P2MS (Pay To Multisig)
  • Hash256
  • Hash160
  • Reverse Bytes
Youtube Twitter

P2MS Pay To Multisig

P2MS is a script pattern that allows you to lock bitcoins to multiple public keys, and require signatures for some (or all) of those public keys to unlock it.

For example, you could create a P2MS script that includes the public keys of 3 different people, but only 2 of those people would need to provide their signatures to spend the bitcoins:

BIP 11: M-of-N Standard Transactions (18 October 2011)

Although P2MS is a standard script, it is now more common to wrap this type of script in a P2SH (see below).

How does P2MS work?

Multisig scripts are pretty straightfoward to create. For the locking script:

  1. Include an opcode M to indicate how many signatures are required.
  2. Include the public keys.
  3. Include another opcode N to indicate how many public keys there are.
  4. Put the CHECKMULTISIG opcode at the end.
scriptPubKey 514104cc71eb30d653c0c3163990c47b976f3fb3f37cccdcbedb169a1dfef58bbfbfaff7d8a473e7e2e6d317b87bafe8bde97e3cf8f065dec022b51d11fcdd0d348ac4410461cbdcc5409fb4b4d42b51d33381354d80e550078cb532a34bfa2fcfdeb7d76519aecc62770f5b0e4ef8551946d8a540911abe3e7854a26f39f58b25c15342af52ae
OP_1 04cc71eb30d653c0c3163990c47b976f3fb3f37cccdcbedb169a1dfef58bbfbfaff7d8a473e7e2e6d317b87bafe8bde97e3cf8f065dec022b51d11fcdd0d348ac4 0461cbdcc5409fb4b4d42b51d33381354d80e550078cb532a34bfa2fcfdeb7d76519aecc62770f5b0e4ef8551946d8a540911abe3e7854a26f39f58b25c15342af OP_2 OP_CHECKMULTISIG
P2MS
hex | opcodes inline | stack

To unlock a P2MS script, you just need to provide the required number of signatures. In this case M is one:

scriptSig 0047304402203f16c6f40162ab686621ef3000b04e75418a0c0cb2d8aebeac894ae360ac1e780220ddc15ecdfc3507ac48e1681a33eb60996631bf6bf5bc0a0682c4db743ce7ca2b01
OP_0 304402203f16c6f40162ab686621ef3000b04e75418a0c0cb2d8aebeac894ae360ac1e780220ddc15ecdfc3507ac48e1681a33eb60996631bf6bf5bc0a0682c4db743ce7ca2b01
hex | opcodes inline | stack

CHECKMULTISIG Bug: This opcode actually has a bug where it pops one extra element of the stack than it needs to (off-by-one error). So to avoid an error, we add a dummy value (typically OP_O) at the start of the scriptSig.

Executing

When this script executes, all of the signatures and public keys get pushed on to the stack.

Then we get to CHECKMULTISIG, which:

  1. Pops off N, and then pops that number of public keys of the stack.
  2. Pops off M, and then pops that number of signatures of the stack.

After popping all the public keys and signatures off the stack, it compares each signature with each public key:

  • If the signature does not match the public key, we move on to the next public key and check that one. However, that public key will also be ignored for every subsequent signature (so make sure you put your signatures in order in the scriptSig!).
  • If the signature matches the public key, we increment a tally and repeat for the next signature.

If the tally of valid signatures is equal to M after all of the signatures have been checked, then CHECKMULTISIG pushes a 1 on to the stack and the script is valid.

Where can you find P2MS scripts?

It's not common to find P2MS scripts in the blockchain, as most multisig transactions use the newer P2SH script instead.

According to this cool blockchain explorer, only 1% of all locking scripts are P2MS, so they can be hard to find.

According to this cool blockchain explorer, only 1% of all locking scripts are P2MS, so they can be hard to find.

Nonetheless, here are some example transactions that have P2MS locking scripts on their outputs:

You will not see any addresses for the P2MS locking scripts in the transactions above, as P2MS does not have its own address format (like P2PKH and P2SH do).

Why do we now use P2SH instead of P2MS?

Because by using P2SH you can avoid the disadvantages that come with a "raw" P2MS script:

  1. P2MS has no address format. So if you want someone to put a P2MS lock on your bitcoins, you will need to construct and send them the raw locking script yourself. Worse still, they may not be able to create this transaction for you, as most wallets only allow you to use addresses (and not raw scripts) when making a transaction.
  2. P2MS is limited to 3 public keys.1 The locking script of a P2MS can get pretty sizeable with all the public keys, so it's limited to 3 (to prevent too much data being stored in in the UTXO set). However, with P2SH you can use multisig locks with up to 15 public keys.

So you can still use P2MS if you want, but it's more convenient to use P2SH to achieve the same thing instead.

P2SH is basically a script that allows you to wrap another script inside it (e.g. P2MS).

So why do we have both P2MS and P2SH?

Because P2MS became a standard script before P2SH was available.

  • P2MS - Became a standard script in January 2012. 2
  • P2SH - Became a standard script in April 2012. 3 4

It could be removed as a standard script, but...

We can't just introduce a policy that breaks existing functionality. -- Pieter Wuille

So P2MS remains as a relic from the time before P2SH existed.

By Greg Walker,

Last Updated: 31 Jan 2019
  • 31 Jan 2019: script page checks and edits
  • 29 Jan 2019: Updated title images for script pages. Also added simple breadcrumb for these pages too.
  • 25 Jan 2019: removed unnecessary address code from example scripts
  • 25 Jan 2019: script examples now have hex switches and show the tooltips thanks to using the output.js file in browser/transaction/output
  • 23 Jan 2019: First draft of P2PK, P2PKH, P2MS, and P2SH pages.

Hey there, it's Greg.

I'll let you know about cool website updates, or if something seriously interesting happens in bitcoin.


Don't worry, it doesn't happen very often.