Date: Mon, 1 Sep 2025 15:43:33 -0700 (PDT)
From: jeremy
To: Bitcoin Development Mailing List
Message-Id: <1c2539ba-d937-4a0f-b50a-5b16809322a8n@googlegroups.com>
Subject: [bitcoindev] Re: [BIP Proposal] Elliptic Curve Operations for Bitcoin Script

Noteworthy:

<zidx> PICK <G> OP_EC_POINT_MUL <yIDX> PICK <xidx> PICK <G> OP_EC_POINT_MUL OP_EC_POINT_MUL OP_EQUALVERIFY gives the ability to do "naked" field multiplication, in addition to the intended EC_MUL.

Same with addition, and divide by a constant (AFAIU, via mul by inv), and any other prime field arithmetic tricks...

Therefore it may make sense to add to this proposal the raw field arithmetic opcodes (and perhaps u256 arith generally), as they are there somewhat implicitly otherwise.

As a distillable engineering principle/aphorism: what you enable, that might be used commonly, should be enabled efficiently.

Cheers,

Jeremy
On Monday, August 25, 2025 at 10:13:35 PM UTC-4 jeremy wrote:
Interesting proposal and a great contrast of options v.s. OP_TWEAKADD. I have a few notes which might strengthen this proposal:


I would suggest adding an operation OP_EC_LIFT_X_EVEN which "undos" OP_EC_POINT_X_COORD (not perfectly because of parity). This is helpful if OP_IKEY is used.

I would also suggest adding OP_EC_GENERATOR which pushes G onto the stack, rather than taking a 0 to mean G. This is more composable, as presently you have:

<x: [u8;32]> <y: Either<0, [u8;33]>> OP_EC_POINT_MUL -> Either<0, [u8;33]>

therefore scripts like:

<blah> SHA256 <[0; 32]> <0> OP_EC_POINT_MUL OP_EC_POINT_MUL

will return: h(blah) G

rather than more straightforwardly carrying the point at infinity onwards.

If you instead had OP_G:

<blah> SHA256 <[0; 32]> OP_EC_GENERATOR OP_EC_POINT_MUL OP_EC_POINT_MUL

will return: point at infinity

then you'd get more correct multiplication chaining.

This lets you implement OP_TWEAKADD as:


<H> OP_EC_GENERATOR OP_EC_POINT_MUL OP_INTERNALKEY OP_EC_LIFT_X_EVEN OP_EC_POINT_ADD
v.s.
<H> OP_IKEY OP_TWEAKADD


Note: The BIP incorrectly gives:

<tweak> <empty_vector> OP_EC_POINT_MUL  # tweak*G (33-byte)
<internal_key> OP_EC_POINT_ADD          # P + tweak*G (33-byte)
OP_EC_POINT_X_COORD                     # Extract x-coordinate (32-byte)

the internal key, as specified, must be lifted first before adding.



On Sunday, August 24, 2025 at 8:52:36 PM UTC-4 Olaoluwa Osuntokun wrote:
Hi y'all,

I've just published a draft of a BIP to add Elliptic Curve operation op codes
as a soft fork utilizing the existing Taproot infrastructure and current tap
leaf version.

My primary motivation is enabling the commutation of the top level Taproot
output public key within Bitcoin Script. Alongside introspection enabling op
codes, this enables the creation of a new flavor of on-chain state machine
within Bitcoin Script. The set of op codes is also generic enough to enable
several other use cases related to (optimized DLCs, partial musig2 signature
verification, EC based sigma protocols, etc).

A total of 4 op codes are proposed (each allocated from the existing
OP_SUCCESS) range:
  * `OP_EC_POINT_ADD`
  * `OP_EC_POINT_MUL`
  * `OP_EC_POINT_NEGATE`
  * `OP_EC_POINT_X_COORD`

The full BIP text can be found here:
  * https://github.com/bitcoin/bips/pull/1945

A reference implementation in `btcd` can be found here:
  * https://github.com/btcsuite/btcd/pull/2413

--Laolu
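
An added example, not part of the original email or of the BIP's reference implementation: a pure-Python secp256k1 model of the two behaviours discussed in this message, the `0`-means-`G` chaining result and the product check that the PICK / `OP_EC_POINT_MUL` script performs (it constrains z to x*y modulo the group order). The function names, the encoding of the point at infinity as `0`, and the sample input are assumptions made for illustration.

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 base-field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over F_P."""
    if a is INF: return b
    if b is INF: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def op_mul_zero_is_g(k, pt):
    # Assumed reading of the draft: operand 0 means G, result 0 means infinity.
    res = mul(k, G if pt == 0 else pt)
    return 0 if res is INF else res

def op_mul_explicit_g(k, pt):
    # Suggested variant: G is pushed explicitly, so 0 only ever means infinity.
    res = mul(k, INF if pt == 0 else pt)
    return 0 if res is INF else res

def chain(h, op, g_operand):
    """<h> <[0;32]> <g_operand> MUL MUL, the chained script from the email."""
    return op(h, op(0, g_operand))

def product_check(x, y, z, op=op_mul_explicit_g):
    """z*G == y*(x*G): passes exactly when z == x*y mod N (the group order)."""
    return op(z, G) == op(y, op(x, G))

H = int.from_bytes(hashlib.sha256(b"blah").digest(), "big")  # constructed input
```

`chain(H, op_mul_zero_is_g, 0)` yields `H*G`, while `chain(H, op_mul_explicit_g, G)` stays at infinity; `product_check(N - 1, 2, N - 2)` passes because the comparison only sees scalars modulo `N`.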
