJl/JsPf6oSGXuzX mrxg== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=3; AJvYcCXpmW5iy9f4j3Q7xHHeD2erV44mqXpy8M3S3P+a5dSC7KEGMTbbNJ0jEqsQJkKRx7LAd2r293blMfiM@gnusha.org X-Gm-Message-State: AOJu0YyumTIK2v8mFHakyWx3mqxJtTUtNSr3Jc4x96Kdgwpoh+DdUGnP /j6yli2tzxOU6Eed1mnL5xvht+l1snaRq74sJ/I0Ki3FyZ6o6JzuNr6m X-Received: by 2002:a05:622a:1489:b0:509:3257:c050 with SMTP id d75a77b69052e-50b3744a0cbmr184469421cf.24.1774259661963; Mon, 23 Mar 2026 02:54:21 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com; h="AYAyTiLuq+s80QfWWeWYme71oB35f/MkpCCtG6i+EP1ad2J6Lg==" Received: by 2002:a05:6214:1c0c:b0:89a:12a0:7ebc with SMTP id 6a1803df08f44-89c78053d6bls81585146d6.0.-pod-prod-05-us; Mon, 23 Mar 2026 02:54:16 -0700 (PDT) X-Received: by 2002:a05:620a:4103:b0:8cb:62c3:3690 with SMTP id af79cd13be357-8cfc7b7e772mr1596484185a.13.1774259656744; Mon, 23 Mar 2026 02:54:16 -0700 (PDT) Received: by 2002:a05:620a:6406:b0:8cd:90d4:fad8 with SMTP id af79cd13be357-8cdab9eb995ms85a; Mon, 16 Mar 2026 08:57:38 -0700 (PDT) X-Received: by 2002:a05:6122:1d91:b0:56a:f576:cfca with SMTP id 71dfb90a1353d-56b627f3a24mr4670411e0c.2.1773676658047; Mon, 16 Mar 2026 08:57:38 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1773676658; cv=pass; d=google.com; s=arc-20240605; b=WlV+iD9ZxzPtdbv6MpHqz+YlimfhIx809c0NjXCFG/Shq/UUzDGuCcbpneP7npShB+ NbAJErOc5oB61hNRsOFmbB08Ji7oR+gcpiOFFuYF4LLZMPhnlZBnuuGla3Ra35DNrG1+ ISz17mX9GOZNuZNUzzh6o53W8q/v6nh46K7QFeC9UHPpQ2kngwbzw9GVKMUC122nkDt1 RVbWV1Hf6NAC4/HPC5zCwTzrklFnGCPGhlZyRoU11P5k6KChyiG4jW8026WxhrhEf/AC X/G9qPkQIATgeZOWSc9U6Nt/f+cuT3Tfb3PTPzuXzh8O7xXc3OgHr8MbKlQP9R3sInFO 47Mw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=nYXxm8UpzWSKqA2dYn7FQnolRa7IJD9dzOFCYVuci1Y=; fh=mQ65DjksMfpG9wM24PB36rad6dWAmzL2MpuOdHPZPFg=; b=IVjq97TMxBBZBhNFzC8iISNwzBTJDxV3/oaYbJLIyAdPBRTReJV+LBm96Sy04nsv2w WHGZCpW2DtSGchnXsw+UFeTdXKYsiFF9+dsvED2aHiYCA1laBFJGmHlk9SO76b7AWQB0 gs3s9F0QWjsIelDLNfZ/PnN8uClT+dxPyVBHDWP+NAODk0rPehscbUCbUVUHj4zXxIpH BS+IeERYkplBkcI98zmWaTn4Wcq1Xi9OLYjJIUA7me3Hon7hvnIg29Zw3ZKgHDU53YyW jkjEOnAD096aSRixQwRmIR3JN4qUTy7saikmW4qWnU31uAuwSsIMOHl2a8IhAcd0QSoD oLJQ==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=aZUxskCg; arc=pass (i=1); spf=pass (google.com: domain of martin.habovstiak@gmail.com designates 2607:f8b0:4864:20::c33 as permitted sender) smtp.mailfrom=martin.habovstiak@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Received: from mail-oo1-xc33.google.com (mail-oo1-xc33.google.com. [2607:f8b0:4864:20::c33]) by gmr-mx.google.com with ESMTPS id 71dfb90a1353d-56b6c245b03si272118e0c.7.2026.03.16.08.57.38 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 16 Mar 2026 08:57:38 -0700 (PDT) Received-SPF: pass (google.com: domain of martin.habovstiak@gmail.com designates 2607:f8b0:4864:20::c33 as permitted sender) client-ip=2607:f8b0:4864:20::c33; Received: by mail-oo1-xc33.google.com with SMTP id 006d021491bc7-67bb5e4cf7eso2361845eaf.2 for ; Mon, 16 Mar 2026 08:57:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1773676657; cv=none; d=google.com; s=arc-20240605; b=EKfHuELwmQvMDzuB95taEjVwVZf2emYakav5D+HK62UgDTRxTBIE2chmA+P/J4He83 oDbmAU+JirtAIptSE4J7Jif5SVwhr6VvARd8onuST9YzMFW7y49sDdqfXbzQW+VxO5G/ HIXouO961yz9qzX+kF9FbhKnF05VapKkDRnb7oCukoqq92s9XMD1Tb7Y5MvBcPoLKifU gPIvvp6W3qP1OkZocIbBs090BASCBpFi7EIFpCtKJuKsGzQ1qLyWWuDL9hgAZ/FU3Sqr iiPrQ1Fsez6AEqS64FhhtnpEhL3GZeOo7lZGR12CXvcxYlpqvm2PijHE0Y3NvILeIn7M di4A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=nYXxm8UpzWSKqA2dYn7FQnolRa7IJD9dzOFCYVuci1Y=; fh=mQ65DjksMfpG9wM24PB36rad6dWAmzL2MpuOdHPZPFg=; b=VAdTOGq5hNC7FOFkyO8FyBkMknlb1jG2CS4mMIMmzEVEYEMKcLIrbbTiyAIAFsleYW 