Support for P2WSH-wrapped P2TR addresses

Given that Taproot addresses use a new SegWit version and a new address encoding (bech32m), it’s reasonable to expect a transition from the ecosystem to this new address version similar to what we saw for the P2PKH/P2SH -> P2WPKH/P2WSH transition. It wouldn’t be strange if we see at the very least a multi-month transition period, where some wallets can generate Taproot addresses, but many services like exchanges don’t support making withdrawals to these new addresses.

Following that line of thinking, the transition to Taproot could be much smoother for wallets and end-users if we had a strategy similar to what the P2SH-wrapped outputs did for SegWit.

In BIP341, there’s a security argument for why P2SH-wrapped outputs are not supported: since they use a 160-bit hash, they only provide 80 bits of collision resistance, which is too low. However, after 3.5 years of transition, most of the industry already supports withdrawals to P2WSH addresses. P2WSH outputs use a 256-bit hash, which provides the same 128 bits of collision resistance as the top-level P2TR outputs.

Is there any other reason for not supporting P2WSH-wrapped P2TR outputs?

Continue reading Support for P2WSH-wrapped P2TR addresses