Bitcoin Pay-to-Script-Hash: How P2SH Works

How Bitcoin's Pay-to-Script-Hash Hides Contract Complexity Until Spending Time

You're the accountant at a small company. Someone needs to pay the firm's bitcoin treasury. They message you asking for the address. You send a string starting with `3`. They paste it in, hit send, done. They have no idea that behind that address sit five public keys, three of which must sign before a single satoshi moves. They don't need to know. That was never their problem.

That's Pay-to-Script-Hash in one paragraph. The mechanism underneath it, though, is genuinely clever, and understanding it changes how you think about what a Bitcoin address actually is.

A Hash Is a Promise

Before P2SH (defined in BIP 16, activated on Bitcoin's mainnet in April 2012), sending funds to a multisig script meant the sender had to include the entire redeem script in the transaction output. A standard 2-of-3 multisig script runs to roughly 200 bytes. A 3-of-5 pushes past 300 bytes. Every byte in an output costs the sender fees and bloats the UTXO set, which every full node must store in memory indefinitely.

Worse: the sender had to construct that script correctly. One transposed byte in a public key and the funds are gone.

P2SH flips the burden. The recipient writes the spending conditions, hashes them, and hands the sender only that hash. The full script stays off-chain until the moment someone actually spends the coins.

The hash is a promise: "I know a script that hashes to this value, and when I want to spend, I'll prove it."

The Exact Mechanics, Step by Step

Here's the worked example worth keeping.

Alice runs a two-person partnership with Bob. They want a 2-of-2 multisig: both must sign every payment out. They construct the redeem script:

``` OP_2 <Alice_pubkey> <Bob_pubkey> OP_2 OP_CHECKMULTISIG ```

This is the redeemScript. It encodes the actual spending rule. They serialize it, run SHA-256 then RIPEMD-160 over the result (the same double-hash used for standard addresses), and get a 20-byte digest. Call it `H`.

The output script written into the blockchain is tiny:

``` OP_HASH160 <H> OP_EQUAL ```

Twenty bytes plus opcodes. Not 200. The UTXO set stores this compact commitment, and every node on the network holds it in RAM, waiting.

When Alice and Bob want to spend, they broadcast a transaction whose input scriptSig looks like this:

``` OP_0 <Alice_sig> <Bob_sig> <redeemScript> ```

The network does two things. First, it checks that `HASH160(redeemScript) == H`. Second, it executes the redeemScript itself against the provided signatures. Both checks must pass. If Alice accidentally provides the wrong redeemScript, the hash won't match and the transaction is invalid before a single signature is even examined.

This two-phase validation is the core insight. The output locks to a hash. The input unlocks by revealing the preimage and satisfying it.

What Gets Hidden, and For How Long

Everything. Until spend time.

A P2SH address encodes only `H`, wrapped in a version byte and a checksum. A blockchain explorer watching the output has no idea whether `H` represents a simple single-key script, a 2-of-2 multisig, a time-locked escrow requiring a specific block height before funds can move, or a hash-locked payment channel used as a primitive in the Lightning Network. The script is opaque.

This has a practical privacy consequence that most guides skip entirely. If you're paying a vendor and you use a P2SH address, you learn nothing about their custody setup. They might be a solo operator with one key. They might be a five-person team with hardware signing devices spread across three countries. You can't tell. The spending policy is revealed only when funds leave, and by then it's already spent.

For corporate treasuries, this is a feature, not a side effect. Disclosing your multisig quorum to every counterparty who pays you is a real operational security risk, not a theoretical one. P2SH eliminates it.

The Part That Trips People Up

Here's what people consistently get wrong: they think the hash protects the script from tampering during transit. It doesn't, not in the way you might assume.

The hash in the output is committed to the blockchain at funding time. Nobody can alter it without invalidating the transaction. So yes, the script is protected by the immutability of the chain. The catch: the sender has no way to verify what the script actually does. They're trusting the recipient gave them the correct address for the intended purpose.

If a malicious party swaps a legitimate P2SH address for one they control, the sender has no cryptographic way to detect it from the address alone. This isn't a flaw unique to P2SH. It applies to standard addresses too, and the lesson is the same one it always is: verify addresses out-of-band, ideally through multiple channels.

The other common confusion: P2SH addresses start with `3` on mainnet, which people sometimes mistake for a signal that the address is multisig. It isn't. A `3` address means P2SH. The script behind it could be almost anything valid in Bitcoin Script. A single-key P2PKH script wrapped in P2SH is technically valid, just pointlessly verbose.

Why This Pattern Kept Spreading

P2SH solved a real problem elegantly enough that Bitcoin's scripting evolution kept returning to the same structure. Pay-to-Witness-Script-Hash (P2WSH), introduced with SegWit in 2017, applies the identical logic to the witness data field, using a 32-byte SHA-256 hash instead of the 20-byte HASH160. Taproot extends the idea further: the output commits to a Merkle root of possible spending scripts, and only the branch actually used gets revealed at spend time.

The through-line is consistent. Commit to a hash. Reveal the preimage when you spend. Keep the UTXO set lean. Give the recipient control over their own spending conditions without burdening the sender.

Think of it like a wax-sealed letter lodged with a notary. The notary records that a letter exists and can describe the seal. They don't read it. Only when the time comes to act does the envelope open and its instructions get followed. The instructions were always yours to write.

So when you find a P2SH output in a transaction you're studying, ask yourself: what was behind that hash? The answer is sitting right there in the spending input's scriptSig, fully visible, the moment those coins moved. Everything before that moment was just twenty bytes, sitting quietly in the UTXO set, telling the world nothing except that someone, someday, would know the magic words. That's not a limitation of the design. That's the whole point.