Scriptless Script

What Is a Scriptless Script?

A scriptless script is a technique for enforcing smart contract conditions using the mathematical properties of digital signatures rather than explicit on-chain script code. Instead of writing spending conditions into Bitcoin Script (which is visible on the blockchain), scriptless scripts embed those conditions directly into the signature construction process. The result is a transaction that looks identical to an ordinary single-signature spend on-chain, even though it enforces complex multi-party agreements off-chain.

The concept was developed by Andrew Poelstra, Research Director at Blockstream, originally motivated by his work on Mimblewimble: a protocol so constrained that it has no scripting language at all. Poelstra discovered that the linearity of Schnorr signatures could be exploited to construct and combine signatures in ways that enforce agreements between parties without revealing any contract logic to the network. He presented the idea at the Scaling Bitcoin conference in 2017 and at Real World Crypto 2018.

With Bitcoin's Taproot upgrade activating in November 2021 and bringing native Schnorr signature support via BIP-340, scriptless scripts became practical for Bitcoin's main network. They represent a fundamentally different approach to smart contracts: rather than making contracts more expressive on-chain, they move contract logic off-chain entirely.

How It Works

To understand scriptless scripts, it helps to first review how Schnorr signatures work. A Schnorr signature on a message m with private key x and corresponding public key P = xG is computed as:

1. Choose a random nonce k and compute R = kG
2. Compute challenge e = H(R || P || m)
3. Compute signature scalar s = k + ex
4. The signature is the pair (R, s)

Verification checks that sG = R + eP. The critical insight behind scriptless scripts is that this equation is linear: signatures can be added, subtracted, and combined in ways that reveal or conceal specific values.

Adaptor Signatures

The core primitive powering scriptless scripts is the adaptor signature. An adaptor signature is a modified, incomplete signature that is "offset" by a secret value t. It can only be turned into a valid signature by someone who knows that secret.

The relationship works as follows: given a secret value t, its corresponding adaptor point T = tG, and an adaptor signature s', knowing any two of the three elements (secret, adaptor signature, final signature) lets you compute the third:

// Adaptor signature (incomplete)
s' = k + ex          // Missing the secret t

// Full valid signature
s = s' + t = k + ex + t

// Anyone who sees both s' and s can recover t
t = s - s'

The party receiving the adaptor signature can verify that it will become a valid signature once the secret t is added, without knowing t itself. They verify this against the publicly known adaptor point T. This is what makes the protocol trustless: the verifier is cryptographically certain that publishing the final signature will reveal the secret.

Trustless Secret Exchange

This property creates a powerful mechanism: when one party publishes the completed signature to the blockchain, the other party can extract the secret by comparing the published signature with the adaptor signature they received earlier. The act of spending becomes the act of revealing a secret, and both happen atomically.

Unlike HTLC-based approaches that expose a hash and preimage on-chain, adaptor signatures reveal secrets purely through the mathematical relationship between signature values. No contract logic, hash, or preimage ever appears in the transaction.

Use Cases

Scriptless Atomic Swaps

Traditional atomic swaps rely on HTLCs: both chains must support compatible scripting, and the hash preimage is visible on-chain, linking the two transactions. Scriptless atomic swaps replace this mechanism entirely:

1. Alice and Bob agree to swap assets across two chains that both support Schnorr signatures
2. Alice generates a secret t and shares the adaptor point T = tGwith Bob
3. Bob creates a transaction on his chain and gives Alice an adaptor signature locked toT
4. Alice creates a transaction on her chain and gives Bob an adaptor signature locked to the same T
5. Alice completes Bob's adaptor signature by adding t and publishes it to claim Bob's funds
6. Bob sees the published signature, subtracts the adaptor signature he gave Alice, and recovers t
7. Bob uses t to complete Alice's adaptor signature and claims her funds

Both transactions look like ordinary single-signature spends. No observer can tell that an atomic swap occurred, and the two transactions on different chains cannot be linked through on-chain data.

Point Time-Locked Contracts (PTLCs)

PTLCs are the adaptor signature equivalent of HTLCs for Lightning Network payment routing. Where HTLCs use the same hash across every hop (allowing observers to correlate payment paths), PTLCs use adaptor signatures with different adaptor points at each hop.

Each forwarding node receives an adaptor signature that it can only complete by learning the secret from the next hop. The secrets at each hop are related by known offsets, so the mechanism still works end-to-end, but no two hops share the same cryptographic value. This breaks the correlation that makes HTLC-based routing vulnerable to probing and surveillance. For a deeper look at this evolution, see the research article on PTLCs.

Discreet Log Contracts

Discreet log contracts (DLCs) use adaptor signatures to create oracle-based financial contracts. An oracle publishes a commitment to a future attestation point. The contract parties construct adaptor signatures for each possible outcome, locked to the corresponding oracle attestation. When the oracle publishes its attestation, the winning party can complete the relevant adaptor signature and claim funds. The oracle never learns that a contract depends on its attestation, and the contract is invisible on-chain. For a detailed explanation, see the DLC research article.

Multi-Hop Locks

Payment channel networks can use scriptless scripts to build multi-hop payment locks that are more private than hash-based locks. Each hop uses a different adaptor point, preventing intermediate nodes from determining whether they are forwarding the same payment. This is a foundational improvement for onion-routed payment networks.

Privacy and Efficiency Benefits

Scriptless scripts provide two major advantages over traditional script-based contracts:

Privacy

A transaction using scriptless scripts is indistinguishable from an ordinary P2TR (Pay-to-Taproot) spend on-chain. No script, hash, or contract logic is revealed. This provides several privacy properties:

• Contract terms are known only to the parties involved, not to the network
• Transactions cannot be classified by contract type (swap, DLC, PTLC) through blockchain analysis
• Multiple transactions involved in a contract cannot be linked to each other on-chain
• The existence of a contract is deniable: both parties can claim the transaction was an ordinary payment

This is a significant improvement over HTLC-based protocols, where the hash preimage on-chain creates an explicit fingerprint that chain analysis firms can use to identify and track contract activity.

Efficiency

Because no script data is stored on-chain, scriptless script transactions consume less block space than their script-based equivalents. A scriptless atomic swap produces two transactions that each contain only a public key and a signature: the same size as any other Taproot key-path spend. In contrast, an HTLC-based swap requires larger witness data containing the hash preimage and script.

Reduced transaction size means lower fees for the parties involved and less burden on the overall network.

Relationship to Taproot and Schnorr

Scriptless scripts depend on the linearity property of Schnorr signatures, which allows signature components to be added and subtracted algebraically. Bitcoin's previous signature scheme, ECDSA, does not have this linearity, making adaptor signatures significantly more complex (though research exists on ECDSA-based adaptor signatures with additional assumptions).

The Taproot upgrade (BIP-341) combined with Schnorr signatures (BIP-340) made scriptless scripts practical on Bitcoin. Taproot's key-path spending means that when all parties cooperate, a transaction reveals nothing but a single public key and signature, regardless of the contract complexity hidden behind it. This is the ideal environment for scriptless scripts. For a broader view of what Taproot and Schnorr enable, see the Taproot and Schnorr research article.

Multi-party scriptless scripts also benefit from protocols like MuSig2 (BIP-327), which enables efficient multi-party Schnorr signing. Combined with adaptor signatures, MuSig2 allows groups of participants to collaboratively construct scriptless script contracts.

Risks and Considerations

Interactive Protocols

Scriptless scripts require multiple rounds of communication between parties to construct the adaptor signatures. Unlike script-based contracts where conditions are encoded on-chain and can be evaluated independently, scriptless script participants must be online and exchange messages during setup. This interactivity can be a challenge for applications that need asynchronous operation.

Limited to Schnorr-Compatible Chains

Cross-chain scriptless atomic swaps require both chains to support Schnorr-compatible signature schemes. Chains using only ECDSA or other non-linear signature algorithms cannot directly participate, although research into ECDSA-based adaptor signatures partially addresses this limitation.

Implementation Complexity

While scriptless scripts simplify on-chain data, they shift complexity to the off-chain protocol layer. Implementations must carefully manage nonce generation, adaptor signature verification, and secret extraction. Nonce reuse, in particular, can be catastrophic: it can leak private keys. Developers building on these primitives need a strong understanding of the underlying elliptic curve cryptography.

Adoption Status

Despite Taproot being active since November 2021, widespread adoption of scriptless scripts in production systems is still in progress. PTLCs are not yet implemented in major Lightning Network clients, and scriptless atomic swap tooling remains relatively experimental compared to HTLC-based alternatives. The cryptographic foundations are well-established, but engineering production-grade implementations takes time.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.