Abstract
This document specifies a set of Elliptic Curve opcodes for secp256k1. These opcodes let Bitcoin Script carry out the individual Elliptic Curve operations that are used in routine signature generation and validation. Combined with opcodes such as OP_CAT, this suite enables a higher degree of expressivity via composition: a Bitcoin Script program can recompute a Tapscript output public key from an internal key and a tweak, which in turn enables the creation of on-chain state machines.
Copyright
This document is licensed under the 3-clause BSD license.
Motivation
Taproot was introduced via BIP 341. One of Taproot's major improvements was the introduction of the Tapscript tree, which enabled a greater degree of privacy and expressivity by creating an execution mode that allows developers to commit to N scripts within a Taproot output public key. A spending witness can then either take the key path, revealing only a signature for the output key, or take a script path, revealing one of the leaves together with the internal key and that leaf's authentication path. However, this functionality is limited: in Bitcoin Script today, a program can neither dynamically compute such a tree nor recompute the Taproot output key from its components.
In order to get around this limitation, developers protecting new use cases with OP_CAT created the "Caboose" pattern. As OP_CAT alone cannot reconstruct the Taproot output key, developers instead commit to state in an additional P2WSH output whose witness script is a simple OP_RETURN script carrying the state. This approach has a clear drawback: it requires spending an extra output to funnel instructions into an on-chain covenant state machine. The extra output increases the size of the transaction, uses a pre-Taproot (SegWit v0) output type, and further increases the size of the introspection Script.
With the addition of the OP_EC_POINT_ADD, OP_EC_POINT_MUL, and OP_EC_POINT_X_COORD opcodes (in concert with OP_CAT and the existing hash opcodes), a Bitcoin Script program gains the ability to recompute the top-level Taproot output public key from the internal key and the Tapscript Merkle root, and to use that value in assertions for an on-chain state machine. This creates a natural programming pattern: state is committed to in the left subtree of the Tapscript tree, while the program being executed is committed to in the right subtree. The state is verified via inclusion proofs passed in the witness, and is then executed against the program portion in the right subtree.
Aside from enabling this on-chain state machine paradigm, the addition of routine Elliptic Curve opcodes to Bitcoin Script enables dynamic computation related to Elliptic Curves. Example use cases include: native blinded signature verification, MuSig2 partial signature verification, adapter signature operations, JIT DLC computations, and, generically, a large class of Sigma protocols based on Elliptic Curves.
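The following Python model is added here as an illustration and is not part of this BIP or of any reference implementation. It shows the two computations described above in terms of the three proposed opcodes: recomputing a Taproot output key from an internal key and a Tapscript tree whose left leaf carries state and whose right leaf carries the program (the state-machine pattern), and verifying a BIP340 Schnorr signature as a composition of point multiplication and addition (the signature-verification use case). The semantics assumed for OP_EC_POINT_ADD, OP_EC_POINT_MUL and OP_EC_POINT_X_COORD (affine point addition, scalar multiplication, and extraction of the 32-byte x coordinate) are an assumption of this example, not a specification; the throwaway keys, the OP_RETURN-style state leaf and the OP_TRUE placeholder program are constructed for the demo.

```python
import hashlib

# secp256k1 domain parameters: field prime, group order, generator
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_point_add(p1, p2):
    """Model of OP_EC_POINT_ADD (assumed semantics): affine addition, None = infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p2 == -p1
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_point_mul(k, p):
    """Model of OP_EC_POINT_MUL (assumed semantics): double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = ec_point_add(r, p)
        p = ec_point_add(p, p)
        k >>= 1
    return r

def ec_point_x_coord(p):
    """Model of OP_EC_POINT_X_COORD (assumed semantics): 32-byte big-endian x coordinate."""
    return p[0].to_bytes(32, "big")

def lift_x(xb):
    """BIP340 lift_x: x-only public key -> the curve point with even y."""
    x = int.from_bytes(xb, "big")
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)  # valid square root since P % 4 == 3
    if y * y % P != (x ** 3 + 7) % P:
        raise ValueError("x is not on the curve")
    return (x, y if y % 2 == 0 else P - y)

def tagged_hash(tag, msg):
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + msg).digest()

def tapleaf_hash(script, leaf_version=0xC0):
    assert len(script) < 0xFD  # one-byte CompactSize length suffices for this example
    return tagged_hash("TapLeaf", bytes([leaf_version, len(script)]) + script)

def tapbranch_hash(a, b):
    return tagged_hash("TapBranch", a + b if a < b else b + a)

def taproot_output_key(internal_x, merkle_root):
    """BIP341: Q = P + hash_TapTweak(P || root) * G, returned as an x-only key."""
    t = int.from_bytes(tagged_hash("TapTweak", internal_x + merkle_root), "big")
    if t >= N:
        raise ValueError("tweak out of range")
    return ec_point_x_coord(ec_point_add(lift_x(internal_x), ec_point_mul(t, G)))

def verify_state_commitment(output_x, internal_x, state_leaf_hash, program_script):
    """The assertion a Script program would make: rebuild the root from the witness-supplied
    state leaf (left subtree) and its own script (right subtree), then compare to the output."""
    root = tapbranch_hash(state_leaf_hash, tapleaf_hash(program_script))
    return taproot_output_key(internal_x, root) == output_x

def demo_state_commitment():
    """Constructed demo: the genuine state leaf verifies, a tampered state leaf does not."""
    internal = schnorr_pubkey(12345)                  # throwaway internal key
    state = tapleaf_hash(b"\x6a\x08state:v1")         # OP_RETURN <state> leaf (constructed)
    program = b"\x51"                                  # OP_TRUE stands in for the real program
    q = taproot_output_key(internal, tapbranch_hash(state, tapleaf_hash(program)))
    return (verify_state_commitment(q, internal, state, program),
            verify_state_commitment(q, internal, tapleaf_hash(b"\x6a\x08state:v2"), program))

def schnorr_pubkey(seckey):
    return ec_point_x_coord(ec_point_mul(seckey, G))

def schnorr_sign(seckey, msg, aux=bytes(32)):
    """BIP340 signing, present only so the verifier below has real signatures to check."""
    pk = ec_point_mul(seckey, G)
    d = seckey if pk[1] % 2 == 0 else N - seckey
    t = (d ^ int.from_bytes(tagged_hash("BIP0340/aux", aux), "big")).to_bytes(32, "big")
    k = int.from_bytes(tagged_hash("BIP0340/nonce", t + ec_point_x_coord(pk) + msg), "big") % N
    R = ec_point_mul(k, G)
    k = k if R[1] % 2 == 0 else N - k
    rx, px = ec_point_x_coord(R), ec_point_x_coord(pk)
    e = int.from_bytes(tagged_hash("BIP0340/challenge", rx + px + msg), "big") % N
    return rx + ((k + e * d) % N).to_bytes(32, "big")

def schnorr_verify(pubkey_x, msg, sig):
    """BIP340 verification as point ops: s*G + (n-e)*P must equal R with even y."""
    r_x, s = sig[:32], int.from_bytes(sig[32:], "big")
    if int.from_bytes(r_x, "big") >= P or s >= N:
        return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", r_x + pubkey_x + msg), "big") % N
    R = ec_point_add(ec_point_mul(s, G), ec_point_mul(N - e, lift_x(pubkey_x)))
    return R is not None and R[1] % 2 == 0 and ec_point_x_coord(R) == r_x
```

demo_state_commitment() returns (True, False): the output key recomputed from the witness-supplied state leaf matches, while a leaf carrying different state yields a different tweak and therefore a different output key. A Script program performing the same check would take the state leaf hash from the witness, assemble the TapLeaf, TapBranch and TapTweak preimages with OP_CAT and hash them with OP_SHA256, multiply the resulting tweak by G with OP_EC_POINT_MUL, add the internal key with OP_EC_POINT_ADD, extract the x coordinate with OP_EC_POINT_X_COORD, and compare it against the output key being asserted. schnorr_verify shows that the same three operations suffice for the s*G == R + e*P relation at the heart of Schnorr, MuSig2 partial signature and adapter signature verification.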