Definition
The control block is the witness element that makes a Taproot script-path spend verifiable. A Taproot output commits to a whole tree of alternative spending scripts while revealing none of them; when a spender finally reveals one script (a tapleaf), the network needs proof that this script was genuinely committed to in the output rather than invented on the spot. The control block carries exactly that proof: the internal public key plus the Merkle path connecting the revealed leaf back to the tree root. It is a Merkle proof with a header byte — nothing more, and nothing less is needed.
Byte layout
A control block is always 33 + 32m bytes long, where m is the number of Merkle path elements (0 to 128). The first byte packs two things: its upper seven bits hold the leaf version (0xc0 for the initial tapscript version), and its lowest bit records the parity of the output key's Y coordinate — a single bit that lets verifiers reconstruct the full point from the x-only key encoding. The next 32 bytes are the Taproot internal key. Everything after that is a sequence of 32-byte sibling hashes forming the Merkle proof, deepest first. A tree with a single script needs no siblings at all (m = 0, a 33-byte control block), while the 128-element ceiling supports trees of staggering size — up to 2128 leaves, which is to say: more scripts than you will ever need.
Verification
To validate a script-path spend, a node recomputes the tagged TapLeaf hash from the revealed script and leaf version, then folds in each sibling hash from the control block — ordering each pair lexicographically — to rebuild the Merkle root. It then tweaks the internal key by that root and checks that the result matches the output key on the chain, parity bit included. If everything matches, the script was provably part of the committed tree and is allowed to execute with the remaining witness data as its inputs. The elegance is what this proof does not reveal: every other leaf in the tree stays hidden forever. Spend through your cooperative branch and the world never learns your timeout clause, your recovery multisig, or how many alternatives existed.
Cost and design implications
Each level of tree depth adds 32 bytes of witness data, so script placement is a fee decision: wallets put the branches most likely to be used near the top of the tree (short proofs, cheap spends) and bury rarely used contingencies deeper, where their 32-bytes-per-level cost will probably never be paid. And the cheapest path of all bypasses the control block entirely — a key-path spend with a single Schnorr signature reveals nothing about the tree's existence, needs no proof, and is indistinguishable from an ordinary single-sig payment.
The script being proven is a tapleaf, and the control block appears only on the script branch described in key path vs script path spend. Key-path spends need no control block at all — which is precisely the privacy design working as intended.
In Simple Terms
The control block is the witness element that makes a Taproot script-path spend verifiable. A Taproot output commits to a whole tree of alternative spending…
