On January 3, 2009, at approximately 18:15 UTC, a single computer somewhere in the world computed a SHA-256 hash below a target threshold and produced Block 0—the Genesis Block. Inside it was a coinbase transaction paying 50 BTC to a 65-byte public key, locked by the simplest possible script: push the key, check the signature. No addresses. No hashes. No redeem scripts. Just a raw public key and OP_CHECKSIG. This was P2PK—Pay to Public Key—and for the first thirteen days of Bitcoin's existence, it was the only transaction type.
Satoshi's original Bitcoin client used P2PK for two purposes: coinbase outputs (block rewards paid to the miner's public key) and IP-to-IP payments, a feature that allowed one node to send coins directly to another by requesting its public key over a TCP connection. The concept was simple: if you know someone's public key, you can create an output that only their corresponding private key can spend. No intermediate representation was needed. The public key was the identity.
What Satoshi apparently did not anticipate—or chose to accept as a reasonable trade-off—was that embedding the public key directly in the scriptPubKey exposes it to the entire network before the coins are spent. A sufficiently powerful adversary (or, someday, a quantum computer) could work backward from the public key to the private key and steal the funds. This vulnerability would motivate the transition to P2PKH within days, and it haunts Bitcoin to this day: an estimated 1.8 million BTC sits in P2PK outputs whose public keys are permanently visible on the blockchain.
We have already seen the P2PK script in Chapters 1 through 3. Here we formalize its structure as a transaction type—a specific pattern of scriptPubKey and scriptSig that Bitcoin nodes recognize and validate.
A P2PK scriptPubKey has exactly two elements:
<OP_PUSHBYTES_65> <65-byte uncompressed public key> ac
Or, with a compressed public key (33 bytes):
<OP_PUSHBYTES_33> <33-byte compressed public key> ac
In Script assembly:
<pubkey> OP_CHECKSIG
That's the entire locking condition: "provide a valid signature for this public key." No hashing, no address derivation, no multi-step verification.
To spend a P2PK output, the scriptSig contains a single element:
<OP_PUSHBYTES_71/72/73> <DER signature + SIGHASH byte>
In Script assembly:
<sig>
The signature is all that's needed because the public key is already in the scriptPubKey—the verifier doesn't need the spender to provide it again.
The Block 9 coinbase output that funded Satoshi's payment to Hal Finney is a P2PK output with a 67-byte scriptPubKey:
41 04 11 db 93 e1 dc db 8a 01 6b 49 84 0f 8c 53 bc
1e b6 8a 38 2e 97 b1 48 2e ca d7 b1 48 a6 90 9a
5c b2 e0 ea dd fb 84 cc f9 74 44 64 f8 2e 16 0b
fa 9b 8b 64 f9 d4 c0 3f 99 9b 86 43 f6 56 b4 12
a3 ac
| Bytes | Hex | Meaning |
|---|---|---|
| 1 | 41 | OP_PUSHBYTES_65: push the next 65 bytes |
| 65 | 04 11db… b412a3 | Uncompressed public key (prefix 04) |
| 1 | ac | OP_CHECKSIG |
| Total: 67 bytes |
The 04 prefix byte marks this as an uncompressed point on the secp256k1 curve: 1 byte prefix + 32 bytes \(x\)-coordinate + 32 bytes \(y\)-coordinate = 65 bytes total.
When Satoshi spent this output in Block 170, the scriptSig contained only the DER-encoded signature (71 bytes including SIGHASH):
47 30 44 02 20 4e 45 e1 69 32 b8 af 51 49 61 a1 d3
a1 a2 5f df 3f 4f 77 32 e9 d6 24 c6 c6 15 48 ab
5f b8 cd 41 02 20 18 15 22 ec 8e ca 07 de 48 60
a4 ac dd 12 90 9d 83 1c c5 6c bb ac 46 22 08 22
21 a8 76 8d 1d 09 01
| Bytes | Hex | Meaning |
|---|---|---|
| 1 | 47 | OP_PUSHBYTES_71: push the next 71 bytes |
| 70 | 3044… 1d09 | DER-encoded ECDSA signature |
| 1 | 01 | SIGHASH_ALL |
| Total: 72 bytes |
The combined P2PK script burden—72 bytes to unlock, 67 bytes to lock—totals 139 bytes for one coin lifecycle. A P2PKH equivalent requires 107 bytes to unlock (signature plus public key in the scriptSig) but only 25 bytes to lock (a 20-byte hash), totaling 132 bytes—a modest saving overall, but with a dramatically smaller output footprint (see Chapter 5). The 65-byte public key in the P2PK output accounts for nearly half the transaction.
