P2SH (Pay To Script Hash) Explained
Last Updated: 1st November 2018
A Bitcoin address is a string of alphanumerical characters that a user can distribute to anyone who wishes to send them money. Bitcoin addresses can come in different formats, with common ones being: Pay-to-PubKeyHash (P2PKH) and Pay-to-ScriptHash (P2SH). Although anyone can send bitcoins to any given Bitcoin address, those funds can only be spent if they fulfill certain requirements laid out by Bitcoin’s scripting system. A script is effectively a list of recorded instructions that accompany each executed transaction; the script governs how the next person wanting to spend the sent bitcoins can gain access to them. Scripts accompanying outputs in transactions are called PubKey Scripts (they are also known as locking scripts), which are known in code as scriptPubKey. Recipients of the sent bitcoins will then generate a signature script (also known as an unlocking script), which is a collection of data parameters that are generated by the spender which is used to satisfy a PubKey Script. Signature scripts are called scriptSig in code.
For example, when Alice decides to initiate a transaction with Bob, the output contains an amount of bitcoins that is spendable on condition that the instructions laid out by the attached PubKey Script are satisfied. Once this transaction is broadcasted and added to the blockchain, the network will categorize the transaction as an Unspent Transaction Output (UTXO), and Bob’s wallet software will recognize it as being a spendable balance. When Bob decides to spend this UTXO he will create an input that includes a signature script that must satisfy the conditions that Alice placed in the previous output’s PubKey Script.
Traditional Bitcoin addresses (the P2PKH address format) begin with the number 1 and can resemble the following:
In a P2PKH output, instructions contained within the PubKey Script include:
- A public key hash
- A private key signature, in order to prove ownership of the private key that corresponds to the public key hash just provided
An owner of a P2PKH address can only unlock the PubKey Script, and spend sent funds, by providing a public key hash and a private key signature.
P2SH bitcoin address formats begin with the number 3, and can resemble the following:
P2SH was introduced in Bitcoin Improvement Proposal 16 (BIP 16) by Gavin Andresen, and it resulted in a new ‘standard’ transaction type for the Bitcoin scripting system. The purpose of P2SH, according to Andresen: ‘Is to move the responsibility for supplying the conditions to redeem a transaction from the sender of the funds to the redeemer’.
With P2SH transactions, the locking script is replaced with a redeem script hash. This hash derives from a redeem script, which functions similarly to the PubKey Script in that it too also contains conditions that must be satisfied before the output can be spent. When a transaction attempting to spend the UTXO is later initiated, the input must contain the PubKey Script (that contains the redeem script hash) and the unlocking script. In P2SH transactions, the script that houses the conditions for spending the output, which is the redeem script, is not presented in the locking script. Instead, only the hash (the redeem script hash) is included in the locking script, the redeem script itself is presented as part of the unlocking script when the output is spent. This has the effect of, as Andresen noted in BIP 16, of moving the responsibility for supplying the conditions to redeem a transaction from the sender of the funds to the redeemer.
In the example above, Bob generates a redeem script, hashes the redeem script to produce the redeem script hash, and provides the hash to Alice. Alice can now then create a P2SH-style output containing Bob’s redeem script hash.
The P2SH transaction type produces a number of advantages, such as:
- The sender can fund any arbitrary redeem script without knowing what the spending conditions attached to the script are. This is an appropriate result, because the sender of the transaction does not care how sent funds will be spent in the future. This is an issue for the recipient, who does care about conditions for further spending.
- Reduced transaction fee for the sender of the funds. Transaction fees are directly proportional to the size of a transaction, and a cryptographic hash of a fixed length allows the sender to send funds to any arbitrary redeem script without worrying about paying higher fees. It is the recipient’s responsibility to determine how large their spending transaction will be and how much it will cost, as they have to include the redeem script in order to spend funds. In other words, the burden of constructing the script and bearing the transaction fee of a long script is shifted to the recipient.
A common implementation of the P2SH function is the multi-signature address script. This script requires that a transaction possess more than one digital signature in order to prove ownership, and by extension spend funds.