Taproot Internal Key

The Taproot internal key, written P in BIP341, is the public key a wallet selects as the foundation of a Taproot (SegWit v1) output before any script commitment is applied. It is not the key that appears on-chain; rather, it is tweaked with a commitment to the script tree to produce the published output key. In multiparty contexts P is typically an aggregated key from a protocol such as MuSig2, so a group of signers can present a single internal key.

Role in spending

The internal key defines the key-path spend: when all required parties cooperate, they sign for the tweaked key Q = P + t·G using the tweaked secret p + t, producing one 64-byte Schnorr signature that is indistinguishable from a single-signer payment. This is the cheapest, most private way to spend a Taproot output.

Disabling the key path

When the designer wants only script-path spends to be valid, the internal key is set to a NUMS ("nothing up my sleeve") point whose discrete logarithm is unknown to anyone, making key-path spending provably impossible. A common construction lifts the X-coordinate of hash("..." )-derived data to a curve point, optionally re-randomised, so no party can ever forge a key-path signature.

The internal key also reappears in the control block during a script-path spend, where its serialized X-coordinate lets verifiers reconstruct the tweak. See Taproot Tweak and the resulting Taproot Output Key.