Let us trace the Block 170 spend step by step through the script engine described in Chapter 2. When a node validates this input, it concatenates the scriptSig (unlocking) and the scriptPubKey (locking) into a single program:
<sig> from scriptSig
<pubkey> from scriptPubKey
OP_CHECKSIG from scriptPubKey
The stack machine processes each element left to right:
| Step | Operation | Stack (top → right) |
|---|---|---|
| 0 | (start) | empty |
| 1 | Push <sig> | [sig] |
| 2 | Push <pubkey> | [sig, pubkey] |
| 3 | OP_CHECKSIG | [TRUE] |
04) is pushed on top.OP_CHECKSIG pops both values. The node computes the sighash—a SHA-256d digest of the transaction data serialized according to the SIGHASH type (Chapter 3)—and verifies the ECDSA signature against the public key. If the signature is valid, TRUE is pushed; otherwise FALSE.The script succeeds because exactly one element remains on the stack and it is TRUE. This is the simplest possible script execution in Bitcoin: two pushes and one verification. Every later transaction type adds layers between these pushes—hashing, equality checks, witness segregation—but the final step is always the same: OP_CHECKSIG (or its variants) consuming a signature and a key.
The very first P2PK output ever created was the Genesis Block's coinbase, paying 50 BTC to a public key that belongs to Satoshi Nakamoto:
01 00 00 00
01
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff
4d 04 ff ff 00 1d 01 04 45 54 68 65 20 54 69 6d 65
73 20 30 33 2f 4a 61 6e 2f 32 30 30 39 20 43 68
61 6e 63 65 6c 6c 6f 72 20 6f 6e 20 62 72 69 6e
6b 20 6f 66 20 73 65 63 6f 6e 64 20 62 61 69 6c
6f 75 74 20 66 6f 72 20 62 61 6e 6b 73
ff ff ff ff
01
00 f2 05 2a 01 00 00 00
43 41 04 67 8a fd b0 fe 55 48 27 19 67 f1 a6 71 30
b7 10 5c d6 a8 28 e0 39 09 a6 79 62 e0 ea 1f 61
de b6 49 f6 bc 3f 4c ef 38 c4 f3 55 04 e5 1e c1
12 de 5c 38 4d f7 ba 0b 8d 57 8a 4c 70 2b 6b f1
1d 5f ac
00 00 00 00
The coinbase scriptSig (77 bytes, varint 4d) contains three encoded elements:
04 ffff001d — The compact difficulty target (4 bytes, pushed by OP_PUSHBYTES_4).01 04 — An extra nonce byte (pushed by OP_PUSHBYTES_1).45 followed by 69 bytes — The famous message, pushed by OP_PUSHBYTES_69:The Times 03/Jan/2009 Chancellor on brink of second bailout for banks
This is the most famous coinbase message in history—a headline from The Times of London, serving simultaneously as a timestamp proof (the block was mined on or after January 3, 2009) and a philosophical statement about why Bitcoin exists.
The 50 BTC in the Genesis Block cannot be spent. This is not by cryptographic design—the public key and script are valid—but because of an implementation detail in Satoshi's original code. The Genesis Block's coinbase transaction was hardcoded into the software rather than processed through the normal block-loading path, so it was never inserted into the UTXO set. When any transaction tries to reference this output, the node cannot find it and rejects the spend.
