From: jeremy
To: Bitcoin Development Mailing List
Date: Sat, 23 Aug 2025 11:24:35 -0700 (PDT)
Subject: [bitcoindev] Re: [BIP Proposal] OP_TWEAKADD

realized that I accidentally didn't post a few notable examples. I've left these out of the BIP largely, but could include more examples as desired:


Tweak Reveal Scripts:
OP_TWEAKADD composes, for example, with OP_CSFS and OP_IKEY which have been proposed separately in BIP-348, BIP-349.
```
witness: <sig> <msg> <tweak>
program: OP_SHA256^1 OP_IKEY OP_TWEAKADD OP_CSFS
```
or
```
witness: <sig> <tweak>
program: OP_SHA256 OP_IKEY OP_TWEAKADD OP_CHECKSIG
```



Proof-of-Signing-Order & Transaction "refinement":

A signs strictly after B, with B's signature fully committed.

```
witness: <sig A> <sig B>
program: DUP TOALT <B> CHECKSIGVERIFY FROMALT SHA256 <A> OP_TWEAKADD OP_CHECKSIG
```

A is bound to B's signature, so B fixes whatever details for A.

N.B. B may use any sighash combination mode, so A refines B's signature.


Delegation:

Key A signs tweaked by key B, key B signs whatever.

Key A can use a very limited (e.g. SIGHASH_NONE) sighash mode.

```
witness: <sig A> <sig B> <B>
program: DUP TOALT CHECKSIGVERIFY FROMALT SHA256 <A> OP_TWEAKADD OP_CHECKSIG
```

Target Tweak:

proves that <t> is known such that `tG + k1G = k2G`

```
witness: <t>
program: <k1G> OP_TWEAKADD <k2G> OP_EQUAL
```

```
witness: <t>
program: SHA256 <k1G> OP_TWEAKADD <k2G> OP_EQUAL
```
Can be used, if k2G is a Taproot output, to "force" disclosure/presence of a TapTweak



Key Reveal:

Use Target Tweak to "program" a key reveal contract.

Proves knowledge of discrete log of T = tG.

Take T and compute T+G = (t+1)G.

```
witness: <t>
program: <G> OP_TWEAKADD <T+G>
```

[^1] OP_SHA256 in these examples prevents key-cancellation.


On Saturday, August 23, 2025 at 1:36:44 PM UTC-4 jeremy wrote:

> Hi all,
>
> I've made a draft BIP writeup of an (often discussed) simple opcode, OP_TWEAKADD, deployable as an OP_SUCCESSx upgrade.
>
> https://github.com/bitcoin/bips/pull/1944
>
> This opcode is relatively simple. The main design choices are:
>
> 1) Verify vs. Push semantics -- Push, for succinctness on-chain
> 2) Argument order -- Key on top, for tweak in witness
> 3) Plain tweak or something else -- Plain tweak, if hashing is desirable the user can do it. The most flexible is to do a plain tweak. Future work could add TapTree opcodes to construct taproot tweaks.
>
> Feedback and discussion are welcome.
>
> Best,
>
> Jeremy
>
> [^1] OP_SHA256 in these examples prevents key-cancellation.
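
The Target Tweak and Key Reveal relations from the message above (`tG + k1G = k2G` and `T+G = (t+1)G`), worked through in Python as an added example; it is not code from the BIP or from the author. It assumes textbook secp256k1 arithmetic on full (x, y) points and does not model the opcode's byte encodings or failure rules; all function names are illustrative.

```python
import hashlib

# Textbook secp256k1 parameters; points are full (x, y) pairs, None = infinity.
# Assumption: the opcode's own key/tweak byte encodings are not modelled here.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition on y^2 = x^3 + 7."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # a + (-a) = infinity
    num, den = (3 * x1 * x1, 2 * y1) if a == b else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt=G):
    """Double-and-add k*pt (illustration only, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def tweak_add(key, t):
    """Model of the tweak step: key + t*G (the range check is an assumption)."""
    if not 0 <= t < N:
        raise ValueError("tweak out of range")
    return add(key, mul(t))

def sha_scalar(t):
    """SHA256 of the 32-byte big-endian tweak, read back as an integer."""
    return int.from_bytes(hashlib.sha256(t.to_bytes(32, "big")).digest(), "big")

def target_tweak(t, k1G, k2G, hashed=False):
    """witness <t>; program [SHA256] <k1G> OP_TWEAKADD <k2G> OP_EQUAL."""
    return tweak_add(k1G, sha_scalar(t) if hashed else t) == k2G

def key_reveal(t, T_plus_G):
    """Target Tweak with k1G = G: passes only when tG + G equals T + G."""
    return target_tweak(t, G, T_plus_G)

if __name__ == "__main__":
    k1, t = 0x1234, 0x5678               # constructed sample scalars
    print(target_tweak(t, mul(k1), mul(k1 + t)), key_reveal(t, add(mul(t), G)))
```

In the hashed variant the committed point has to be built from `SHA256(t)`, so a `k2G` computed from the plain `t` no longer satisfies the check.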