9sD0g9SMLvGk/FlppYi7XUhAOY+qxRr3B5l5IDlg96Rt+rmyPPeQRrfMxICRNQ6lhpYL i0JWB6erM3lkra8l8oUux+zyineLupLn3O99vdw/JWrW/OGoNGQnaXQLXbXsJxx8+2re 1HLYLvdx4ZPpGKxe7mavgpK8BFP49FyT5aF3HJ8znYwSE0gz/IoTJ75tUu/MTD1XNiv4 izCi3lnjmwsNgPAhQL/5KPrnuEdA7F/mj0Xih3oe6YVH/xWY5wWSWHds8IV0URfKtXqX 9bVw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; arc=none X-Gm-Gg: ATEYQzwQngByaMSEPjnS4YNwIx33U8CwzT2hSvX/hesfawoPYkYZgxt+1ozTGz/y7dm 5OPvYoRzGmerou+tKAiZSflGzZ+V5pQdNGsgwv7UPYR2/jFe7pQywMtaWm++0arQ2v01tuVCYUj jxwZD1sOb0uuAKr6icaeNImFBNHAVU2sxusxU0bLXuziNlzvOpI88/v1IBjQJxvZN2rK+T8Pqxp nBfRe0/jdTmtQ84kpNlddb2gGJKF4YUS0K9/419b6YunHP1sc67Cv71HwSBcILf22M+xT4njT3x cahzOkY= X-Received: by 2002:a05:6820:4a13:b0:679:a560:cac7 with SMTP id 006d021491bc7-67bda991fb2mr7238600eaf.7.1773676657344; Mon, 16 Mar 2026 08:57:37 -0700 (PDT) MIME-Version: 1.0 References: <3dcadd5d-702a-4e6c-ad6c-2ddfe68ec73en@googlegroups.com> <9e030d1e-0eab-4463-948e-ef3ec3c43b1bn@googlegroups.com> In-Reply-To: <9e030d1e-0eab-4463-948e-ef3ec3c43b1bn@googlegroups.com> From: =?UTF-8?Q?Martin_Habov=C5=A1tiak?= Date: Mon, 16 Mar 2026 16:57:26 +0100 X-Gm-Features: AaiRm53R0QKjcJixVx66i8uKNkq5Nv7UGaeQz0DPnz7pDSEpaZRvKEwopnOSE8k Message-ID: Subject: Re: [bitcoindev] [BIP proposal] Pay to Schnorr Key Hash (P2SKH) To: sashabeton Cc: Bitcoin Development Mailing List Content-Type: multipart/alternative; boundary="0000000000001b8594064d26474c" X-Original-Sender: martin.habovstiak@gmail.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=aZUxskCg; arc=pass (i=1); spf=pass (google.com: domain of martin.habovstiak@gmail.com designates 2607:f8b0:4864:20::c33 as permitted sender) smtp.mailfrom=martin.habovstiak@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.5 (/) --0000000000001b8594064d26474c Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Takes ton of engineering effort just to undermine the privacy benefits of Taproot we've all been fighting for. Not worth it in my view. If you want to optimize transaction cost, focus on CISA instead. It has much greater potential than to save 12B per key. Just having two inputs in transaction already saves 64B. D=C5=88a po 16. 3. 2026, 16:45 sashabeton nap=C3= =ADsal(a): > On scriptability and OP-code upgradeability: P2SKH is explicitly a > single-key output type, the same as P2TR key-path spending. If you need > Tapscript or OP-code upgradeability, you use P2TR. P2SKH targets the same > use case as P2WPKH today: simple, high-volume payments where you have one > key and no script conditions. In that use case P2TR key-path spending > offers no scriptability either =E2=80=94 this is not a new trade-off, it = is the > same one Taproot already made. > On quantum security: the broader quantum-resistance question is > legitimate, but it applies equally to all of Bitcoin's current output > types. A proper solution requires a post-quantum signature scheme =E2=80= =94 a new > cryptographic assumption. Until such a scheme is designed, reviewed, and > adopted by the network (a multi-year process), there is value in keeping > the 20-byte hashed address format that wallets and users already know, > while gaining Schnorr efficiency. P2SKH offers exactly that bridge, witho= ut > waiting for a problem the entire ecosystem has yet to solve. > On Monday, 16 March 2026 at 12:57:52 UTC+1 Alex wrote: > >> You are saving 12 bytes by removing all the scriptability, OP-code >> upgradeability and basically locking yourself to a non-quantum-secure ke= y >> spend path that is only quantum secure if never spent? Or did I >> missunderstand? >> >> m=C3=A5ndag 16 mars 2026 kl. 12:25:57 UTC+1 skrev Martin Habov=C5=A1tiak= : >> >>> Taproot specifically did not do this for good reasons that are well >>> documented. I recommend you to read documentation first before attempti= ng >>> to make changes. >>> >>> D=C5=88a po 16. 