Whether this was intentional (a deliberate "sacrifice" of the first coins) or accidental has been debated for years. Satoshi never commented on it. Regardless, 50 BTC—worth millions of dollars at modern prices—will sit in this output forever, a permanent monument at the base of the blockchain.
The scriptPubKey of the Genesis coinbase uses a different public key than the one in Block 9. Comparing the first 8 bytes of each:
| Block | Public Key (first 16 hex chars) |
|---|---|
| Block 0 (Genesis) | 04 678afdb0fe5548 |
| Block 9 | 04 11db93e1dcdb8a |
Each block reward went to a different key. The original Bitcoin software generated a new key pair for each coinbase output—a pattern later dubbed the Patoshi pattern by researcher Sergio Demian Lerner, who identified a distinctive nonce-scanning behavior in approximately 22,000 early blocks that likely belong to Satoshi's miner.†
In 2013, Sergio Demian Lerner published an analysis showing that the first 36,000 blocks were dominated by a single miner with a distinctive nonce pattern: while other miners scanned nonces incrementally, this miner reduced the nonce search space in a way that left a visible "staircase" pattern in the ExtraNonce field. Lerner estimated that this miner—almost certainly Satoshi—accumulated approximately 1.1 million BTC across 22,000 blocks.
Every one of these coinbase outputs is P2PK, with the public key exposed in the scriptPubKey. None have ever been spent. They represent the single largest known concentration of P2PK outputs on the blockchain, and the largest known quantum-vulnerable Bitcoin holding.
For a cleaner specimen, consider the Block 9 coinbase—the transaction whose output Satoshi spent three days later in Block 170. At only 134 bytes, it is a minimal coinbase transaction:
01 00 00 00
01
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff
07 04 ff ff 00 1d 01 34
ff ff ff ff
01
00 f2 05 2a 01 00 00 00
43
41 04 11 db 93 e1 dc db 8a 01 6b 49 84 0f 8c 53
bc 1e b6 8a 38 2e 97 b1 48 2e ca d7 b1 48 a6 90
9a 5c b2 e0 ea dd fb 84 cc f9 74 44 64 f8 2e 16
0b fa 9b 8b 64 f9 d4 c0 3f 99 9b 86 43 f6 56 b4
12 a3 ac
00 00 00 00
Compare this to the Genesis Block: the coinbase scriptSig is only 7 bytes (04ffff001d0134) instead of 77—no embedded newspaper headline, just the compact difficulty target and an extra nonce byte. The scriptPubKey is identical in structure (67 bytes: 41 + 65-byte key + ac), and the public key matches the one that appears in Block 170's outputs—confirming that Satoshi used the same key for Block 9's coinbase reward and for the change output when sending coins to Hal Finney.
A coinbase transaction differs from a regular transaction in exactly three ways:
00, and the previous vout is ffffffff. These values are invalid for any real UTXO—they signal that this input creates new coins rather than spending existing ones.In every other respect—version, outputs, locktime, serialization—a coinbase transaction is identical to a regular transaction.
Why did Satoshi design P2PK at all? The answer lies in a feature that no longer exists: IP-to-IP payments.
The original Bitcoin client (version 0.1, released January 9, 2009) included a payment protocol that worked like this:
In this model, P2PK made perfect sense: the recipient provided their public key directly, so the sender used it directly. There was no need for an intermediate hash or address encoding—the public key was the address.
IP-to-IP payments were deprecated in the Bitcoin client's GUI around version 0.3.x (mid-2010) and fully removed from the codebase in version 0.8.0 (February 2013).† The feature had several problems:
Bitcoin addresses (first P2PKH, later P2SH and Bech32) solved all of these problems by encoding the payment destination as a string that could be shared offline, verified via checksum, and used regardless of whether the recipient was online.
