BIP449: OP_TWEAKADD #1944

pull JeremyRubin wants to merge 13 commits into bitcoin:master from JeremyRubin:optweakadd changing 4 files +646 −0
  1. JeremyRubin commented at 10:43 PM on August 22, 2025: contributor

    Opening this PR for feedback & discussion on the specification for OP_TWEAKADD.

    Mailing list post: https://groups.google.com/g/bitcoindev/c/-_geIB25zrg

  2. jonatack added the label New BIP on Aug 22, 2025
  3. in bip-XXXX.md:240 in b24c5049ed outdated 
     235 | +This proposal extends the Taproot tweak mechanism (BIP340/341) into script, inspired by prior work on scriptless scripts and key-evolution constructions. There has been various discussion of OP_TWEAKADD over the years, including by Russell O'Connor and Steven Roose.
 236 | +
 237 | +## References
 238 | +
 239 | +- [CATT: Thoughts about an alternative covenant softfork proposal](https://delvingbitcoin.org/t/catt-thoughts-about-an-alternative-covenant-softfork-proposal/125)
 240 | +- [Bitcoindev mailing list discussion](https://gnusha.org/pi/bitcoindev/e98d76f2-6f2c-9c3a-6a31-bccb34578c31@roose.io/)
    jonatack commented at 11:09 PM on August 22, 2025:

    Hi @JeremyRubin, is there a link to a recent discussion specific to OP_TWEAKADD? Suggest a new ML post about this draft.

    JeremyRubin commented at 5:40 PM on August 23, 2025:

    yes sir 🫡

  4. kash831 commented at 3:37 PM on August 24, 2025: none

    All in a hard days work

  5. in bip-XXXX.md:37 in 9415fbc4e4 outdated 
      32 | +
  33 | +Input (top last):
  34 | +
  35 | +```
  36 | +
  37 | +... \[h32] \[pubkey32] OP\_TWEAKADD  ->  ... \[pubkey32\_out]
    murchandamus commented at 9:31 PM on August 25, 2025:

    I think these backslashes are unnecessary in the preformatted code. At least they render for me in the preview.

    <img width="553" height="192" alt="Image" src="https://github.com/user-attachments/assets/0ce8b5f0-604f-4199-80fa-57267bc7a80d" />

  6. in bip-XXXX.md:39 in 9415fbc4e4 outdated 
      34 | +
  35 | +```
  36 | +
  37 | +... \[h32] \[pubkey32] OP\_TWEAKADD  ->  ... \[pubkey32\_out]
  38 | +
  39 | +````
    murchandamus commented at 9:32 PM on August 25, 2025:

    This has one backtick too many, although it doesn’t seem to change the rendering.

  7. in bip-XXXX.md:9 in 9415fbc4e4 outdated 
       0 | @@ -0,0 +1,317 @@
   1 | +```
   2 | +BIP: TBD
   3 | +Layer: Consensus (soft fork)
   4 | +Title: OP_TWEAKADD - x-only key tweak addition
   5 | +Author: Jeremy Rubin <jeremy@char.network>
   6 | +Status: Draft
   7 | +Type: Standards Track
   8 | +Created: 2025-08-22
   9 | +License: BSD-3-Clause
    murchandamus commented at 9:37 PM on August 25, 2025:

    Please add the missing Copyright section.

    JeremyRubin commented at 2:28 PM on August 27, 2025:

    You meant at the end of the document right?

    murchandamus commented at 9:28 PM on August 27, 2025:

    Sure, that’s fine.

  8. in bip-XXXX.md:29 in 9415fbc4e4 outdated 
      24 | +## Specification
  25 | +
  26 | +### Applicability and opcode number
  27 | +
  28 | +- Context: Only valid in tapscript (witness version 1, leaf version 0xc0). In legacy or segwit v0 script, `OP_TWEAKADD` is disabled and causes script failure.
  29 | +- Opcode: OP_TWEAKADD (0xBE, or TBD, any unused OP_SUCCESSx, preferably one which might never be restored in the future).
    murchandamus commented at 9:39 PM on August 25, 2025:

    What does "preferably one which might never be restored in the future" refer to?

    JeremyRubin commented at 11:31 PM on August 25, 2025:

    E.g., it's desirable to not use 0x7f because that's OP_SUBSTR and if we ever did a soft fork like that, it's simpler to not change those opcodes.

    from bip-347:

    We specifically choose to use OP_SUCCESS126 rather than another OP_SUCCESSx as OP_SUCCESS126 uses the same opcode value (126 in decimal and 0x7e in hexadecimal) that was used for OP_CAT prior to it being disabled in Bitcoin. This removes a potential source of confusion that would exist if we had a opcode value different from the one used in the original OP_CAT opcode.

