Documentation
Introduction to P2WSH (Pay-To-Witness-Script-Hash)
Overview
P2WSH (Pay-to-Witness-Script-Hash) is a native Segregated Witness address format introduced in BIP141 that combines the flexibility of P2SH with the benefits of SegWit. These addresses begin with bc1q on mainnet (similar to P2WPKH but longer) and enable complex spending conditions with reduced fees, increased script size limits, and transaction malleability protection.
How It Works
P2WSH addresses are derived from a witness script through the following process:
- Create a witness script defining the spending conditions (e.g., multisig, timelock, or custom logic).
- Apply SHA-256 hashing to the witness script, producing a 256-bit hash (32 bytes).
- Create a witness program by combining witness version 0 with the 32-byte script hash.
- Encode the witness program using Bech32 encoding with the appropriate human-readable prefix.
P2WSH vs P2SH
Unlike P2SH which uses HASH160 (SHA-256 + RIPEMD-160) to produce a 20-byte hash, P2WSH uses only SHA-256 to produce a 32-byte hash. This provides stronger collision resistance (256-bit vs 160-bit) and allows for more secure complex scripts.
| Feature | P2SH | P2WSH |
|---|---|---|
| Hash Algorithm | HASH160 (SHA-256 + RIPEMD-160) | SHA-256 only |
| Hash Size | 20 bytes (160-bit) | 32 bytes (256-bit) |
| Script Size Limit | 520 bytes | 10,000 bytes |
| Encoding | Base58Check | Bech32 |
| Address Prefix (Mainnet) | 3 | bc1q |
| Script/Signature Location | ScriptSig | Witness data |
| SegWit Fee Discount | No | Yes (witness data at 1/4 weight) |
| Malleability Protection | No | Yes |
Witness Scripts
The witness script defines the actual spending conditions, similar to a P2SH redeem script.
Common witness script types include:
Multisig (M-of-N)
Requires M signatures from N possible public keys.
OP_2
<pubkey1>
<pubkey2>
<pubkey3>
OP_3
OP_CHECKMULTISIGTimelock
Funds can only be spent after a specific time or block height.
<expiry_time>
OP_CHECKLOCKTIMEVERIFY
OP_DROP
<pubkey>
OP_CHECKSIGComplex Conditional Scripts
P2WSH's larger script limit enables more sophisticated conditions.
OP_IF
OP_2
<pubkey1>
<pubkey2>
<pubkey3>
OP_3
OP_CHECKMULTISIG
OP_ELSE
<timeout>
OP_CHECKSEQUENCEVERIFY
OP_DROP
<recovery_pubkey>
OP_CHECKSIG
OP_ENDIFSecurity Considerations
P2WSH provides enhanced security compared to P2SH through its use of a full 256-bit SHA-256 hash. This offers significantly stronger collision resistance—finding two different scripts that produce the same hash is computationally infeasible.
The spending conditions remain hidden until the funds are spent, similar to P2SH. However, once spent, the full witness script is revealed on the blockchain. For maximum privacy, consider using Taproot (P2TR) which can hide unused script branches permanently.
P2WSH inherits SegWit's transaction malleability fix. Since signatures are stored in the witness data (which is not included in the transaction ID calculation), third parties cannot modify transaction IDs. This is crucial for protocols that depend on unconfirmed transaction chains.
The increased script size limit (10,000 bytes vs 520 bytes for P2SH) enables more complex spending conditions but also requires careful script design to avoid excessive transaction fees.
Address Format
P2WSH addresses use Bech32 encoding with a 32-byte witness program:
- Mainnet — Addresses start with bc1q .
- Testnet — Addresses start with tb1q.
- Regtest — Addresses start with bcrt1q.