Under the original protocol, there was no such thing as a Bitcoin "address" in the sense we use the word today. To pay someone, you needed their entire uncompressed public key—a 65-byte blob rendered as 130 hexadecimal characters:
04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f
That is the Genesis coinbase "address"—Satoshi's public key, displayed exactly the way a 2009 user would have had to copy it from one place to another. The 04 prefix marks it as an uncompressed point on secp256k1; the next 32 bytes are the x-coordinate; the final 32 bytes are the y-coordinate. As a medium for human communication, it has every problem you can imagine:
This was workable only because P2PK was never meant for humans to handle directly. Under IP-to-IP payments, Alice's client received the key automatically over TCP from Bob's node—no typing, no copying, no reading aloud. The moment that assumption broke—when IP-to-IP was deprecated and users had to share payment destinations out-of-band, over email or instant message—the raw public key became unusable, and the need for a real address format became urgent.
Chapter 5 is the answer. Every failure listed above is something P2PKH addresses fix: a checksum catches typos, a version byte distinguishes networks, Base58 produces strings that are visually comparable and short enough to read aloud, and the familiar leading 1 gives every mainnet address an instantly recognizable shape.
The defining vulnerability of P2PK is that the public key is visible in the scriptPubKey from the moment the output is created—before anyone attempts to spend it. This has two consequences:
If the same public key appears in multiple P2PK outputs, all of those outputs are trivially linked. An observer can see that the same entity controls all of them. This is a privacy concern, though not a security one—no classical algorithm can recover the private key from the public key (the ECDLP is hard for classical computers).
A sufficiently powerful quantum computer running Shor's algorithm could solve the elliptic curve discrete logarithm problem in polynomial time, recovering the private key from the public key. For P2PK outputs, the public key is permanently visible, giving a quantum attacker unlimited time to work on the problem.
The quantum threat landscape differs dramatically between output types:
The practical difference: P2PKH outputs that have never been spent are quantum-resistant (the public key is hidden behind a hash). P2PK outputs are quantum-vulnerable regardless of whether they've been spent. All of Satoshi's estimated 1.1 million BTC is in P2PK coinbase outputs.
For a rigorous treatment of the mathematical progression from classical number theory through quantum computing to Shor's algorithm, see The Quantum Threat: A Mathematical Journey from Arithmetic to Shor's Algorithm (Hirschfield, 2026), particularly Chapters 17–20.
As of 2026, approximately 1.8 million BTC remains locked in P2PK outputs—the vast majority from early coinbase rewards. This includes:
At any given Bitcoin price, these P2PK outputs represent a significant fraction of the total supply that is permanently quantum-vulnerable. Various proposals have been floated to address this—from ignoring the problem ("quantum computers are decades away") to soft-forking the protocol to invalidate unspent P2PK outputs after a transition period—but no consensus has emerged.
All early P2PK outputs used uncompressed public keys (65 bytes, prefix 04). Later software introduced compressed keys (33 bytes, prefix 02 or 03):
The compression works because secp256k1 is defined by \(y^2 = x^3 + 7 \pmod{p}\). For any valid \(x\)-coordinate, there are exactly two valid \(y\) values: \(y\) and \(p - y\). One is even, one is odd. The prefix byte encodes which one:
02: \(y\) is even.03: \(y\) is odd.The receiver computes \(y\) from \(x\) using the equation and selects the correct root based on the prefix. This saves 32 bytes per output—significant when every byte is stored by every full node forever.
The OpenSSL library that Bitcoin's original code linked against defaulted to uncompressed key representation. Satoshi used OpenSSL's built-in functions for key generation and signature verification, and apparently did not override the default. Compressed key support was added to Bitcoin Core in version 0.6.0 (March 2012)†, more than three years after launch.
This is a recurring theme in Bitcoin's history: pragmatic choices in version 0.1—often dictated by library defaults rather than deliberate design—became permanent features of the protocol because consensus rules cannot be changed retroactively.