3. 2026, 11:48 sashabeton nap=C3= =ADsal(a): >>> >>>> Hi everyone, >>>> >>>> I'd like to propose a new native SegWit output type: Pay to Schnorr Ke= y >>>> Hash (P2SKH). >>>> >>>> =3D=3D The problem =3D=3D >>>> >>>> The two most relevant output types today each solve half the problem: >>>> - P2WPKH has a compact 22-byte scriptPubKey, but uses ECDSA and puts >>>> the full 33-byte compressed public key in the witness (~108 witness by= tes >>>> per input). >>>> - P2TR uses Schnorr signatures (64-byte witness), but embeds the full >>>> 32-byte x-only public key directly in the scriptPubKey, making outputs= 12 >>>> bytes larger than P2WPKH and exposing the key in every unspent output. >>>> >>>> Neither type achieves both a compact output and a compact witness >>>> simultaneously. >>>> >>>> =3D=3D The proposal =3D=3D >>>> >>>> P2SKH uses OP_2 as the scriptPubKey (22 bytes, same as >>>> P2WPKH). Spending requires a single 64-byte Schnorr signature. Verific= ation >>>> works by key recovery: given the signature (R, s) and the challenge e = =3D >>>> TaggedHash("P2SKH/challenge", R.x || hash160(P.x) || msg), the verifie= r >>>> recovers P =3D e^-1 * (s*G - R) and checks that hash160(P.x) matches t= he >>>> program. The sighash reuses the BIP341 transaction digest, so cross-ve= rsion >>>> replay is prevented by the scriptPubKey commitment. >>>> >>>> The result is the smallest combined footprint of any current single-ke= y >>>> output type =E2=80=94 a 22-byte output with a 64-byte witness =E2=80= =94 while keeping the >>>> public key off-chain until spending. >>>> >>>> =3D=3D Tradeoffs =3D=3D >>>> >>>> The key-recovery step costs roughly one extra field inversion and >>>> scalar multiplication compared to direct Schnorr verification. This is= the >>>> price of the 12-byte output size reduction. >>>> >>>> =3D=3D Open questions =3D=3D >>>> >>>> 1. BIP360 also claims witness version 2. If both proposals advance, on= e >>>> needs to move. Version 3 seems like a natural alternative for P2SKH. >>>> 2. Naming =E2=80=94 "P2SKH" follows the established pattern but "P2TRK= H" has >>>> been suggested to emphasise Schnorr/taproot lineage. Opinions welcome. >>>> >>>> Full draft: >>>> https://github.com/sashabeton/bips/blob/3cb9e07984b571e9510370ab7e7218= 620be580dc/p2skh.md >>>> PoC implementation: https://github.com/bitcoin/bitcoin/pull/34826 >>>> >>>> Thanks in advance for any feedback. >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "Bitcoin Development Mailing List" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to bitcoindev+...@googlegroups.com. >>>> To view this discussion visit >>>> https://groups.google.com/d/msgid/bitcoindev/3dcadd5d-702a-4e6c-ad6c-2= ddfe68ec73en%40googlegroups.com >>>> >>>> . >>>> >>> -- > You received this message because you are subscribed to the Google Groups > "Bitcoin Development Mailing List" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to bitcoindev+unsubscribe@googlegroups.com. > To view this discussion visit > https://groups.google.com/d/msgid/bitcoindev/9e030d1e-0eab-4463-948e-ef3e= c3c43b1bn%40googlegroups.com > > . > --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= CALkkCJZ0UgVGZ%3Du_Uq24E5L80KyEoysRS7ExphyajFe3oURcyw%40mail.gmail.com. --0000000000001b8594064d26474c Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Takes ton of engineering effort just to undermine the pri= vacy benefits of Taproot we've all been fighting for. Not worth it in m= y view.

