Interesting proposal and a great contrast of options v.s. OP_TWEAKADD. I have a few notes which might strengthen this proposal:
I would suggest adding an operation OP_EC_LIFT_X_EVEN which "undos" OP_EC_POINT_X_COORD (not perfectly because of parity). This is helpful if OP_IKEY is used.
I would also suggest adding OP_EC_GENERATOR which pushes G onto the stack, rather than taking a 0 to mean G. This is more composable, as presently you have:
<x: [u8;32]> <y : Either<0, [u8;33]> OP_EC_POINT_MUL -> Either<0, [u8;33]>
therefore scripts like:
<blah> SHA256 <[0; 32]> <0> OP_EC_POINT_MUL OP_EC_POINT_MUL
will return: h(blah) G
rather than more straightforwardly carrying the point at infinity onwards.
If you instead had OP_G:
<blah> SHA256 <[0; 32]> OP_EC_GENERATOR OP_EC_POINT_MUL OP_EC_POINT_MUL
will return: point at infinity
then you'd get more correct multiplication chaining.
This lets you implement OP_TWEAKADD as:
<H> OP_EC_GENERATOR OP_EC_POINT_MUL OP_INTERNALKEY OP_EC_LIFT_X_EVEN OP_EC_POINT_ADDv.s.
<H> OP_IKEY OP_TWEAKADD
Note: The BIP incorrectly gives:
<tweak> <empty_vector> OP_EC_POINT_MUL # tweak*G (33-byte)
<internal_key> OP_EC_POINT_ADD # P + tweak*G (33-byte)
OP_EC_POINT_X_COORD # Extract x-coordinate (32-byte)
the internal key, as specified, must be lifted first before adding.
On Sunday, August 24, 2025 at 8:52:36 PM UTC-4 Olaoluwa Osuntokun wrote:
Hi y'all,
I've just published a draft of a BIP to add Elliptic Curve operation op codes
as a soft fork utilizing the existing Taproot infrastructure and current tap
leaf version.
My primary motivation is enabling the commutation of the top level Taproot
output public key within Bitcoin Script. Alongside introspection enabling op
codes, this enables the creation of a new flavor of on-chain state machine
within Bitcoin Script. The set of op codes is also generic enough to enable
several other use cases related to (optimized DLCs, partial musig2 signature
verification, EC based sigma protocols, etc).
A total of 4 op codes are proposed (each allocated from the existing
OP_SUCCESS) range:
* `OP_EC_POINT_ADD`
* `OP_EC_POINT_MUL`
* `OP_EC_POINT_NEGATE`
* `OP_EC_POINT_X_COORD`
The full BIP text can be found here:
*
https://github.com/bitcoin/bips/pull/1945A reference implementation in `btcd` can be found here:
*
https://github.com/btcsuite/btcd/pull/2413--Laolu
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/f118d974-8fd5-42b8-9105-57e215d8a14an%40googlegroups.com.