Pay To Public Key

A diagram showing the structure of a P2PK.

P2PK (Pay To Public Key) is a script pattern that locks an output to a public key.

It is a simpler version of the more-commonly used P2PKH locking script.

Legacy Script. This is a legacy script pattern and is rarely used.


How does P2PK work?


To create a P2PK lock you just need to place a public key and a OP_CHECKSIG opcode in the ScriptPubKey:


Transaction: 1db6251a9afce7025a2061a19e63c700dffc3bec368bd1883decfac353357a9d (Output 1)

The public key can either be an uncompressed public key (65 bytes) or a compressed public key (33 bytes). Both are fine to use within a P2PK. The example above contains a 65-byte uncompressed public key.


To unlock a P2PK you just need to provide a valid signature in the ScriptSig:


Transaction: e827a366ad4fc9a305e0901fe1eefc7e9fb8d70655a079877cf1ead0c3618ec0 (Input 0)


When the script runs, both the signature and public key are pushed on to the stack, and then the OP_CHECKSIG opcode verifies the signature against the public key and pushes a OP_1 on to the stack if the signature is valid.

If the signature is not valid, a OP_0 is pushed on to the stack and the script is invalid.

An animation showing the execution of a full P2PK script.


Where can you find P2PK scripts?

Despite being the simplest script for locking bitcoins to someone's public key, P2PK is not used as much as the similar (yet slightly more complex) P2PKH script.

Here are some examples of transactions using P2PK:

The coinbase transaction in the genesis block. This output has not been spent.
The first ever bitcoin transaction from Satoshi to Hal Finney. Satoshi actually used P2PK for both outputs in the first transaction, even though P2PKH was available. Probably because Hal was more than comfortable using public key cryptography directly, and Satoshi did not want to bother with the additional layer of complexity that comes with P2PKH.
This transaction contains a P2PK locked to a 33-byte compressed public key (as opposed to a 65-byte uncompressed public key in the examples above).

Coinbase Transactions

You'll most commonly find P2PK in coinbase transactions in the earlier blocks in the blockchain.

This is because the original Bitcoin Core miner would send the block reward to a P2PK when constructing a candidate block:

A diagram showing the output from an early coinbase transaction being locked to a P2PK.

It's pretty rare to find P2PK locking scripts being used in the wild these days.

Why did Satoshi use P2PK in the Bitcoin Core miner?

I'm not sure. Satoshi never gave a reason for this choice.

I think P2PKH was used as a convenient way for humans to make transactions, as it allowed you to use addresses instead of passing around your public key (which is longer). Whereas the miner does not need the convenience of addresses, so P2PK made for a simpler choice.

Why don't we use P2PK more often?

Because Satoshi designed P2PKH so that we can send each other shorter addresses instead of full public keys.

For convenience, Bitcoin wallets then only offered the ability to send bitcoins to addresses (which convert to P2PKH scripts), so the only way use P2PK is to construct one manually in a raw transaction.


Does P2PK have an address?

A P2PK does not have an official address. However, you'll sometimes find blockchain explorers displaying addresses for P2PK locking scripts, even though they technically do not have one.

For example, this is the ScriptPubKey on the output of the genesis transaction, which is using a P2PK locking script:


Transaction: 4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b (Output 0)

This P2PK locking script does not have an official address, but some blockchain explorers will show that it has the address 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa:

Screenshot of the genesis transaction on the blockchain.com explorer.
Screenshot of the genesis transaction on the blockchain.com explorer.

This is actually what the address would have been if it was a P2PKH instead of a P2PK.

So when you see an address for a P2PK, the blockchain explorer has taken it upon themselves to HASH160 the public key inside the P2PK, then convert that to a base58 address to show you what the address for that output would have been if it was actually a P2PKH locking script instead.

Address (Base58)

So whilst P2PK and P2PKH are similar, and they would both lock coins to the same person if they both contain the same public key, it's not technically accurate to say that a P2PK locking script has an address.

The only benefit to finding the "addresses" for P2PKs is if you were doing some form of blockchain analysis, and wanted to see if coins had been locked to the same public key via a P2PK or P2PKH, and wanted to use an address as the search parameter.