If you want to optimiz= e transaction cost, focus on CISA instead. It has much greater potential th= an to save 12B per key. Just having two inputs in transaction already saves= 64B.

D=C5=88a po 16. 3. 2026, 16:45 sashabeton = <sashabeton2007@gmail.com> nap=C3=ADsal(a):
On scriptability and OP-code upgradeability: P2SKH is explicitly a sin= gle-key output type, the same as P2TR key-path spending. If you need Tapscr= ipt=C2=A0or OP-code upgradeability, you use P2TR. P2SKH targets the same us= e case as P2WPKH today: simple, high-volume payments where you have one key= and no script conditions. In that use case P2TR key-path spending offers n= o scriptability either =E2=80=94 this is not a new trade-off, it is the sam= e one Taproot already made.
On quantum = security: the broader quantum-resistance question is legitimate, but it app= lies equally to all of Bitcoin's current output types. A proper solutio= n requires a post-quantum signature scheme =E2=80=94 a new cryptographic as= sumption. Until such a scheme is designed, reviewed, and adopted by the net= work (a multi-year process), there is value in keeping the 20-byte hashed a= ddress format that wallets and users already know, while gaining Schnorr ef= ficiency. P2SKH offers exactly that bridge, without waiting for a problem t= he entire ecosystem has yet to solve.
On Monday, 16 March 2026 at 12:57:52 UTC= +1 Alex wrote:
You are= saving 12 bytes by removing all the scriptability, OP-code upgradeability = and basically locking yourself to a non-quantum-secure key spend path that = is only quantum secure if never spent? Or did I missunderstand?