How much space does a P2PK transaction consume compared to later types? Let's calculate for a minimal 1-input, 2-output transaction (like Block 170):
| Field | Bytes | Notes |
|---|---|---|
| Version | 4 | Always 01000000 |
| Input count (varint) | 1 | |
| Previous txid | 32 | |
| Previous vout | 4 | |
| ScriptSig length | 1 | 48 = 72 |
| ScriptSig | 72 | Push opcode + DER sig + SIGHASH |
| Sequence | 4 | |
| Output count (varint) | 1 | |
| Output 0 value | 8 | |
| Output 0 scriptPubKey length | 1 | 43 = 67 |
| Output 0 scriptPubKey | 67 | Push + 65-byte key + ac |
| Output 1 value | 8 | |
| Output 1 scriptPubKey length | 1 | 43 = 67 |
| Output 1 scriptPubKey | 67 | Push + 65-byte key + ac |
| Locktime | 4 | |
| Total | 275 |
The two scriptPubKey fields consume \(2 \times 67 = 134\) bytes—nearly half the entire transaction. With compressed keys, these would be \(2 \times 35 = 70\) bytes, saving 64 bytes. With P2PKH (Chapter 5), they would be \(2 \times 25 = 50\) bytes, saving 84 bytes.
This size overhead was one of several motivations for the transition to P2PKH—not the primary one (that was the security benefit of hashing the key), but a meaningful secondary benefit as the blockchain grew.
P2PK stopped being used for regular transactions almost immediately after P2PKH was introduced (Block 728, January 16, 2009—just thirteen days after genesis). However, it continued to appear in coinbase transactions because many mining software implementations retained the original P2PK format for block rewards well into 2011–2012.
Today, P2PK is effectively a museum piece. No modern wallet software creates P2PK outputs, and no commonly used address format corresponds to P2PK (since P2PK predates Bitcoin addresses entirely). But the protocol still supports it: any node will validate a P2PK spend, and the estimated 1.8 million BTC in unspent P2PK outputs remains a live part of the UTXO set.
P2PK is the minimal viable Bitcoin transaction type: one public key, one signature verification. Every later type—P2PKH, P2SH, P2WPKH, P2WSH, P2TR—adds layers of indirection (hashing, redeem scripts, witness structures, Merkle trees) that improve privacy, efficiency, or functionality. But they all ultimately reduce to the same primitive: prove you hold the private key corresponding to a known public point on secp256k1.
Understanding P2PK deeply means understanding the atomic unit from which all of Bitcoin's transaction types are built.
04 indicate an uncompressed key, while 02/03 indicate compressed?OP_CHECKSIG against public key \(Q = dG\) is to know \(d\) or break the ECDLP.0x00, compute a 4-byte checksum (first 4 bytes of SHA-256d of the versioned payload), and Base58-encode the result. What address do you get? (Chapter 5 will verify your answer.)OP_CHECKMULTISIG to require \(m\) of \(n\) signatures. But this creates enormous scriptPubKeys (each key is 65 or 33 bytes, and \(n\) can be up to 20). How does P2SH (Chapter 6) solve this problem? (Hint: hash the entire script.)L1. The complete P2PK scriptPubKey is: 41 <65-byte pubkey> ac. That's OP_PUSHBYTES_65 (1 byte), the uncompressed public key (65 bytes), and OP_CHECKSIG (1 byte) = 67 bytes total. With a compressed key: 21 <33-byte pubkey> ac = 35 bytes.
L2. The P2PK scriptSig is: <push_opcode> <DER_signature + SIGHASH>. It contains exactly one element: the signature. The public key is not needed in the scriptSig because it's already in the scriptPubKey.
L3. False. The Genesis Block's 50 BTC cannot be spent by anyone, regardless of key knowledge. The coinbase transaction was hardcoded into Bitcoin's source code and was never added to the UTXO set. The node software will reject any transaction that tries to spend it because it cannot find the output in the UTXO database.
L4. The prefix byte indicates the key encoding format: 04 means both coordinates (\(x\) and \(y\)) follow (65 bytes total). 02 means only \(x\) follows and \(y\) is even; 03 means only \(x\) follows and \(y\) is odd. The receiver recovers \(y\) from the curve equation \(y^2 = x^3 + 7 \pmod{p}\) and selects the root matching the parity indicated by the prefix.
L5. An uncompressed P2PK scriptPubKey is 67 bytes. A compressed P2PK scriptPubKey is 35 bytes. The savings: \(67 - 35 = 32\) bytes per output (exactly the \(y\)-coordinate that was removed, plus the 32-byte difference between the 65-byte and 33-byte key representations: \(65 - 33 = 32\)).
