
Implement BIP-EC-OPS: Elliptic Curve Operations for Bitcoin Script #109

Open

ViniciusCestarii wants to merge 6 commits into bitcoin-inquisition:29.x from ViniciusCestarii:ec-ops-inq

Conversation


@ViniciusCestarii ViniciusCestarii commented Mar 5, 2026

This is an implementation of Roasbeef's BIP for Elliptic Curve Operations, adding four new opcodes that expose low-level secp256k1 elliptic curve primitives to Tapscript.

Links


DrahtBot commented Mar 7, 2026

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

  • #108 (PoC: tooling for OP_TEMPLATEHASH by darosior)
  • #100 (BIP446 "OP_TEMPLATEHASH" implementation by darosior)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

@ViniciusCestarii ViniciusCestarii marked this pull request as ready for review March 13, 2026 16:37
Comment thread src/pubkey.cpp
Comment on lines +409 to +410
std::memcpy(factor_be, factor.data, 32);
std::reverse(factor_be, factor_be + 32);
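Review bot: the copy-and-reverse of `factor.data` at lines +409 to +410 hard-codes both the size (32 bytes) and the byte order of the hazmat scalar's internal representation, so the result is only correct for as long as that private layout stays as it is. Either serialize the scalar through the library's serialization function or, since the interpreter already holds the scalar as 32 big-endian bytes, pass those directly to the `_ec_pubkey_{create,tweak}` calls and drop the `factor_be` temporary altogether.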

theStack commented Mar 16, 2026


Note that the .data member of secp256k1_hazmat_scalar type (and any other types of the hazmat module) contains an internal representation and is thus not meant to be accessed directly by the user. The serialization API function secp256k1_hazmat_scalar_serialize should be used instead (no blaming though, this should definitely be documented better in the API header in bitcoin-core/secp256k1#1635!).

However, in this case it seems you don't need the hazmat API in the first place. You can simply pass scalar.data() to the _ec_pubkey_{create,tweak} functions below, as this is already in the expected form. The following simplification seems to work fine: theStack/bitcoin-inquisition@d4c9c8c

It might still make sense to use a hazmat module consistently throughout for all operations (if there are notable gains in performance), but I wouldn't recommend bitcoin-core/secp256k1#1635 for that purpose currently, given its PoC state and lack of review.

ViniciusCestarii (Author) commented

Hey, thank you for the feedback.

I used it specifically to satisfy the rule defined in the BIP: "Scalar values greater than or equal to the curve order n are automatically reduced modulo n." by using secp256k1_hazmat_scalar_parse. I tried to find a way to handle this using the standard API, but I couldn't find one.

Is there a recommended approach to perform this reduction modulo n using the standard secp256k1 API without relying on hazmat?
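The reduction rule quoted from the BIP (operands greater than or equal to n are reduced modulo n) does not call for a general modular-reduction routine when the operand is a 32-byte scalar, and that is what the following added example shows. It is not code from this PR or from libsecp256k1. Because n is larger than 2^255, every 256-bit value is below 2n, so one comparison and at most one subtraction bring the operand into range; the result is then 32 big-endian bytes, the form theStack notes the standard `_ec_pubkey_{create,tweak}` functions already expect. The function names, the hex helpers and the test vectors are constructed for this illustration; the only library fact relied on is the secp256k1 group order.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* secp256k1 group order n as a 32-byte big-endian integer (well-known constant). */
static const uint8_t SECP256K1_ORDER_N[32] = {
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
    0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
    0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
};

/* out = a - b on 32-byte big-endian integers; the caller guarantees a >= b. */
static void sub256_be(uint8_t out[32], const uint8_t a[32], const uint8_t b[32])
{
    int borrow = 0;
    for (int i = 31; i >= 0; i--) {            /* least significant byte first */
        int d = (int)a[i] - (int)b[i] - borrow;
        borrow = d < 0;
        out[i] = (uint8_t)(borrow ? d + 256 : d);
    }
}

/*
 * Reduce a 32-byte big-endian scalar modulo n, the behaviour the BIP text asks
 * for when an operand is >= n. Since n > 2^255, every 256-bit value is < 2n, so
 * a single conditional subtraction is a complete reduction.
 * Returns 1 if the input was >= n (and was reduced), 0 if it was already < n.
 *
 * Script operands are public witness data, so the data-dependent branch and
 * memcmp are acceptable here. Secret key material would instead need a
 * constant-time comparison and subtraction.
 */
int scalar_reduce_mod_n(uint8_t out[32], const uint8_t in[32])
{
    /* memcmp over equal-length big-endian buffers is a numeric comparison. */
    if (memcmp(in, SECP256K1_ORDER_N, 32) >= 0) {
        sub256_be(out, in, SECP256K1_ORDER_N);
        return 1;
    }
    memcpy(out, in, 32);
    return 0;
}

/* --- hex helpers (constructed for this example) so the reduction can be
 *     exercised with readable vectors --- */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parses a 64-char hex scalar, reduces it and writes 64 lowercase hex chars plus
 * NUL into out_hex. Returns the reduce flag, or -1 if the input is malformed. */
int scalar_reduce_hex(const char *in_hex, char out_hex[65])
{
    uint8_t in[32], out[32];
    if (strlen(in_hex) != 64) return -1;
    for (int i = 0; i < 32; i++) {
        int hi = hex_nibble(in_hex[2 * i]), lo = hex_nibble(in_hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        in[i] = (uint8_t)((hi << 4) | lo);
    }
    int reduced = scalar_reduce_mod_n(out, in);
    for (int i = 0; i < 32; i++)
        snprintf(out_hex + 2 * i, 3, "%02x", out[i]);
    return reduced;
}

/* Returns the reduce flag when the reduced value equals expected_hex, -2 when
 * it does not, and -1 for malformed input. */
int scalar_reduce_hex_check(const char *in_hex, const char *expected_hex)
{
    char out[65];
    int r = scalar_reduce_hex(in_hex, out);
    if (r < 0) return r;
    return strcmp(out, expected_hex) == 0 ? r : -2;
}

int main(void)
{
    /* Constructed vectors: n itself, n + 1, the maximum 256-bit value, n - 1. */
    const char *vectors[] = {
        "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141",
        "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364142",
        "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
        "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140",
    };
    char out[65];
    for (size_t i = 0; i < sizeof vectors / sizeof vectors[0]; i++) {
        int r = scalar_reduce_hex(vectors[i], out);
        printf("%s\n  -> %s (reduced=%d)\n", vectors[i], out, r);
    }
    return 0;
}
```

The edge cases worth checking are the boundaries: n itself reduces to zero, n + 1 reduces to one, the all-0xff value reduces to 2^256 - 1 - n, and n - 1 passes through untouched. What a Script implementation should do with a scalar that reduces to zero is a separate question the BIP text quoted here does not settle, so the function above deliberately leaves that decision to its caller.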


3 participants