BIP449: OP_TWEAKADD#1944
Conversation
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
murchandamus
left a comment
There was a problem hiding this comment.
I had a first glance at this. Looks interesting. A few sections look still a bit bullet point heavy and I would hope to see them expanded a bit.
There was a problem hiding this comment.
Hey, this hasn’t seen any activity in a while and is still marked as a draft pull request. What is the status of this?
If this is ready for another editor review, please mark the pull request as Ready for Review. It would also be welcome if it got some review from third parties.
|
I think it's fine to come out of draft. |
murchandamus
left a comment
There was a problem hiding this comment.
The Rationale still seems a bit brief to me, but I would expect that it would be backfilled with the responses to the questions and issues raised as this proposal gets more review. Would be great if some other covenant researchers took a look at it. Otherwise the idea generally seems well described.
cc: @brandonblack, @ajtowns, @roconnor-blockstream, @moonsettler, @Roasbeef for some likely candidates to take a look.
| - Infinity outputs are rejected to avoid invalid keys. | ||
| - Functionality is narrowly scoped to Taproot-style tweaks, avoiding arbitrary EC arithmetic. | ||
| - Push opcode rather than verification opcode for script compactness. | ||
| - Argument order to permit tweak from witness onto fixed key without OP_SWAP. |
There was a problem hiding this comment.
Argument order to permit tweak from witness onto fixed key without OP_SWAP
This sentence is not clear to me. Perhaps it could use more context.
There was a problem hiding this comment.
see the email thread https://groups.google.com/g/bitcoindev/c/-_geIB25zrg
so OP_TWEAKADD can be either be <tweak> <key> or <key> <tweak>.
we use:
<key> OP_TWEAKADD
because we assume that commonly keys will come from the script, and tweaks will come from the witness.
This avoids an op_SWAP in most cases shown in the email examples.
| This is a soft-fork change which is tapscript-only. Un-upgraded nodes will continue | ||
| to treat unknown tapscript opcode as OP_SUCCESSx. | ||
|
|
||
| A future upgrade, such as an OP_CAT or OP_TAPTREE opcode, can prepare a tweak for a |
There was a problem hiding this comment.
What is OP_TAPTREE? I don’t think I’ve seen that one before.
There was a problem hiding this comment.
Stand-in for "some opcode that can work with taproot trees".
|
Without any additional opcodes the supported use cases seem to be:
Also along with #1974 TA could be used instead of the annex for data availability, by tweaking the internal key with the data required to reconstruct the script for that state. Something like |
|
Let’s refer to this as BIP 449. Please update the BIP and Assigned headers in the Preamble, rename the file, and add a table entry to the README file for your proposal. |
|
Thanks for the assignment! @murchandamus re rationale/motivation, see the email thread. https://groups.google.com/g/bitcoindev/c/-_geIB25zrg |
|
You’re welcome. My point was that the relevant information from the email thread and the pull request discussions should be added to your document, so that your document contains the relevant context and is self-explanatory. Could you please also update the BIP and Assigned headers in the Preamble, rename the file, and add a table entry to the README file for your proposal? |
|
It's really thin on the motivation.
Is probably the most vague way possible to describe what it does in a practical sense in tapscript and possibly in restored script. |
|
I think I made all the requested edits. I also added a use case on how to use TWEAKADD for PAIRCOMMIT @moonsettler would appreciate your review on that in particular that my design is sound, was a little tricky. |
Looks good to me. |
| ``` | ||
| ## Abstract | ||
|
|
||
| This proposal defines a new tapscript opcode, `OP_TWEAKADD`, that takes an x-only public key and a 32-byte integer `t` on the stack and pushes the x-only public key corresponding to `P + t*G`, where `P` is the lifted point for the input x-coordinate and `G` is the secp256k1 generator. The operation mirrors the Taproot tweak used by BIP340 signers and enables simple, verifiable key modifications inside script without revealing private keys or relying on hash locks. |
There was a problem hiding this comment.
takes an x-only public key
@JeremyRubin regarding the following question by @Roasbeef in https://groups.google.com/g/bitcoindev/c/-_geIB25zrg/m/AlKbHMl9BgAJ, perhaps I missed it but didn't see it addressed in the ML thread, unsure if the BIP was updated somewhat in response.
First, why accept only x-only keys?
From the PoV of Bitcoin Script today, they aren't used anywhere within the
execution environment. They also add some complexity to protocols that need
to accept them as input for further manipulation. They are indeed used for
Taproot output public keys, but those keys don't ever make their way down
into Script as an op code argument.
The musig2 BIP originally accepted x-only keys as input, but was switched to
instead accept normal compressed public keys in version v0.8.0 [1]. The
switch over enabled some simplifications in the BIP, as it enabled
eliminating one of the accumulator variables. For more details, see the
discussion that led to this change [2].
This comment from Tim resonates with my experience wrangling with bugs
introduced by improper/implicit handling of x-only keys over the years:
> Sigh yeah, x-only keys save a byte on chain but it seems the price we pay
> is a high engineering complexity. I think it's fair to say that noone had
> really anticipated this [1].
There was a problem hiding this comment.
@Roasbeef followed up himself with
https://groups.google.com/g/bitcoindev/c/-_geIB25zrg/m/ypVpdVKZAQAJ
Allowing parity-bearing public keys would not be encoding-malleable for full points, but it would undermine the x-only canonicalization property. If both the point sign and tweak are witness-controllable, (P, t) and (-P, n−t) yield the same x-only result, creating a new witness malleability vector.
Also, depending on how we add the parity argument, we might want to have OP_IKEY compatibility, making this a more sweeping change.
@Roasbeef himself has a separate proposal for EC Ops that better solve for that use case. TWEAKADD attempts to be maximally faithful to what taproot does.
| Status: Draft | ||
| Type: Specification | ||
| Assigned: 2026-03-05 | ||
| License: BSD-3-Clause |
There was a problem hiding this comment.
Could add the Requires header stating the BIPs that this one depends on (340, maybe 341)
Requires: 340
There was a problem hiding this comment.
not sure I understand the Requires header well enough to add it.
I would assume it would be only meaningful with respect to BIPs that are not currently consensus-active?
| [dependencies] | ||
| secp256k1 = "0.29" | ||
| hex = "0.4" | ||
| bitcoin_hashes = "0.16.0" |
There was a problem hiding this comment.
cargo run worked fine
for info, when I made the suggested cargo updates
-secp256k1 = "0.29"
+secp256k1 = "0.31.1"
hex = "0.4"
-bitcoin_hashes = "0.16.0"
+bitcoin_hashes = "0.20.0"the code looks like it would need to be updated for API changes in secp256k1.
There was a problem hiding this comment.
i.e. cargo asked if you'd like to update? but it worked fine without?
Probably need a bip repo wide policy wrt that...
otherwise examples will constantly go stale against cargo suggestions for newer versions.
Co-authored-by: Jon Atack <jon@atack.com>
Opening this PR for feedback & discussion on the specification for OP_TWEAKADD.
Mailing list post: https://groups.google.com/g/bitcoindev/c/-_geIB25zrg/m/bDpv822yAAAJ