[BIP Proposal] Elliptic Curve Operations for Bitcoin Script

This initiative aims at enhancing the flexibility and functionality of Bitcoin Script, particularly in facilitating the commutation of the top-level Taproot output public key. The proposed opcodes are designed to complement introspection capabilities, paving the way for innovative on-chain state machines within Bitcoin Script. Furthermore, the versatility of these opcodes extends to various applications, including but not limited to optimized Discreet Log Contracts (DLCs), partial MuSig2 signature verification, and Elliptic Curve-based sigma protocols.

A total of four opcodes have been suggested, each carefully selected from the available OP_SUCCESS range. These include OP_EC_POINT_ADD, OP_EC_POINT_MUL, OP_EC_POINT_NEGATE, and OP_EC_POINT_X_COORD. The comprehensive details of this proposition, including its rationale and potential impact, are thoroughly documented in the draft of the Bitcoin Improvement Proposal (BIP), accessible through this GitHub link. Additionally, a reference implementation has been made available in btcd, which can be reviewed via this link.

Amidst discussions surrounding this proposal, constructive feedback has emerged, suggesting refinements to further solidify the foundation of the proposed opcodes. Key among the suggestions is the introduction of an operation dubbed OP_EC_LIFT_X_EVEN, aimed at reversing the effects of OP_EC_POINT_X_COORD, albeit with certain limitations pertaining to parity considerations. This addition would be particularly beneficial in scenarios where OP_IKEY is utilized. Another recommendation involves the implementation of OP_EC_GENERATOR, which would push the generator point G onto the stack directly, as opposed to the current method that interprets a 0 as G. This modification is anticipated to enhance composability and streamline operations, especially in the context of multiplication chaining where the goal is to carry the point at infinity through successive operations accurately.

The discourse further delves into the intricacies of implementing OP_TWEAKADD, highlighting a more efficient approach facilitated by the new opcodes. This includes leveraging OP_EC_GENERATOR followed by OP_EC_POINT_MUL and OP_EC_LIFT_X_EVEN for additive operations on elliptic curve points. Such technical insights underscore the potential of the proposed enhancements to refine and extend the capabilities of Bitcoin Script, heralding a new era of on-chain innovation and flexibility.