m=C3=A5ndag 1= 6 mars 2026 kl. 12:25:57 UTC+1 skrev Martin Habov=C5=A1tiak:
Taproot specifical= ly did not do this for good reasons that are well documented. I recommend y= ou to read documentation first before attempting to make changes.

=
D=C5=88a p= o 16. 3. 2026, 11:48 sashabeton <sashabe.= ..@gmail.com> nap=C3=ADsal(a):
Hi everyone,

I'd like to propose a new native SegWit output= type: Pay to Schnorr Key Hash (P2SKH).

=3D=3D The problem =3D=3D
The two most relevant output types today each solve half the problem:<= br>- P2WPKH has a compact 22-byte scriptPubKey, but uses ECDSA and puts the= full 33-byte compressed public key in the witness (~108 witness bytes per = input).
- P2TR uses Schnorr signatures (64-byte witness), but embeds the= full 32-byte x-only public key directly in the scriptPubKey, making output= s 12 bytes larger than P2WPKH and exposing the key in every unspent output.=

Neither type achieves both a compact output and a compact witness s= imultaneously.

=3D=3D The proposal =3D=3D

P2SKH uses OP_2 <= ;hash160(P.x)> as the scriptPubKey (22 bytes, same as P2WPKH). Spending = requires a single 64-byte Schnorr signature. Verification works by key reco= very: given the signature (R, s) and the challenge e =3D TaggedHash("P= 2SKH/challenge", R.x || hash160(P.x) || msg), the verifier recovers P = =3D e^-1 * (s*G - R) and checks that hash160(P.x) matches the program. The = sighash reuses the BIP341 transaction digest, so cross-version replay is pr= evented by the scriptPubKey commitment.

The result is the smallest c= ombined footprint of any current single-key output type =E2=80=94 a 22-byte= output with a 64-byte witness =E2=80=94 while keeping the public key off-c= hain until spending.

=3D=3D Tradeoffs =3D=3D

The key-recovery= step costs roughly one extra field inversion and scalar multiplication com= pared to direct Schnorr verification. This is the price of the 12-byte outp= ut size reduction.

=3D=3D Open questions =3D=3D

1. BIP360 als= o claims witness version 2. If both proposals advance, one needs to move. V= ersion 3 seems like a natural alternative for P2SKH.
2. Naming =E2=80=94= "P2SKH" follows the established pattern but "P2TRKH" h= as been suggested to emphasise Schnorr/taproot lineage. Opinions welcome.
Full draft: https://github.com/sashabeton/bips/blob/3cb9e079= 84b571e9510370ab7e7218620be580dc/p2skh.md
PoC implementation: https://github.com/bitcoin/bitcoin/pull/3= 4826

Thanks in advance for any feedback.

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+...@googlegrou= ps.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/3dcadd5d-70= 2a-4e6c-ad6c-2ddfe68ec73en%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com.=
To view this discussion visit h= ttps://groups.google.com/d/msgid/bitcoindev/9e030d1e-0eab-4463-948e-ef3ec3c= 43b1bn%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoind= ev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/= msgid/bitcoindev/CALkkCJZ0UgVGZ%3Du_Uq24E5L80KyEoysRS7ExphyajFe3oURcyw%40ma= il.gmail.com.
--0000000000001b8594064d26474c--