Skip to main content


The vast majority of transactions processed on the bitcoin network spend outputs locked with a Pay-to-Public-Key-Hash or “P2PKH” script. These outputs contain a locking script that locks the output to a public key hash, more commonly known as a bitcoin address. An output locked by a P2PKH script can be unlocked (spent) by presenting a public key and a digital signature created by the corresponding private key.

Back when Bitcoin launched in 2009, this was the only way to create an address. Today, this uses the most amount of space inside a transaction and is, therefore, the most expensive address type.


Traditional bitcoin addresses begin with the number “1” and are derived from the public key, which is derived from the private key. Although anyone can send bitcoin to a “1” address, that bitcoin can only be spent by presenting the corresponding private key signature and public key hash.


Suppose a person has to pay some amount of bitcoin for a product bought at a Coffee Shop. That transaction output would have a locking script of the form:


The Coffee Shop Public Key Hash is equivalent to the bitcoin address of the Coffee Shop, without the Base58Check encoding. Most applications would show the public key hash in hexadecimal encoding and not the familiar bitcoin address Base58Check format that begins with a “1.”

The preceding locking script can be satisfied with an unlocking script of the form:

<Coffee Shop Signature> <Coffee Shop Public Key>

The two scripts together would form the following combined validation script:

<Coffee Shop Signature> <Coffee Shop Public Key> OP_DUP OP_HASH160
<Coffee Shop Public Key Hash> OP_EQUALVERIFY OP_CHECKSIG

When executed, this combined script will evaluate TRUE if, and only if, the unlocking script matches the conditions set by the locking script. In other words, the result will be TRUE if the unlocking script has a valid signature from the coffee shop’s private key that corresponds to the public key hash set as an encumbrance.