Documentation

Introduction (Experimental)

Overview

Bitcoin makes arbitrary authenticated data inclusion expensive unless you exploit the SegWit witness discount, where every witness byte weighs 1 unit instead of 4. P2WDA is a spend template that deliberately carries authenticated application data in witness stack items and then drops them before a standard signature check. This preserves standard Bitcoin validation while letting applications verify the attached data out-of-band.

In this implementation, the witness stack reserves 10 data slots per P2WDA input, each ≤ 80 bytes to respect default relay policy. The data (after compression) is prefixed by a BIP340 Schnorr signature over >(tx_signature || uncompressed_data), then split across those slots. Applications reassemble and verify the signed data, making any miner tampering detectable. On-chain validation remains standard and cheap thanks to the witness discount.

Problem Space

The Traditional Dilemma

OP_RETURN is simple but tiny: 80 bytes max per output under standard policy. Anything larger forces many outputs and multiple transactions, compounding base (non-witness) bytes that weigh 4× witness bytes. For realistic payloads (airdrops, rich metadata), this is cost-prohibitive.

Importantly, even if OP_RETURN size limits were completely removed, it would not solve the fundamental economic problem. OP_RETURN data is stored in the transaction's output section, which means every byte counts as non-witness data and incurs the full 4× weight penalty. A hypothetical uncapped OP_RETURN storing 800 bytes would cost 3,200 weight units, while P2WDA achieves the same data storage for only 800 weight units in the witness section. The economic disadvantage of OP_RETURN is architectural, not merely a policy limitation.

Commit-reveal styles fix integrity but double touches the chain (commit tx, reveal tx) and fragment UX.

The Witness Discount Opportunity

SegWit introduced weight: non-witness bytes weigh 4 units each; witness bytes weigh 1. Fees are proportional to weight (vbytes ≈ weight/4). Packing authenticated data into witness can be ˜75% cheaper than encoding the same data in base tx bytes.

Security Considerations

The security model separates on-chain authorization from off-chain data authentication:

  • On-chain authorization: The transaction signature proves spend authorization exactly like any P2WSH single-sig spend.
  • Off-chain authorship: The Schnorr signature authenticates the data and binds it to this spend via the transaction signature.
  • Malleability handling: SegWit allows witness data modification without changing the txid. The Schnorr signature ensures any tampering is detectable.

Practical outcomes:

  • Funds cannot be redirected (protected by transaction signature).
  • Data forgery is detectable at the application layer (Schnorr signature fails).
  • Miners could theoretically replace data with garbage, but applications will reject it.
On this page