List of script types
You are most likely aware of the different address prefixes bitcoin can take on, ones beginning with "1", "3", and "bc1", but did you know under each of these are different scripts responsible for locking and unlocking outputs in those addresses? In this topic I hope to help you understand the four different script types, P2PKH, P2SH, P2WSH and P2WPKH and which ones are used for each address.
Scriptsig, Scriptpub, and redeem scriptsCredits to pooya87 for some of the information here.
But before I cover the script types I want to explain how scripts move around bitcoins. For each transaction, there is a script that unlocks the outputs of previous transactions which we call the signature script or
scriptsig, and there is also another script that locks the inputs of the current transaction, called public script or
scriptpub. So again, scriptsigs unlock outputs, and scriptpubs lock inputs. Some types of scriptpubs have the hash of a redeem script inside them and that redeem script is responsible for locking the coins in the inputs, hence the name
redeem script (this script locks inputs, for which a signature is required to redeem them). Inside code you will see scriptpub and scriptsig referred to as scriptPubKey and scriptSig.
Originally in this thread I referred to them as locking and unlocking scripts, but now that this section is here I think it's better I refer them by their actual names
P2PKH - Pay to Public Key HashThis has been around since Bitcoin's beginnings. It is used in addresses beginning with
"1", legacy addresses. The scriptpub for P2PKH is
OP_DUP OP_HASH160 <public key hash> OP_EQUALVERIFY OP_CHECKSIG
The scriptsig for this is simply the transaction signature and then the public key of the address.
What the opcodes doGood question. It's always handy to know how your transactions work. You can skip this if you're new or don't want to learn the opcodes.
- OP_DUP duplicates the public key.
- OP_HASH160 hashes the duplicated public key with SHA256 then RIPEMD160.
- OP_EQUALVERIFY compares the result of OP_HASH160 and the public key hash given before the opcode.
If they aren't equal, the transaction is marked as invalid.- OP_CHECKSIG generates a hash from the inputs, outputs and script and compares it to the signature and public key in the unlocking script for verification. If it doesn't verify then the transaction is invalid.
P2PK - Pay to Public KeyThe oldest, and also an uncommon, bitcoin script. It was used to make transactions with the public keys themselves instead of their hashes. Because the public keys are not hashed, transactions done with this script have
no associated address, only a public key. This resulted in transactions being unnecessarily large. P2PK scriptpubs and scriptsigs look like this:
It only verifies the signature, without doing any hashing.
P2SH - Pay to Script HashThis script was introduced in 2012 with BIP16. It enables you to create locking scripts that can be unlocked with a condition other than signature verification. OP_CHECKSIG is not used in P2SH addresses. P2SH scripts are used in bitcoin addresses beginning with a
"3".
Here are the scriptpubs and scriptsigs for P2SH:
OP_HASH160 <redeem script hash> OP_EQUAL
<signature> <redeem script signature>
This script doesn't look interesting by itself and that's because all of the locking is done inside the redeem script. The redeem script can have anything inside.
Custom scripts are beyond the scope of this guide so let's look at one of the standard scripts that can be wrapped inside a P2SH script.
P2MS - Pay to MultisigThis script makes an M-of-N transaction, that has N public keys of with M of those must sign the transaction to be valid. It was introduced in 2011 with BIP11. This script can be used by itself but it's usually wrapped inside P2SH scripts.
These are its scriptpubs and scriptsigs. They correspond to the redeem script hash and signature I mentioned above, though by no means is the redeem script required to be P2MS, it can be any custom script.
Suppose you want a 1-of-2 multisig with 2 public keys that 1 of them is required to sign. Then M=1 and N=2.
OP_1 <two public keys> OP_2 OP_CHECKMULTISIG
The first opcode in the scriptpub is M, the second opcode is for N, and OP_CHECKMULTISIG attempts to verify each signature, one at a time, with the N public keys and the script hash. If one signature doesn't verify against the public key the next public key is tried. As soon as a signature is verified it begins verifying the next one. In the scriptsig there should be M signatures.
In the scriptsig there is OP_0. We need it because OP_CHECKMULTISIG has a bug that makes it pop an extra value from the stack, so there needs to be a dummy value at the top of the scriptsig so that it gets popped.
P2WSH - Pay to Witness Script HashThis script type is almost similar to P2SH. The only difference between the two is that P2WSH transactions use SegWit, which stands for Segregated Witness. The reason it's named that is because Segwit removes the scriptsig from the transaction and stores the hash of the redeem script in the scriptpub area instead of storing the entire redeem script. This makes the scriptpub more compact. You can see an example of a P2WSH having no scriptsig at
Bitcoin Programming's azure page.
So the scriptpub changes from
OP_HASH160 <public key> OP_EQUAL
To:
And there is no scriptsig transmitted. 0 refers to the witness version, which is at version 0 right now so that is what should be the first value.
Nodes that don't have Segwit support interpret the above script to be two stack pushes. This has the side effect of them automatically reading them as valid transactions without checking any signatures. You might think this is an issue, because they are interpreting any transaction as valid. Actually it isn't an issue because only the newer nodes can create P2WSH transactions and they validate them in the usual way.
Addresses that use P2WSH have a
"3" in front of them.
P2WPKH - Pay to Witness Public Key HashJust like P2SH/P2WSH, this script is similar to P2PKH except it uses Segwit as well. It also removes the scriptsig and condenses the scriptpub to a number and a redeem script hash, so scriptpubs for P2WPKH now change from
OP_DUP OP_HASH160 <public key hash> OP_EQUALVERIFY OP_CHECKSIG
To
Notice this script looks the same as the one for P2WSH, the same notices I mentioned for P2WSH also apply to P2WPKH scripts. Also, only Segwit nodes can make P2WPKH transactions.
Addresses that use P2WPKH have
"bc1" in front of them. It is different from P2WSH because bc1 addresses use the bech32 address format which in turn uses P2WPKH scripts.
Material was gathered, and not quoted, from the following sources, in order of their use in this thread:
https://bitcoincore.org/en/segwit_wallet_dev/https://learnmeabitcoin.com/technical/p2pkhhttps://learnmeabitcoin.com/technical/p2pkhttps://learnmeabitcoin.com/technical/p2mshttps://learnmeabitcoin.com/technical/p2shhttps://programmingblockchain.gitbook.io/programmingblockchain/other_types_of_ownership/p2wsh_pay_to_witness_script_hashhttps://programmingblockchain.gitbook.io/programmingblockchain/other_types_of_ownership/p2wpkh_pay_to_witness_public_key_hash
Changelog:2020-08-28: Fix incorrect statements and add section about sigscript and scriptpub
