Thursday, March 12, 2026

taproot – When — and why — did Bitcoin Script shift to a commit–reveal construction?

There is a key distinction between P2PKH and P2SH (and SegWit, Taproot).
P2PKH is still using the “naked” Script. It’s a user-implemented commit-reveal, not a modification of the Script VM system. P2PKH was there right from the beginning (the first P2PKH UTXO appeared on Jan 16 2009): How did pay-to-pubkey hash come about? What’s its history?

Looks like the intention was simply to reduce the size of addresses, quoting Satoshi:

To make Bitcoin Addresses short, they’re a hash of the public key, not the public key itself. An attacker would only have to break the hash function, not ECDSA.

It is interesting that nobody in that correspondence mentioned post-quantum security, and they seemed to be more concerned about breaking the 160-bit hash with classical attacks. Turns out, even 160-bit P2PKH addresses are probably safe at rest: Post-quantum preimage resistance of HASH160 addresses, and collision isn’t really a problem when the sole owner of an address would be holding both pubkeys. Collision resistance matters for multi-party P2SH addresses:

If you are agreeing to lock up funds with somebody else, and they control what public key to use, you are susceptible to collision attacks.


P2SH and others are consensus-implemented commit-reveals which modify Script evaluation. P2SH execution has 2 stages: script authentication (1st VM run: it’s just a hashlock in that context) and execution (2nd VM run: consensus “hacks” the VM state to set up the redeem script execution context). More on this here.
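As an added illustration, not part of the original answer, here is a toy Python model of the two-run P2SH evaluation described above. It assumes a minimal opcode set (OP_SHA256, OP_HASH160, OP_EQUAL), a constructed hash-preimage redeem script as the sample contract, and a 20-byte stand-in digest only where the local OpenSSL lacks RIPEMD-160.

```python
import hashlib

OPCODES = {"OP_EQUAL": 0x87, "OP_SHA256": 0xA8, "OP_HASH160": 0xA9}  # real Script byte values
OPNAMES = {v: k for k, v in OPCODES.items()}

def hash160(data: bytes) -> bytes:  # RIPEMD160(SHA256(x)): the 20-byte P2PKH/P2SH commitment
    sha = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:  # OpenSSL built without ripemd160: 20-byte stand-in digest (assumption)
        return hashlib.sha256(sha).digest()[:20]

def serialize(script) -> bytes:  # push = 1-byte length (max 75, as in Bitcoin) + data
    return b"".join(bytes([len(i)]) + i if isinstance(i, bytes) else bytes([OPCODES[i]])
                    for i in script)

def parse(raw: bytes) -> list:  # inverse of serialize()
    script, i = [], 0
    while i < len(raw):
        b, i = raw[i], i + 1
        if b in OPNAMES: script.append(OPNAMES[b])
        else: script.append(raw[i:i + b]); i += b
    return script

def run(script, stack) -> bool:  # minimal Script VM: True if a truthy item is left on top
    for item in script:
        if isinstance(item, bytes): stack.append(item)
        elif item == "OP_SHA256": stack.append(hashlib.sha256(stack.pop()).digest())
        elif item == "OP_HASH160": stack.append(hash160(stack.pop()))
        else: stack.append(b"\x01" if stack.pop() == stack.pop() else b"")  # OP_EQUAL
    return bool(stack) and stack[-1] != b""

def p2sh_output(redeem) -> list:  # scriptPubKey: OP_HASH160 <hash160(redeemScript)> OP_EQUAL
    return ["OP_HASH160", hash160(serialize(redeem)), "OP_EQUAL"]

def verify_p2sh_spend(script_sig, script_pubkey) -> bool:
    # Run 1: scriptSig, then scriptPubKey, i.e. a plain hashlock on the revealed script.
    # Run 2 (BIP-16): restore the post-scriptSig stack, pop the serialized redeem script,
    # deserialize it and execute it against the remaining stack items.
    try:
        stack = []
        if not run(script_sig, stack) or not run(script_pubkey, list(stack)):
            return False
        return run(parse(stack.pop()), stack)
    except (IndexError, KeyError):
        return False

# Constructed sample: a hash-preimage contract committed as P2SH and revealed on spend.
SECRET = b"constructed preimage"
REDEEM = ["OP_SHA256", hashlib.sha256(SECRET).digest(), "OP_EQUAL"]
SPK = p2sh_output(REDEEM)  # only 20 bytes on chain: the contract is secret until spent
def good_spend() -> bool: return verify_p2sh_spend([SECRET, serialize(REDEEM)], SPK)
def wrong_preimage() -> bool: return verify_p2sh_spend([b"guess", serialize(REDEEM)], SPK)
def wrong_script() -> bool: return verify_p2sh_spend([b"x", serialize([b"\x01"])], SPK)
```

`wrong_script` shows the first run doing its job: a permissive script that would pass the second run is rejected because its hash does not match the commitment.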

Why did things go this way? Reading the P2SH proposal (BIP-0016) we can see that the main motivation was simplifying UX when funding contracts.

The purpose of pay-to-script-hash is to move the responsibility for supplying the conditions to redeem a transaction from the sender of the funds to the redeemer.

The benefit is allowing a sender to fund any arbitrary transaction, no matter how complicated, using a fixed-length 20-byte hash that’s short enough to scan from a QR code or easily copied and pasted.

The author believes that this BIP will minimize the changes needed to all the supporting infrastructure that has already been created to send funds to base58-encoded-20-byte bitcoin addresses, allowing merchants and exchanges and other software to start supporting multisignature transactions sooner.


Since then, Bitcoin (BTC) locked in the “thou shall not hard fork” upgrade philosophy, which heavily influenced the design of later upgrades – where all of them had to be designed as soft forks, leading to the VM-ception created by SegWit and Taproot.

It is interesting to compare Script evolution with its forked sibling (Bitcoin Cash, BCH), which upgrades through hard forks and has since introduced “check signature from stack”, TX introspection opcodes, persistent contract state (through native tokens), VM loops, functions, etc. which enabled public “anyonecanspend” contracts: instead of requiring a signature, the contract requires the spender to construct the TX in a particular way that satisfies the contract requirements.

Turns out, P2SH complicates these, because P2SH contracts are secret until spent, which conflicts with the “public use” nature of contracts like DEX AMM UTXOs etc. because they become harder to discover. They need to either use a constant address, or they need to announce contract parameters in some OP_RETURN, so spenders can reconstruct the redeem script.

Because of this, the May 2026 upgrade will be removing “standardness” relay rules, so such contracts can be made as “naked” pay-to-script instead of P2SH.

P2S can work well today because the UX for DeFi applications is different from the old “send to address”. With dapps you don’t pay to an address. Typically, you access some frontend which finds the right UTXOs and constructs the right outputs for the user, and the user signs just his input via WalletConnect or similar.