    JeremyRubin commented at 2:28 PM on August 27, 2025:

    assuming this doesn't need more of a note in the BIP?

  9. murchandamus commented at 9:42 PM on August 25, 2025: member

    I had a first glance at this. Looks interesting. A few sections look still a bit bullet point heavy and I would hope to see them expanded a bit.

  10. in bip-XXXX.md:9 in 4500b0ad25 
       0 | @@ -0,0 +1,315 @@
   1 | +```
   2 | +BIP: TBD
   3 | +Layer: Consensus (soft fork)
   4 | +Title: OP_TWEAKADD - x-only key tweak addition
   5 | +Author: Jeremy Rubin <jeremy@char.network>
   6 | +Status: Draft
   7 | +Type: Standards Track
   8 | +Created: 2025-08-22
   9 | +License: BSD-3-Clause
    murchandamus commented at 12:27 AM on February 28, 2026:

    Since BIP3 was deployed meanwhile, the preamble would need a few tweaks:

    BIP: ?
Layer: Consensus (soft fork)
Title: OP_TWEAKADD - x-only key tweak addition
Authors: Jeremy Rubin <jeremy@char.network>
Status: Draft
Type: Specification
Assigned: ?
License: BSD-3-Clause
  11. murchandamus commented at 12:29 AM on February 28, 2026: member

    Hey, this hasn’t seen any activity in a while and is still marked as a draft pull request. What is the status of this? If this is ready for another editor review, please mark the pull request as Ready for Review. It would also be welcome if it got some review from third parties.

  12. murchandamus renamed this:
    BIP Draft OP_TWEAKADD
    BIP Draft: OP_TWEAKADD
    on Feb 28, 2026
  13. murchandamus added the label PR Author action required on Feb 28, 2026
  14. JeremyRubin marked this as ready for review on Feb 28, 2026
  15. JeremyRubin commented at 7:57 AM on February 28, 2026: contributor

    I think it's fine to come out of draft.

  16. in bip-XXXX.md:13 in 5da11571b3 
       8 | +Assigned: ?
   9 | +License: BSD-3-Clause
  10 | +```
  11 | +## Abstract
  12 | +
  13 | +This proposal defines a new tapscript opcode, `OP_TWEAKADD`, that takes an x-only public key and a 32-byte integer `h` on the stack and pushes the x-only public key corresponding to `P + h*G`, where `P` is the lifted point for the input x-coordinate and `G` is the secp256k1 generator. The operation mirrors the Taproot tweak used by BIP340 signers and enables simple, verifiable key modifications inside script without revealing private keys or relying on hash locks.
    murchandamus commented at 7:36 PM on February 28, 2026:

    The integer h appears to be called t in the specification section.

    This proposal defines a new tapscript opcode, `OP_TWEAKADD`, that takes an x-only public key and a 32-byte integer `t` on the stack and pushes the x-only public key corresponding to `P + t*G`, where `P` is the lifted point for the input x-coordinate and `G` is the secp256k1 generator. The operation mirrors the Taproot tweak used by BIP340 signers and enables simple, verifiable key modifications inside script without revealing private keys or relying on hash locks.
  17. in bip-XXXX.md:81 in 5da11571b3 outdated 
      76 | +
  77 | +- Even-Y x-only is consistent with BIP340/Taproot.
  78 | +- Infinity outputs are rejected to avoid invalid keys.
  79 | +- Functionality is narrowly scoped to Taproot-style tweaks, avoiding arbitrary EC arithmetic.
  80 | +- Push opcode rather than verification opcode for script compactness.
  81 | +- Argument order to permit tweak from witness onto fixed key without OP_SWAP.
    murchandamus commented at 7:38 PM on February 28, 2026:

    Argument order to permit tweak from witness onto fixed key without OP_SWAP

    This sentence is not clear to me. Perhaps it could use more context.

    JeremyRubin commented at 3:17 PM on March 6, 2026:

    see the email thread https://groups.google.com/g/bitcoindev/c/-_geIB25zrg

    so OP_TWEAKADD can be either be <tweak> <key> or <key> <tweak>.

    we use:

    <key> OP_TWEAKADD

    because we assume that commonly keys will come from the script, and tweaks will come from the witness.

    This avoids an op_SWAP in most cases shown in the email examples.

  18. in bip-XXXX.md:88 in 5da11571b3 outdated 
      83 | +## Compatibility
  84 | +
  85 | +This is a soft-fork change which is tapscript-only. Un-upgraded nodes will continue
  86 | +to treat unknown tapscript opcode as OP_SUCCESSx.
  87 | +
  88 | +A future upgrade, such as an OP_CAT or OP_TAPTREE opcode, can prepare a tweak for a
    murchandamus commented at 7:39 PM on February 28, 2026:

    What is OP_TAPTREE? I don’t think I’ve seen that one before.

