Introduction to P2TR (Pay-to-Taproot)
Overview
P2TR (Pay-to-Taproot) is the newest Bitcoin address format, introduced in BIP341 as part of the Taproot upgrade. These addresses begin with bc1p on mainnet and represent a significant advancement in Bitcoin's scripting capabilities. P2TR combines Schnorr signatures with Merklized Alternative Script Trees (MAST) to enable more efficient, private, and flexible transactions.
How It Works
P2TR addresses are based on a tweaked public key, which can represent either a single key or a commitment to a tree of scripts. The derivation process involves:
- Generate a public key from the private key using elliptic curve multiplication.
- Optionally, create a Merkle tree of alternative spending scripts (MAST).
- Compute a tweak value as a tagged hash of the public key and the Merkle root (if scripts exist), or of the public key alone.
- Apply the tweak to the public key to produce the tweaked public key.
- Encode the witness version (1) and the tweaked public key using Bech32m encoding.
The tweaked public key serves dual purposes: it can be spent directly using a Schnorr signature (key path) or by revealing a script from the Merkle tree (script path). This flexibility enables complex spending conditions while maintaining privacy when simpler key-path spending is used.
Schnorr Signatures
P2TR uses Schnorr signatures instead of ECDSA, providing several benefits:
- Linearity: Schnorr signatures can be aggregated, enabling multiple signatures to be combined into a single signature.
- Smaller Size: Schnorr signatures are 64 bytes compared to 71-72 bytes for DER-encoded ECDSA signatures.
- Provable Security: Schnorr signatures have a formal security proof under the random oracle model.
- Non-Malleability: Schnorr signatures cannot be modified without invalidating them.
Merklized Alternative Script Trees (MAST)
MAST enables multiple spending conditions to be committed to a single address without revealing unused conditions:
- Privacy: Only the executed script path is revealed; alternative paths remain hidden.
- Efficiency: Complex contracts with many conditions only reveal the relevant branch when spending.
- Flexibility: Supports sophisticated spending conditions like timelocks, multisig variations, and fallback paths.
Each leaf in the Merkle tree represents a different spending condition. When spending via a script path, only the executed script and its Merkle proof are revealed.
Security Considerations
P2TR provides enhanced privacy compared to previous address types. Key-path spends are indistinguishable from single-signature transactions, regardless of whether the address represents a single key, multisig, or complex script. This uniformity makes blockchain analysis more difficult.
The tweaked public key approach ensures that knowing the internal public key alone is not enough to spend: a spender still needs either the private key or a valid script path.
As with other address types, the public key (in this case, the tweaked public key) is only revealed when spending.
Address Format
P2TR addresses use Bech32m encoding, an updated version of Bech32 introduced in BIP350 to address a weakness in the original encoding for witness versions 1 and higher:
- Improved Error Detection: Bech32m corrects a mutation weakness in the original Bech32 for longer data.
- Witness Version 1: The p following bc1 indicates witness version 1, distinguishing it from version 0 (P2WPKH/P2WSH).
- 32-Byte Program: The witness program is the 32-byte tweaked public key.
P2TR addresses are identifiable by their prefix:
- Mainnet: Addresses start with bc1p.
- Testnet: Addresses start with tb1p.
- Regtest: Addresses start with bcrt1p.
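The format rules above, as an added example that is not part of the original page: a strict P2TR address parser that accepts an address only if it has a known network prefix, a valid Bech32m checksum, witness version 1 and a 32-byte program. The function and variable names are chosen for this example, and the sample address is the witness version 1 test vector from BIP350.

```python
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
BECH32M_CONST = 0x2BC830A3  # BIP350 checksum constant (original Bech32 uses 1)
NETWORKS = {"bc": "mainnet", "tb": "testnet", "bcrt": "regtest"}
# Sample input: witness v1 test vector from BIP350 (not an address from this page).
SAMPLE = "bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqzk5jj0"

def polymod(values):
    """BCH checksum polynomial shared by Bech32 and Bech32m."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(GEN):
            if (top >> i) & 1:
                chk ^= g
    return chk

def parse_p2tr(addr):
    """Return (network, 32-byte tweaked key); raise ValueError otherwise."""
    if addr != addr.lower() and addr != addr.upper():
        raise ValueError("mixed-case address")
    hrp, sep, body = addr.lower().rpartition("1")
    if not sep or hrp not in NETWORKS:
        raise ValueError("unknown network prefix")
    if len(body) < 7 or any(c not in CHARSET for c in body):
        raise ValueError("invalid data part")
    data = [CHARSET.index(c) for c in body]
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    if polymod(hrp_exp + data) != BECH32M_CONST:
        raise ValueError("bad Bech32m checksum")
    if data[0] != 1:
        raise ValueError("not witness version 1")
    # Regroup the 5-bit symbols (minus version and checksum) into bytes.
    acc = bits = 0
    program = bytearray()
    for v in data[1:-6]:
        acc, bits = (acc << 5) | v, bits + 5
        if bits >= 8:
            bits -= 8
            program.append((acc >> bits) & 0xFF)
    if bits >= 5 or acc & ((1 << bits) - 1):
        raise ValueError("invalid padding")
    if len(program) != 32:
        raise ValueError("witness program is not 32 bytes")
    return NETWORKS[hrp], bytes(program)

if __name__ == "__main__":
    print(parse_p2tr(SAMPLE))
```

An address that carries witness version 1 but the original Bech32 checksum fails the checksum comparison and is rejected, which is the behavior BIP350 requires.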