From: jeremy
To: Bitcoin Development Mailing List
Date: Mon, 25 Aug 2025 09:45:44 -0700 (PDT)
Subject: [bitcoindev] Re: [BIP Proposal] Elliptic Curve Operations for Bitcoin Script

Interesting proposal and a great contrast of options v.s. OP_TWEAKADD.
I have a few notes which might strengthen this proposal:

I would suggest adding an operation OP_EC_LIFT_X_EVEN which "undos" OP_EC_POINT_X_COORD (not perfectly because of parity). This is helpful if OP_IKEY is used.

I would also suggest adding OP_EC_GENERATOR which pushes G onto the stack, rather than taking a 0 to mean G. This is more composable, as presently you have:

<x: [u8;32]> <y : Either<0, [u8;33]> OP_EC_POINT_MUL -> Either<0, [u8;33]>

therefore scripts like:

<blah> SHA256 <[0; 32]> <0> OP_EC_POINT_MUL OP_EC_POINT_MUL

will return: h(blah) G

rather than more straightforwardly carrying the point at infinity onwards.

If you instead had OP_G:

<blah> SHA256 <[0; 32]> OP_EC_GENERATOR OP_EC_POINT_MUL OP_EC_POINT_MUL

will return: point at infinity

then you'd get more correct multiplication chaining.

This lets you implement OP_TWEAKADD as:

<H> OP_EC_GENERATOR OP_EC_POINT_MUL OP_INTERNALKEY OP_EC_LIFT_X_EVEN OP_EC_POINT_ADD
v.s.
<H> OP_IKEY OP_TWEAKADD

Note: The BIP incorrectly gives:

<tweak> <empty_vector> OP_EC_POINT_MUL  # tweak*G (33-byte)
<internal_key> OP_EC_POINT_ADD          # P + tweak*G (33-byte)
OP_EC_POINT_X_COORD                     # Extract x-coordinate (32-byte)

the internal key, as specified, must be lifted first before adding.



On Sunday, August 24, 2025 at 8:52:36 PM UTC-4 Olaoluwa Osuntokun wrote:

> Hi y'all,
>
> I've just published a draft of a BIP to add Elliptic Curve operation op codes
> as a soft fork utilizing the existing Taproot infrastructure and current tap
> leaf version.
>
> My primary motivation is enabling the commutation of the top level Taproot
> output public key within Bitcoin Script. Alongside introspection enabling op
> codes, this enables the creation of a new flavor of on-chain state machine
> within Bitcoin Script. The set of op codes is also generic enough to enable
> several other use cases related to (optimized DLCs, partial musig2 signature
> verification, EC based sigma protocols, etc).
>
> A total of 4 op codes are proposed (each allocated from the existing
> OP_SUCCESS) range:
>   * `OP_EC_POINT_ADD`
>   * `OP_EC_POINT_MUL`
>   * `OP_EC_POINT_NEGATE`
>   * `OP_EC_POINT_X_COORD`
>
> The full BIP text can be found here:
>  * https://github.com/bitcoin/bips/pull/1945
>
> A reference implementation in `btcd` can be found here:
>   * https://github.com/btcsuite/btcd/pull/2413
>
> --Laolu

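The two script fragments from the reply above, worked through in plain Python secp256k1 arithmetic. This is an added sketch, not code from the email, the BIP or the btcd reference implementation. It assumes the reply's reading of OP_EC_POINT_MUL (a 0 point operand means G, and the point at infinity comes back as 0); OP_EC_GENERATOR and OP_EC_LIFT_X_EVEN are the opcodes the reply suggests, and all function names are hypothetical.

```python
import hashlib

# secp256k1 field prime, group order and generator
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None   # point at infinity as a distinct value
ZERO = b""   # the "0" stack item of the Either<0, [u8;33]> operand

def add(a, b):
    if a is INF: return b
    if b is INF: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return INF
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    acc, k = INF, k % N
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift_x_even(x):
    # Hypothetical OP_EC_LIFT_X_EVEN: the even-y point with this x, or fail
    y = pow((pow(x, 3, P) + 7) % P, (P + 1) // 4, P)
    if (y * y - pow(x, 3, P) - 7) % P: raise ValueError("x not on curve")
    return (x, y if y % 2 == 0 else P - y)

def op_mul_zero_is_g(scalar, point):
    # Model of the reply's reading: input 0 means G, output infinity is 0
    r = mul(scalar, G if point == ZERO else point)
    return ZERO if r is INF else r

def chain_zero_is_g(h):
    # <blah> SHA256 <[0; 32]> <0> OP_EC_POINT_MUL OP_EC_POINT_MUL
    return op_mul_zero_is_g(h, op_mul_zero_is_g(0, ZERO))

def chain_generator(h):
    # <blah> SHA256 <[0; 32]> OP_EC_GENERATOR OP_EC_POINT_MUL OP_EC_POINT_MUL
    return mul(h, mul(0, G))

def tweak_add(h, internal_key_x):
    # <H> OP_EC_GENERATOR OP_EC_POINT_MUL OP_INTERNALKEY OP_EC_LIFT_X_EVEN OP_EC_POINT_ADD
    return add(mul(h, G), lift_x_even(internal_key_x))

h = int.from_bytes(hashlib.sha256(b"blah").digest(), "big")  # constructed input
```

With the overloaded 0, the inner multiplication's infinity result is re-read as G by the outer one, so the chain yields h(blah)·G; with an explicit generator push it stays at infinity.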