P2MS (Pay-to-Multisig): The Anchor Guide to Bare Multisig
P2MS (Pay-to-Multisig): The Anchor Guide to Bare Multisig
Executive Summary: Pay-to-Multisig (P2MS), often referred to as "Bare Multisig," is the primitive Bitcoin script type that enables multi-party ownership. It follows an M-of-N logic, where a transaction requires $M$ signatures from a predefined set of $N$ public keys to be considered valid. While largely superseded by the more efficient P2SH (Pay-to-Script-Hash) format, P2MS remains the functional engine beneath every multisig wallet in existence today.
🔍 Why This Module Matters
One of Bitcoin's greatest strengths is that it doesn't require a single "Owner." It can be owned by a board of directors, a pair of spouses, or a distributed group of escrow agents. This capability is powered by P2MS. This module will deconstruct the "Bare" multisig format, explaining how it works at the script level, why it doesn't have a standard address format, and the technical limitations that led to the development of P2SH. Mastering P2MS is the prerequisite for understanding complex Bitcoin smart contracts.
🏛️ The M-of-N Model: Collaborative Security
P2MS allows you to create a "Joint Account" with mathematical enforcement.
1. The Threshold (M)
The number of signatures required to authorize a spend.
- Example (2-of-3): You need any two out of the three keys to agree. This protects against a single person going rogue or a single key being stolen.
2. The Set (N)
The total pool of potential signers.
- Protocol Limit: In "Bare" P2MS, the Bitcoin network generally only relays scripts with up to 3 public keys. For larger sets (up to 15 or more), you must use P2SH.
⚙️ The "Bare" Problem: Why We Don't See P2MS Addresses
If you look at your wallet, you see addresses like 1BvBM... or bc1q.... You will never see a P2MS address.
-
Raw Script: P2MS is a "Bare" script. It lives in the transaction output directly.
-
The Burden: To pay someone via P2MS in 2011, you couldn't just "send to an address." You had to manually construct a transaction that included all of their public keys.
-
The Result: This put the burden of "Script Construction" on the Sender rather than the Recipient. This is the opposite of how almost every other payment system works.
🛠️ Comparison: Bare Multisig vs. Hashed Multisig (P2SH)
| Feature | P2MS (Bare) | P2SH (Standard) |
|---|---|---|
| Locked To | Raw Public Keys | A Hash of the Script |
| Address | No (Raw Script) | Yes (Starts with a '3') |
| Privacy | Low (All keys are public) | High (Keys hidden until spend) |
| Fees | High (Long scripts in output) | Low (Recipient pays for script size) |
| Key Limit | Usually 3 | Up to 15 |
💎 Use Cases: When is P2MS used today?
While rare for normal payments, P2MS is still seen in specific technical contexts:
-
OP_RETURN Metadata: Some protocols use 1-of-1 P2MS to store small amounts of data in a transaction output.
-
Miner Signaling: Early versions of miner signaling for soft forks used bare multisig scripts.
-
Experimental Scripts: Developers testing new "Lock" patterns often start with bare scripts before wrapping them in P2SH or SegWit.
🛡️ The "Off-by-One" Legacy Bug
P2MS is famous for a technical quirk called the OP_CHECKMULTISIG bug.
-
The Bug: Due to an error in the original C++ code by Satoshi, the
OP_CHECKMULTISIGoperator accidentally "pops" one extra item off the stack. -
The Fix: Instead of fixing the code (which would have been a hard fork), the community agreed to always push a "Dummy" value (usually a zero byte) onto the stack before the signatures.
-
The Result: Every multisig spend in Bitcoin history has an extra
0x00byte in its input because of this 2009 bug.
🎯 Learning Objectives for this Module
By the end of this module, you will be able to:
-
Define P2MS and the M-of-N threshold model.
-
Explain why P2MS is called "Bare" multisig.
-
Identify the technical burdens that made P2MS difficult for normal users.
-
Contrast P2MS with P2SH in terms of privacy and address formatting.
-
Understand the "Extra Zero" bug and why it persists in Bitcoin today.
🗺️ Module Roadmap: What's Next?
Now that we've seen the logic of multi-party ownership, we will look at the bytes:
-
P2MS ScriptPubKey Structure: Deconstructing the
OP_CHECKMULTISIGcommand. -
The Off-By-One Bug: A technical walkthrough of the stack error.
-
Consensus Limits: Why nodes won't relay multisig scripts larger than 3 keys.
-
Python P2MS Auditor: Writing a script to verify a multi-signature spend.
🎓 Summary
P2MS is the "Primal" smart contract of Bitcoin. It proved that decentralized money could be managed by a consensus of people, not just a single individual. While we have moved to more efficient formats like P2SH and Taproot, the core logic of M-of-N remains the most powerful security tool in the Bitcoin ecosystem.
TeachMeBitcoin is an ad-free, open-source educational repository curated by a passionate team of Bitcoin researchers and educators for public benefit. If you found our articles helpful, please consider supporting our hosting and ongoing content updates with a clean donation: