From: Anthony Towns <aj@erisian•com.au>
To: Rusty Russell <bitcoin-dev@rustcorp•com.au>
Cc: bitcoindev@googlegroups.com, Julian Moik <julianmoik@gmail•com>
Subject: Re: [bitcoindev] [4/4] New Opcodes for Tapscript v2
Date: Mon, 6 Oct 2025 21:29:41 +1000
Message-ID: <aOOoJfCFH85AUYtp@erisian.com.au>
In-Reply-To: <87tt0om8uz.fsf@rustcorp.com.au>

On Sat, Sep 27, 2025 at 08:59:40PM +0930, Rusty Russell wrote:
> ;OP_SEGMENT
> : This opcode remains an NOP. But it makes script parts ''composable'':
>
> ;OP_BYTEREV
> : This is the minimum requirement for constructing ordered Merkle trees as specified in Taproot.
>
> ;OP_ECPOINTADD
> : Also required for constructing Taproot spends. The varops cost is the same as a CHECKSIG operation.
>
> ;OP_INTERNALKEY
> Bitcoin script was developed long before Taproot: OP_ECPOINTADD and OP_BYTEREV are the minimal missing opcodes required for creating Taproot trees in script.

If you're trying to construct a taproot address, the formula is roughly:

    T = IPK + H(IPK, ScriptRoot) * G

The above arguably give you enough capacity to calculate most of that
formula, but I don't see anything that gives the "* G" part.

> - I don't see an immediate reason for OP_ECPOINTMUL, for example, but it would not be possible in script today (due to varops limits).

Calculating T according to the above, rather than verifying the equation
is true after being given all the values, means that you can't combine
a bunch of similar calculations (including schnorr signature checks)
into a batch validation, gaining some performance benefit.

It may make more sense to have an ECPOINT_MULADD function, that verifies:

    a*B + c*D = 0 (point at infinity)

where a,c are scalars and B,D are points, and OP_MULTI modifies that
to a1*B1 + a2*B2 + .. + aN*BN = 0, where ai are scalars and Bi are
points. Note that expressing "negative" values is probably desirable,
particularly -G; eg the BIP340 signature equation becomes:

    s*(-G) + 1*R + H(..)*P = 0

in that model. The Taproot address check is:

    (+/-)1*T = 1*IPK + H(..)*G = 0

where the sign for T is taken from the control block.

FWIW, bll does this with the `secp256k1_muladd` opcode, and example code
for verifying a taproot script against a scriptPubKey is at
https://github.com/ajtowns/bllsh/blob/master/examples/test-taproot

Cheers,
aj
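
Added example (not part of the original message, and not code from bll or the BIPs): a Python sketch of the multi-term check a1*B1 + .. + aN*BN = 0 described in the message, applied to the Taproot output-key check with the sign of T taken from the control-block parity bit. It assumes the Taproot check is read as (+/-1)*T + 1*IPK + H(..)*G = 0; the function names, the scalar 0x1234 and the script root are constructed for illustration.

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime; N is the group order, G the generator
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P)
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add; not constant time, for illustration only
    acc, k = None, k % N
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def even_y(pt):  # the point or its negation, whichever has even y
    return pt if pt[1] % 2 == 0 else (pt[0], P - pt[1])

def muladd_is_zero(terms):  # True iff a1*B1 + ... + aN*BN is infinity
    acc = None
    for a, B in terms:
        acc = add(acc, mul(a, B))
    return acc is None

def tap_tweak(ipk, root):  # BIP341 tagged hash H(IPK, ScriptRoot) as an integer
    tag = hashlib.sha256(b"TapTweak").digest()
    return int.from_bytes(hashlib.sha256(tag + tag + ipk[0].to_bytes(32, "big") + root).digest(), "big")

def taproot_ok(T, parity, ipk, root):  # (+/-1)*T + 1*IPK + H(..)*G == 0
    sign = 1 if parity else N - 1  # T is even-y; parity bit from control block
    return muladd_is_zero([(sign, T), (1, ipk), (tap_tweak(ipk, root), G)])

def demo():  # constructed key and script root, not real chain data
    ipk = even_y(mul(0x1234, G))
    root = hashlib.sha256(b"constructed script root").digest()
    Q = add(ipk, mul(tap_tweak(ipk, root), G))  # output key, computed directly
    T, parity = even_y(Q), Q[1] & 1
    return taproot_ok(T, parity, ipk, root), taproot_ok(T, parity ^ 1, ipk, root)
```

demo() returns (True, False): the check passes with the correct parity bit and fails when the bit is flipped. BIP341 additionally rejects a tweak that is not below the group order, which this sketch does not check.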