On Sat, Sep 27, 2025 at 08:59:40PM +0930, Rusty Russell wrote:
> ;OP_SEGMENT
> : This opcode remains an NOP. But it makes script parts ''composable'':
>
> ;OP_BYTEREV
> : This is the minimum requirement for constructing ordered Merkle trees as
> specified in Taproot.
>
> ;OP_ECPOINTADD
> : Also required for constructing Taproot spends. The varops cost is the same
> as a CHECKSIG operation.
>
> ;OP_INTERNALKEY

> Bitcoin script was developed long before Taproot: OP_ECPOINTADD and
> OP_BYTEREV are the minimal missing opcodes required for creating Taproot
> trees in script.

If you're trying to construct a taproot address, the formula is roughly:

    T = IPK + H(IPK, ScriptRoot) * G

The above arguably give you enough capacity to calculate most of that
formula, but I don't see anything that gives the "* G" part.

> - I don't see an immediate reason for OP_ECPOINTMUL, for example, but it
> would not be possible in script today (due to varops limits).

Calculating T according to the above, rather than verifying the equation
is true after being given all the values, means that you can't combine
a bunch of similar calculations (including schnorr signature checks)
into a batch validation, gaining some performance benefit.

It may make more sense to have an ECPOINT_MULADD function, that verifies:

    a*B + c*D = 0 (point at infinity)

where a,c are scalars and B,D are points, and OP_MULTI modifies that to

    a1*B1 + a2*B2 + .. + aN*BN = 0,

where ai are scalars and Bi are points.

Note that expressing "negative" values is probably desirable, particularly
-G; eg the BIP340 signature equation becomes:

    s*(-G) + 1*R + H(..)*P = 0

in that model. The Taproot address check is:

    (+/-)1*T = 1*IPK + H(..)*G = 0

where the sign for T is taken from the control block.

FWIW, bll does this with the `secp256k1_muladd` opcode, and example code
for verifying a taproot script against a scriptPubKey is at
https://github.com/ajtowns/bllsh/blob/master/examples/test-taproot

Cheers,
aj
