From: Alex
To: Bitcoin Development Mailing List
Date: Mon, 16 Mar 2026 04:43:27 -0700 (PDT)
Subject: Re: [bitcoindev] [BIP proposal] Pay to Schnorr Key Hash (P2SKH)

You are saving 12 bytes by removing all the scriptability, OP-code upgradeability and basically locking yourself to a non-quantum-secure key spend path that is only quantum secure if never spent? Or did I misunderstand?

On Monday, 16 March 2026 at 12:25:57 UTC+1, Martin Habovštiak wrote:

> Taproot specifically did not do this for good reasons that are well
> documented. I recommend you to read documentation first before attempting
> to make changes.
>
> On Mon, 16 Mar 2026 at 11:48, sashabeton wrote:
>
>> Hi everyone,
>>
>> I'd like to propose a new native SegWit output type: Pay to Schnorr Key
>> Hash (P2SKH).
>>
>> == The problem ==
>>
>> The two most relevant output types today each solve half the problem:
>> - P2WPKH has a compact 22-byte scriptPubKey, but uses ECDSA and puts the
>>   full 33-byte compressed public key in the witness (~108 witness bytes
>>   per input).
>> - P2TR uses Schnorr signatures (64-byte witness), but embeds the full
>>   32-byte x-only public key directly in the scriptPubKey, making outputs
>>   12 bytes larger than P2WPKH and exposing the key in every unspent output.
>>
>> Neither type achieves both a compact output and a compact witness
>> simultaneously.
>>
>> == The proposal ==
>>
>> P2SKH uses OP_2 <hash160(P.x)> as the scriptPubKey (22 bytes, same as
>> P2WPKH). Spending requires a single 64-byte Schnorr signature. Verification
>> works by key recovery: given the signature (R, s) and the challenge e =
>> TaggedHash("P2SKH/challenge", R.x || hash160(P.x) || msg), the verifier
>> recovers P = e^-1 * (s*G - R) and checks that hash160(P.x) matches the
>> program. The sighash reuses the BIP341 transaction digest, so cross-version
>> replay is prevented by the scriptPubKey commitment.
>>
>> The result is the smallest combined footprint of any current single-key
>> output type — a 22-byte output with a 64-byte witness — while keeping the
>> public key off-chain until spending.
>>
>> == Tradeoffs ==
>>
>> The key-recovery step costs roughly one extra field inversion and scalar
>> multiplication compared to direct Schnorr verification. This is the price
>> of the 12-byte output size reduction.
>>
>> == Open questions ==
>>
>> 1. BIP360 also claims witness version 2. If both proposals advance, one
>>    needs to move. Version 3 seems like a natural alternative for P2SKH.
>> 2. Naming — "P2SKH" follows the established pattern but "P2TRKH" has been
>>    suggested to emphasise Schnorr/taproot lineage. Opinions welcome.
>>
>> Full draft:
>> https://github.com/sashabeton/bips/blob/3cb9e07984b571e9510370ab7e7218620be580dc/p2skh.md
>> PoC implementation: https://github.com/bitcoin/bitcoin/pull/34826
>>
>> Thanks in advance for any feedback.

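The key-recovery verification described in the quoted proposal, as an added Python sketch; it is not code from this thread, the draft BIP, or the PoC pull request. Assumptions: BIP340-style tagged hashes and even-Y lifting of R.x, signing as s = k + e*d, a demo nonce under the made-up tag "example/nonce", and a truncated double-SHA256 stand-in for hash160 (real hash160 is RIPEMD160(SHA256(x)), which hashlib does not always provide).

```python
import hashlib
# secp256k1: field prime p, group order n, generator G
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
b32 = lambda i: i.to_bytes(32, "big")
sha = lambda b: hashlib.sha256(b).digest()
tagged = lambda tag, data: sha(sha(tag.encode()) * 2 + data)  # BIP340 tagged hash
hash160 = lambda b: sha(sha(b))[:20]  # STAND-IN for RIPEMD160(SHA256(b)) (assumption)

def add(P, Q):  # affine point addition; None is the point at infinity
    if P is None or Q is None: return P or Q
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0: return None
    if P == Q: lam = 3 * P[0] * P[0] * pow(2 * P[1], -1, p)
    else: lam = (Q[1] - P[1]) * pow((Q[0] - P[0]) % p, -1, p)
    x = (lam * lam - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)

def mul(k, P):  # double-and-add (not constant time; illustration only)
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def lift_x(x):  # the even-Y curve point with this x, or None
    y2 = (pow(x, 3, p) + 7) % p
    y = pow(y2, (p + 1) // 4, p)
    if x >= p or y * y % p != y2: return None
    return (x, y if y % 2 == 0 else p - y)

def challenge(rx, program, msg):  # e commits to the 20-byte program, not to P
    return int.from_bytes(tagged("P2SKH/challenge", b32(rx) + program + msg), "big") % n

def sign(d, msg):  # returns (program, 64-byte signature R.x || s)
    program = hash160(b32(mul(d, G)[0]))
    k = int.from_bytes(tagged("example/nonce", b32(d) + msg), "big") % n  # demo nonce
    if mul(k, G)[1] % 2: k = n - k  # force even-Y R so R.x alone identifies it
    rx = mul(k, G)[0]
    return program, b32(rx) + b32((k + challenge(rx, program, msg) * d) % n)

def verify(program, msg, sig):
    if len(sig) != 64: return False
    rx, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    R, e = lift_x(rx), challenge(rx, program, msg)
    if R is None or s >= n or e == 0: return False
    P = mul(pow(e, -1, n), add(mul(s, G), (R[0], p - R[1])))  # P = e^-1 * (s*G - R)
    return P is not None and hash160(b32(P[0])) == program
```

Recovery always yields some point for a well-formed (R, s), so the hash comparison on the last line is the only thing that rejects a wrong message, signature, or program.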