public inbox for bitcoindev@googlegroups.com
From: jeremy <jeremy.l.rubin@gmail•com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: [bitcoindev] Re: [BIP Proposal] Elliptic Curve Operations for Bitcoin Script
Date: Mon, 25 Aug 2025 09:45:44 -0700 (PDT)
Message-ID: <f118d974-8fd5-42b8-9105-57e215d8a14an@googlegroups.com>
In-Reply-To: <CAO3Pvs-Cwj=5vJgBfDqZGtvmoYPMrpKYFAYHRb_EqJ5i0PG0cA@mail.gmail.com>



Interesting proposal and a great contrast of options vs. OP_TWEAKADD. I 
have a few notes which might strengthen this proposal:


I would suggest adding an operation *OP_EC_LIFT_X_EVEN* which "undoes" 
OP_EC_POINT_X_COORD (not perfectly because of parity). This is helpful if 
OP_IKEY is used.

I would also suggest adding *OP_EC_GENERATOR* which pushes G onto the 
stack, rather than taking a 0 to mean G. This is more composable, as 
presently you have:


<x: [u8;32]> <y: Either<0, [u8;33]>> OP_EC_POINT_MUL -> Either<0, [u8;33]>

therefore scripts like:

<blah> SHA256 <[0; 32]> <0> OP_EC_POINT_MUL OP_EC_POINT_MUL

will return: h(blah) G

rather than more straightforwardly carrying the point at infinity onwards.

If you instead had OP_G:

<blah> SHA256 <[0; 32]> OP_EC_GENERATOR OP_EC_POINT_MUL OP_EC_POINT_MUL

will return: point at infinity

then you'd get more correct multiplication chaining.


This lets you implement OP_TWEAKADD as:


<H> OP_EC_GENERATOR OP_EC_POINT_MUL OP_INTERNALKEY OP_EC_LIFT_X_EVEN OP_EC_POINT_ADD
vs.
<H> OP_IKEY OP_TWEAKADD



Note: The BIP incorrectly gives:

<tweak> <empty_vector> OP_EC_POINT_MUL  # tweak*G (33-byte)
<internal_key> OP_EC_POINT_ADD           # P + tweak*G (33-byte)
OP_EC_POINT_X_COORD                      # Extract x-coordinate (32-byte)

The internal key, as specified, must be lifted first before adding.



On Sunday, August 24, 2025 at 8:52:36 PM UTC-4 Olaoluwa Osuntokun wrote:

> Hi y'all,
>
> I've just published a draft of a BIP to add Elliptic Curve operation op
> codes as a soft fork utilizing the existing Taproot infrastructure and
> current tap leaf version.
>
> My primary motivation is enabling the commutation of the top level Taproot
> output public key within Bitcoin Script. Alongside introspection enabling
> op codes, this enables the creation of a new flavor of on-chain state
> machine within Bitcoin Script. The set of op codes is also generic enough
> to enable several other use cases related to (optimized DLCs, partial
> musig2 signature verification, EC based sigma protocols, etc).
>
> A total of 4 op codes are proposed (each allocated from the existing
> OP_SUCCESS) range:
>   * `OP_EC_POINT_ADD`
>   * `OP_EC_POINT_MUL`
>   * `OP_EC_POINT_NEGATE`
>   * `OP_EC_POINT_X_COORD`
>
> The full BIP text can be found here: 
>  * https://github.com/bitcoin/bips/pull/1945
>
> A reference implementation in `btcd` can be found here:
>   * https://github.com/btcsuite/btcd/pull/2413
>
> --Laolu
>
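
The two points raised in the reply above (the x-only internal key has to be lifted to a full point before OP_EC_POINT_ADD, and a pushed G lets the point at infinity survive a MUL chain), as an added Python example that is not part of the original message, the BIP, or btcd. The helper names (lift_x_even, tweak_add, op_mul, chain) are hypothetical, infinity is modeled as None, and lift_x_even is assumed to behave like BIP340's lift_x.

```python
# Added illustration (not from the BIP, btcd, or the email). Plain-Python secp256k1.
P = 2**256 - 2**32 - 977                       # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None                                     # point at infinity (assumed model)

def add(a, b):
    if a is INF: return b
    if b is INF: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return INF                             # A + (-A)
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    acc, k = INF, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift_x_even(x):
    """BIP340-style lift_x: the even-y point for a 32-byte x-only key."""
    c = (pow(x, 3, P) + 7) % P
    y = pow(c, (P + 1) // 4, P)
    if x >= P or y * y % P != c:
        raise ValueError("x is not the x-coordinate of a curve point")
    return (x, y if y % 2 == 0 else P - y)

def tweak_add(xonly_key, tweak):
    """X of tweak*G + lift_x_even(key): the lift happens before the add."""
    q = add(mul(tweak, G), lift_x_even(xonly_key))
    if q is INF:
        raise ValueError("tweaked key is the point at infinity")
    return q[0]

def op_mul(k, pt, zero_is_g):
    """Models only the operand convention: does a 0 point operand mean G?"""
    return mul(k, G if (pt is INF and zero_is_g) else pt)

def chain(h, zero_is_g):
    """<h> <0 scalar> <G> MUL MUL, with G given as 0 or pushed explicitly."""
    inner = op_mul(0, INF if zero_is_g else G, zero_is_g)   # 0*G = infinity
    return op_mul(h, inner, zero_is_g)
```

With zero_is_g=True the chain yields h*G, and with an explicit generator it stays at infinity. For a key whose full point has odd y, lift_x_even returns the negated point, which is the parity caveat mentioned for OP_EC_LIFT_X_EVEN.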
