Date: Mon, 25 Aug 2025 09:45:44 -0700 (PDT)
From: jeremy <jeremy.l.rubin@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <f118d974-8fd5-42b8-9105-57e215d8a14an@googlegroups.com>
In-Reply-To: <CAO3Pvs-Cwj=5vJgBfDqZGtvmoYPMrpKYFAYHRb_EqJ5i0PG0cA@mail.gmail.com>
References: <CAO3Pvs-Cwj=5vJgBfDqZGtvmoYPMrpKYFAYHRb_EqJ5i0PG0cA@mail.gmail.com>
Subject: [bitcoindev] Re: [BIP Proposal] Elliptic Curve Operations for Bitcoin Script

Interesting proposal and a great contrast of options vs. OP_TWEAKADD. I
have a few notes which might strengthen this proposal:


I would suggest adding an operation *OP_EC_LIFT_X_EVEN* which "undoes"
OP_EC_POINT_X_COORD (not perfectly because of parity). This is helpful if
OP_IKEY is used.

I would also suggest adding *OP_EC_GENERATOR* which pushes G onto the
stack, rather than taking a 0 to mean G. This is more composable, as
presently you have:


<x: [u8;32]> <y: Either<0, [u8;33]>> OP_EC_POINT_MUL -> Either<0, [u8;33]>

therefore scripts like:

<blah> SHA256 <[0; 32]> <0> OP_EC_POINT_MUL OP_EC_POINT_MUL

will return: h(blah) G

rather than more straightforwardly carrying the point at infinity onwards.

If you instead had OP_G:

<blah> SHA256 <[0; 32]> OP_EC_GENERATOR OP_EC_POINT_MUL OP_EC_POINT_MUL

will return: point at infinity

then you'd get more correct multiplication chaining.


This lets you implement OP_TWEAKADD as:


<H> OP_EC_GENERATOR OP_EC_POINT_MUL OP_INTERNALKEY OP_EC_LIFT_X_EVEN OP_EC_POINT_ADD
vs.
<H> OP_IKEY OP_TWEAKADD



Note: The BIP incorrectly gives:

<tweak> <empty_vector> OP_EC_POINT_MUL  # tweak*G (33-byte)
<internal_key> OP_EC_POINT_ADD           # P + tweak*G (33-byte)
OP_EC_POINT_X_COORD                      # Extract x-coordinate (32-byte)

the internal key, as specified, must be lifted first before adding.



On Sunday, August 24, 2025 at 8:52:36 PM UTC-4 Olaoluwa Osuntokun wrote:

> Hi y'all,
>
> I've just published a draft of a BIP to add Elliptic Curve operation op codes
> as a soft fork utilizing the existing Taproot infrastructure and current tap
> leaf version.
>
> My primary motivation is enabling the commutation of the top level Taproot
> output public key within Bitcoin Script. Alongside introspection enabling op
> codes, this enables the creation of a new flavor of on-chain state machine
> within Bitcoin Script. The set of op codes is also generic enough to enable
> several other use cases related to (optimized DLCs, partial musig2 signature
> verification, EC based sigma protocols, etc).
>
> A total of 4 op codes are proposed (each allocated from the existing
> OP_SUCCESS) range:
>   * `OP_EC_POINT_ADD`
>   * `OP_EC_POINT_MUL`
>   * `OP_EC_POINT_NEGATE`
>   * `OP_EC_POINT_X_COORD`
>
> The full BIP text can be found here:
>   * https://github.com/bitcoin/bips/pull/1945
>
> A reference implementation in `btcd` can be found here:
>   * https://github.com/btcsuite/btcd/pull/2413
>
> --Laolu
>
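
Added example (not part of the original message, and not code from the BIP or btcd): a toy Python model of the two points raised in the reply, namely how chained multiplication behaves when an empty operand means G versus an explicit generator push, and why the x-only internal key has to be lifted before it is added. The even-y semantics of OP_EC_LIFT_X_EVEN and the reading of an empty operand as infinity in the explicit-generator variant are assumptions; all function names are hypothetical.

```python
# Toy affine secp256k1 model (not constant time); b"" is the empty stack element.
import hashlib

P = 2**256 - 2**32 - 977  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def add(a, b):
    if a is INF or b is INF:
        return b if a is INF else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # a point plus its negation
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b
           else (y2 - y1) * pow((x2 - x1) % P, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    acc, k = INF, k % N
    while k:  # double-and-add
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift_x_even(x):  # models the suggested OP_EC_LIFT_X_EVEN (semantics assumed)
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)  # square root, valid because P % 4 == 3
    if y * y % P != y_sq:
        raise ValueError("x is not the x-coordinate of a curve point")
    return (x, y if y % 2 == 0 else P - y)

def op_mul(k, pt, empty_means_g):
    """OP_EC_POINT_MUL model; infinity comes back as the empty element."""
    res = mul(k, pt if pt != b"" else (G if empty_means_g else INF))
    return b"" if res is INF else res

def chain(data, empty_means_g):
    """<data> SHA256 <[0; 32]> <generator> OP_EC_POINT_MUL OP_EC_POINT_MUL"""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    g_operand = b"" if empty_means_g else G  # <0> versus OP_EC_GENERATOR
    return op_mul(h, op_mul(0, g_operand, empty_means_g), empty_means_g)

def tweak_add(h, xonly_key):
    """<H> OP_EC_GENERATOR OP_EC_POINT_MUL OP_INTERNALKEY OP_EC_LIFT_X_EVEN OP_EC_POINT_ADD"""
    return add(mul(h, G), lift_x_even(xonly_key))
```

With `empty_means_g=True` the chain yields h(data)*G because the infinity produced by the first multiplication is re-read as G; with `False` it stays at infinity.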
