Taproot Output Key

The Taproot output key, denoted Q in BIP341, is the 32-byte X-only public key that actually appears in a Pay-to-Taproot (P2TR) scriptPubKey. It is derived by tweaking the internal key P with a commitment to the output's script tree: Q = P + t·G, where t = hashTapTweak(P || merkle_root) and G is the secp256k1 generator. Everything an outside observer sees about a Taproot output's spending conditions is encoded in this single key.

Indistinguishability and privacy

Because Q looks like any other public key, an on-chain observer cannot determine whether the output will be spent by a simple signature or by one of several hidden scripts. A key-path spend reveals nothing beyond a Schnorr signature; a script-path spend reveals only the one script used plus a merkle proof, never the siblings. This collapses many distinct contract types into one uniform output format.

Verification

For a key-path spend, validators check a BIP340 Schnorr signature directly against Q. For a script-path spend, validators take the revealed leaf, walk the merkle path from the control block to recompute the root, re-derive t, and confirm that P + t·G equals the committed Q (matching the X-coordinate and the parity bit). Only if this reconstruction succeeds is the script executed.

The output key is the public face of the Taproot Tweak; its components are the Taproot Internal Key and the Taproot Merkle Path.