Documentation

Transaction Structure

Overview

P2TR transactions can be spent using either the key path or the script path, each with different witness structures.

Key Path Spend

Key path spending is the simplest and most efficient way to spend a P2TR output. It requires only a single Schnorr signature created with the tweaked private key.

The following diagram shows the key path spend structure:
P2TR Key Path Spend OP_1 0x51 (v1) OP_PUSHBYTES_32 0x20 Tweaked Output Key (Q) 32 bytes (x-only pubkey) | witness Schnorr Signature 64 bytes (or 65 with non-default sighash)

Script Path Spend

Script path spending allows funds to be spent by satisfying a script committed in the Merkle tree. This method is used when key path spending is not possible or when alternative spending conditions must be exercised, such as timelocks, recovery paths, or fallback multisig arrangements. A script path spend requires the witness to include the script inputs, the script itself, and a control block containing the internal public key and Merkle proof.

The following diagram shows the script path spend structure:
P2TR Script Path Spend OP_1 0x51 (v1) OP_PUSHBYTES_32 0x20 Tweaked Key (Q) 32 bytes | witness Script Inputs variable Script variable Control Block 33+ bytes (leaf version + internal key + proof)

Output (Locking Script - ScriptPubKey)

The ScriptPubKey for P2TR consists of the witness version and the 32-byte tweaked public key.

The following code shows a typical P2TR ScriptPubKey script:
plaintext
OP_1                                                                # Indicates witness version 1.
OP_PUSHBYTES_32                                                     # Pushes the next 32 bytes onto the stack.
a5b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f7a8b9c0d1e2f3a4   # Tweaked public key.

# Hex value: 5120a5b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f7a8b9c0d1e2f3a4
Remember!

The ScriptPubKey for P2TR is identical regardless of whether the address will be spent via key path or script path. The differentiation occurs at spend time by examining the witness data.

Input (Unlocking Script - ScriptSig)

For native P2TR, the ScriptSig is empty.

All signature and script data is stored in the witness field.

Witness Data

For detailed information about witness data structure, refer to the P2TR MAST - Merklized Alternative Script Trees.

Key Path Spend

For a key path spend, the witness contains only the Schnorr signature.

Script Path Spend

For a script path spend, the witness contains the script inputs, the script itself, and the control block.

Script Execution

For detailed information about script verification and spending path, refer to the P2TR MAST - Merklized Alternative Script Trees.

Key Path

The following diagram shows the execution stack for a key path spend:
P2TR Key Path Verification Witness Input Schnorr Verify sig against Q + sighash Result Final <signature> 64 bytes top <signature> 64 bytes <Q> from scriptPubKey <sighash> from tx context top 1 top

When validating a P2TR key path spend, the following steps are executed:

  1. Witness Version Detection
    The node recognizes witness version 1 with a 32 bytes program in the ScriptPubKey, triggering P2TR validation rules.
  2. Check Witness Structure
    For key path, the witness contains exactly one item (the signature).
  3. Push Signature
    The 64 bytes Schnorr signature is pushed from the witness data.
  4. Push Tweaked Public Key
    The 32 bytes tweaked public key from the ScriptPubKey is pushed onto the stack.
  5. Verify Schnorr Signature
    The signature is verified against the tweaked public key and transaction data using BIP340 Schnorr verification.
  6. Result
    If verification succeeds, the transaction is valid and the funds are unlocked.

Script Path

The following diagram shows the execution stack for a script path spend:
P2TR Script Path Verification Phase 1: Verify Script Commitment Phase 2: Execute Script Witness Input Compute Merkle Root Verify Q' = Q Execute Script Result Final <script inputs> e.g. signature <script> raw bytes <control block> P + merkle path top TapLeaf(script) computed <siblings> from control block <merkle root> computed top <P> from control block Q' = P + t·G computed Q' == Q script is valid top <script inputs> on stack <script> executing... top 1 top

When validating a P2TR script path spend, additional steps are required:

  1. Witness Version Detection
    The node recognizes witness version 1 with a 32 bytes program, triggering P2TR validation rules.
  2. Check Witness Structure
    For script path, the witness contains more than one item. The last item is the control block, the second-to-last is the script.
  3. Parse Control Block
    Extract the leaf version, parity bit, internal public key, and Merkle proof from the control block.
  4. Compute Script Leaf Hash
    Hash the script with the leaf version using tagged hashing.
  5. Verify Merkle Proof
    Compute the Merkle root from the script leaf hash and the proof, then verify the tweaked public key matches.
  6. Execute Script
    Run the revealed script with the remaining witness items as inputs.
  7. Result
    If script execution succeeds with a true result, the transaction is valid.
On this page