H1. Parsing the 204-byte Genesis Block coinbase:
| Field | Bytes | Value |
|---|---|---|
| Version | 4 | 01000000 (version 1) |
| Input count | 1 | 01 (1 input) |
| Prev txid | 32 | 00… 00 (coinbase null) |
| Prev vout | 4 | ffffffff (coinbase marker) |
| ScriptSig length | 1 | 4d = 77 bytes |
| ScriptSig | 77 | Difficulty + "The Times…" |
| Sequence | 4 | ffffffff |
| Output count | 1 | 01 (1 output) |
| Value | 8 | 00f2052a01000000 = 5,000,000,000 sats |
| scriptPubKey length | 1 | 43 = 67 bytes |
| scriptPubKey | 67 | 41 04678a… 1d5f ac (P2PK) |
| Locktime | 4 | 00000000 |
| Total | 204 |
H2. The Genesis Block public key's \(x\)-coordinate (hex):
678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6
To verify: compute \(x^3 + 7 \pmod{p}\) where \(p = 2^{256} - 2^{32} - 977\). If the result is a quadratic residue modulo \(p\) (i.e., has a square root), then \(x\) is a valid curve point. This can be checked using Euler's criterion: \(a^{(p-1)/2} \equiv 1 \pmod{p}\) iff \(a\) is a QR. (Use Python's pow(x**3 + 7, (p-1)//2, p) — it should return 1.)
H3. The 70-byte difference is entirely in the coinbase scriptSig: the Genesis Block's scriptSig is 77 bytes (varint 4d) including the newspaper headline, while Block 9's scriptSig is only 7 bytes (varint 07). The scriptPubKey lengths are identical (67 bytes each), and all other fields are the same size. Difference: \(77 - 7 = 70\) bytes.
H4. Applying RIPEMD-160(SHA-256(pubkey)) to each 65-byte uncompressed key:
Output 0 (10 BTC to Hal Finney, key prefix 04ae1a62…):
Hash160: fc916f213a3d7f1369313d5fa30f6168f9446a2d
Prepend version byte 00, compute 4-byte checksum (SHA-256d), Base58-encode:
1Q2TWHE3GMdB6BZKafqwxXtWAWgFt5Jvm3
Output 1 (40 BTC change to Satoshi, key prefix 0411db93…):
Hash160: 11b366edfc0a8b66feebae5c2e25a7b6a5d1cf31
Base58Check address:
12cbQLTFMXRnSzktFkuoG3eHoMeFtpTu3S
These are the P2PKH addresses that block explorers display as "associated addresses" for these P2PK outputs. You can verify both on mempool.space by looking up the Block 170 transaction (f4184fc5…). Chapter 5 will trace the full derivation pipeline—SHA-256, RIPEMD-160, version byte, checksum, Base58 encoding—step by step.
P1. Let \((x, y)\) be a point on secp256k1, so \(y^2 \equiv x^3 + 7 \pmod{p}\). Then \((p-y)^2 = p^2 - 2py + y^2 \equiv y^2 \equiv x^3 + 7 \pmod{p}\), so \((x, p - y)\) is also on the curve.
For parity: \(p\) is odd (it's a large prime \(> 2\)). If \(y\) is even, then \(p - y\) is odd (odd minus even = odd). If \(y\) is odd, then \(p - y\) is even. So exactly one of \(\{y, p-y\}\) is even, and the prefix byte (02 for even, 03 for odd) uniquely identifies which \(y\)-value to use.
P2. Assume ECDSA is secure (the ECDLP is hard). The P2PK scriptPubKey contains public key \(Q = dG\), and OP_CHECKSIG verifies that the scriptSig contains a valid ECDSA signature \((r, s)\) on the sighash \(z\) under key \(Q\).