    JeremyRubin commented at 7:54 PM on March 3, 2026:

    Stand-in for "some opcode that can work with taproot trees".

  19. murchandamus commented at 7:46 PM on February 28, 2026: member

    The Rationale still seems a bit brief to me, but I would expect that it would be backfilled with the responses to the questions and issues raised as this proposal gets more review. Would be great if some other covenant researchers took a look at it. Otherwise the idea generally seems well described.

    cc: @brandonblack, @ajtowns, @roconnor-blockstream, @moonsettler, @Roasbeef for some likely candidates to take a look.

  20. murchandamus removed the label PR Author action required on Feb 28, 2026
  21. murchandamus added the label Needs number assignment on Feb 28, 2026
  22. moonsettler commented at 10:21 PM on February 28, 2026: contributor

    Without any additional opcodes the supported use cases seem to be:

    1. prove order of signing (not sure what this can be used for, maybe some penalty based lightning construct?)
    2. reveal private key to a pubkey (user can swap out of a covenant pool by atomically forfeiting a private key?)

    Also along with #1974 TA could be used instead of the annex for data availability, by tweaking the internal key with the data required to reconstruct the script for that state.

    Something like <sig> <da> | SHA256 INTERNALKEY TWEAKADD TEMPLATEHASH SWAP CSFS

  23. murchandamus commented at 4:06 PM on March 5, 2026: member

    Let’s refer to this as BIP 449. Please update the BIP and Assigned headers in the Preamble, rename the file, and add a table entry to the README file for your proposal.

  24. murchandamus renamed this:
    BIP Draft: OP_TWEAKADD
    BIP449: OP_TWEAKADD
    on Mar 5, 2026
  25. murchandamus removed the label Needs number assignment on Mar 5, 2026
  26. JeremyRubin commented at 3:13 PM on March 6, 2026: contributor

    Thanks for the assignment! @murchandamus re rationale/motivation, see the email thread. https://groups.google.com/g/bitcoindev/c/-_geIB25zrg

  27. murchandamus commented at 6:18 PM on March 16, 2026: member

    You’re welcome. My point was that the relevant information from the email thread and the pull request discussions should be added to your document, so that your document contains the relevant context and is self-explanatory.

    Could you please also update the BIP and Assigned headers in the Preamble, rename the file, and add a table entry to the README file for your proposal?

  28. murchandamus added the label PR Author action required on Mar 16, 2026
  29. moonsettler commented at 10:56 AM on March 17, 2026: contributor

    It's really thin on the motivation.

    Enables script-level key evolutions

    Is probably the most vague way possible to describe what it does in a practical sense in tapscript and possibly in restored script.

  30. BIP: OP_TWEAKADD 8ffa7379cf
  31. BIP TweakAdd: note on commutativity of tweaking and add test cases b349b181ca
  32. BIP TweakAdd: Invert Argument Order cd669f454a
  33. BIP Tweakadd: fix typo & add note on even-y tweaking 858f801dd3
  34. BIP TweakAdd -- add mailing list discussion 5de43acce9
  35. BIP TweakAdd: Add Alpen and MATT mentions 45d62e8ce3
  36. BIP TweakAdd Formatting Edits 46910a504b
  37. BIP TWEAKADD remove conventions section 466aac586e
  38. BIP TWEAKADD formatting fix a6f271feac
  39. BIP TWEAKADD Move Vectors to end ae05e47b56
  40. BIP TweakAdd: Condense compatibility section 76d8bbc712
  41. [BIP-0449] Updates post assignemnt b4a840e017
  42. JeremyRubin force-pushed on Mar 23, 2026
  43. [BIP-0449] Normalize Metadata 8cf8e3b103
  44. JeremyRubin commented at 7:44 PM on March 23, 2026: contributor

    I think I made all the requested edits. I also added a use case on how to use TWEAKADD for PAIRCOMMIT @moonsettler would appreciate your review on that in particular that my design is sound, was a little tricky.

  45. murchandamus commented at 12:12 AM on March 24, 2026: member

    Thanks for the update

  46. murchandamus removed the label PR Author action required on Mar 24, 2026
  47. moonsettler commented at 7:51 PM on March 24, 2026: contributor

    I think I made all the requested edits. I also added a use case on how to use TWEAKADD for PAIRCOMMIT @moonsettler would appreciate your review on that in particular that my design is sound, was a little tricky.

    Looks good to me.

Contributors
JeremyRubinjonatackkash831murchandamusmoonsettler
Labels
New BIP
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-14 15:10 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me