Definition
Pay-to-contract is the cryptographic construction that lets a party embed an arbitrary commitment inside an ordinary-looking public key without changing how that key appears. Given an internal key P and some contract data c, the committed key is Q = P + H(P || c)·G. Because the tweak is added on the elliptic curve, Q is a valid public key for which the original keyholder can still sign, using the shifted private key p + H(P || c), while anyone shown both P and c can verify the commitment.
Taproot as pay-to-contract
BIP341 applies this scheme directly: the "contract" committed in a Taproot output is the merkle root of its script tree, and the published output key is the tweaked key Q. This is why a Taproot output can hide an entire tree of alternative spending conditions behind a single key that is indistinguishable from a plain payment. The commitment binds the keyholder to those scripts without anyone being able to detect their presence until one is used.
Security requirements
The hash must include the public key P as a prefix; committing to c alone would let an attacker who later learns the structure shift the commitment. Including P binds the tweak to that specific key and prevents such malleability. Tagged hashing provides the domain separation that keeps these commitments from colliding with other Bitcoin hash uses.
Pay-to-contract is the general pattern behind the Bitcoin-specific Taproot Tweak and the keys it links: the Taproot Internal Key and output key.