By the security of ECDSA, producing a valid \((r, s)\) for a given \((z, Q)\) requires either: (a) knowledge of the private key \(d\), or (b) an algorithm that solves the ECDLP (computing \(d\) from \(Q = dG\)). Since we assumed the ECDLP is hard, only (a) is feasible.
Note: this argument assumes the hash function (SHA-256d) is collision-resistant. If an attacker could find a collision in the sighash, they could potentially reuse a signature from a different transaction—but this would require breaking SHA-256, not ECDSA.
P3. For a P2PK transaction with \(n\) inputs and \(m\) outputs (uncompressed keys):
Total P2PK: \(10 + 113n + 76m\) bytes.
For P2PKH (Chapter 5 preview):
Total P2PKH: \(10 + 148n + 34m\) bytes.
Difference: \((113n + 76m) - (148n + 34m) = -35n + 42m\).
P2PK is smaller per input (113 vs. 148, because the scriptSig only needs the signature, not the public key) but larger per output (76 vs. 34, because the scriptPubKey stores the full key instead of a 20-byte hash). The break-even point is \(35n = 42m\), or \(n/m = 6/5\). Transactions with more outputs than inputs (common for batch payments) benefit most from P2PKH's compact outputs.
C1. As of 2026, the most powerful quantum processors have 1,000–1,200 physical qubits (IBM Condor: 1,121; Atom Computing: 1,180). Breaking secp256k1's 256-bit ECDLP requires an estimated 2,330 logical qubits using Shor's algorithm.† With current error rates, each logical qubit requires thousands of physical qubits for error correction, putting the total requirement at millions of physical qubits.
Optimistic estimates (e.g., Google's Willow chip roadmap) suggest fault-tolerant quantum computers with millions of qubits could arrive by the late 2030s or 2040s. More conservative estimates place this in the 2050s or beyond.
The Bitcoin community has several options: (1) do nothing and rely on the timeline being long; (2) implement quantum-resistant signature schemes (lattice-based, hash-based) via soft fork; (3) migrate UTXOs to quantum-resistant address types, potentially with a deadline after which unspent P2PK outputs are frozen or burned. Each option has trade-offs in complexity, urgency, and political feasibility.
C2. Lightning Network funding transactions use 2-of-2 multisig with raw (unhashed) public keys in the witness script. The reason: Lightning requires both parties to construct and sign transactions before the funding transaction is broadcast. The internal scripts (commitment transactions, HTLCs) reference the raw keys because the parties already know each other's keys from the channel opening protocol. Hashing the keys would add no security benefit (both parties already know the keys) and would increase the witness size. The trade-off is that the public keys are revealed when the channel closes on-chain, but since Lightning channels are meant to be ephemeral, the quantum exposure window is limited.
B1. Starting with the Block 9 coinbase public key (0411db93… b412a3):
00: 21 bytes.Starting from the 65-byte key 0411db93e1dcdb8a… b412a3:
11b366edfc0a8b66feebae5c2e25a7b6a5d1cf31 (20 bytes).00: 0011b366edfc0a8b66feebae5c2e25a7b6a5d1cf31 (21 bytes).12cbQLTFMXRnSzktFkuoG3eHoMeFtpTu3S
This is the same address computed in H4 for Satoshi's change output—because the Block 9 coinbase and the Block 170 change both use the same public key. Chapter 5 will trace each of these steps in detail and explain the design choices behind Base58Check encoding.
B2. Bare multisig places all \(n\) public keys directly in the scriptPubKey: OP_m <key1> <key2> … <key_n> OP_n OP_CHECKMULTISIG. For a 2-of-3 with uncompressed keys, this is \(1 + 66 + 66 + 66 + 1 + 1 = 201\) bytes—far larger than P2PK's 67 bytes. P2SH solves this by replacing the entire multisig script with its 20-byte hash in the scriptPubKey: OP_HASH160 OP_PUSHBYTES_20 <20-byte hash> OP_EQUAL (23 bytes: a9 14 + 20 bytes + 87). The full script (the "redeem script") is provided in the scriptSig when spending. This moves the storage cost from output creation to spending, and keeps output sizes constant regardless of script complexity.