bitcoin-bips/bip-0349.md

<pre>
  BIP: 349
  Layer: Consensus (soft fork)
  Title: OP_INTERNALKEY
  Author: Brandon Black <freedom@reardencode.com>
          Jeremy Rubin <j@rubin.io>
  Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0349
  Status: Draft
  Type: Standards Track
  Created: 2023-12-22
  License: BSD-3-Clause
</pre>

## Abstract

This BIP describes a new tapscript opcode (`OP_INTERNALKEY`) which
pushes the _taproot internal key_ to the stack.

## Specification

When verifying taproot script path spends having leaf version `0xc0` (as
defined in [BIP 342]), `OP_INTERNALKEY` replaces `OP_SUCCESS203` (0xcb).
`OP_INTERNALKEY` pushes the 32-byte x-only representation of the _taproot
internal key_ (referred to as _p_), as defined in [BIP 341], to the stack.

## Motivation

### Key spend with additional conditions

When building taproot outputs, especially those secured by an aggregate key
representing more than one signer, the parties may wish to collaborate on
signing with the _taproot internal key_, but only with additional script
restrictions. In this case, `OP_INTERNALKEY` saves 8 vBytes.

### Mitigated control block overhead for scripts using hash locks

In cases where key path spending is not desired, the internal key may be set to
a NUMS point whose bytes would otherwise be required in a tapscript. This could
be used with any hash locked transaction, for example, to save 8 vBytes.

Note: The internal key must be the X coordinate of a point on the SECP256K1
curve, so any such hash must be checked and modified until it is such an X
coordinate. This will typically take approximately 2 attempts.

## Reference Implementation

A reference implementation is provided here:

https://github.com/bitcoin/bitcoin/pull/29269

## Backward Compatibility

By constraining the behavior of an OP_SUCCESS opcode, deployment of the BIP
can be done in a backwards compatible, soft-fork manner. If anyone were to
rely on the OP_SUCCESS behavior of `OP_SUCCESS203`, `OP_INTERNALKEY` would
invalidate their spend.

## Deployment

TBD

## Credits

TODO

## Copyright

This document is licensed under the 3-clause BSD license.

[BIP 341]: https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki

[BIP 342]: https://github.com/bitcoin/bips/blob/master/bip-0342.mediawiki
BIP349: Fix preamble for CI issues 2024-11-14 16:26:55 -05:00			`<pre>`
			`BIP: 349`
			`Layer: Consensus (soft fork)`
			`Title: OP_INTERNALKEY`
			`Author: Brandon Black <freedom@reardencode.com>`
			`Jeremy Rubin <j@rubin.io>`
			`Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0349`
			`Status: Draft`
			`Type: Standards Track`
			`Created: 2023-12-22`
			`License: BSD-3-Clause`
			`</pre>`
Add bip-internalkey 2024-04-24 14:34:29 -07:00
			`## Abstract`

			This BIP describes a new tapscript opcode (`OP_INTERNALKEY`) which
Fixes and clarifications to address PR comments 2024-11-12 23:46:22 +01:00			`pushes the _taproot internal key_ to the stack.`
Add bip-internalkey 2024-04-24 14:34:29 -07:00
			`## Specification`

Fixes and clarifications to address PR comments 2024-11-12 23:46:22 +01:00			When verifying taproot script path spends having leaf version `0xc0` (as
			defined in [BIP 342]), `OP_INTERNALKEY` replaces `OP_SUCCESS203` (0xcb).
BIP-349 2024-11-14 18:10:42 +01:00			`OP_INTERNALKEY` pushes the 32-byte x-only representation of the _taproot
			`internal key_ (referred to as _p_), as defined in [BIP 341], to the stack.`
Add bip-internalkey 2024-04-24 14:34:29 -07:00
			`## Motivation`

			`### Key spend with additional conditions`

			`When building taproot outputs, especially those secured by an aggregate key`
			`representing more than one signer, the parties may wish to collaborate on`
Fixes and clarifications to address PR comments 2024-11-12 23:46:22 +01:00			`signing with the _taproot internal key_, but only with additional script`
Add bip-internalkey 2024-04-24 14:34:29 -07:00			restrictions. In this case, `OP_INTERNALKEY` saves 8 vBytes.

			`### Mitigated control block overhead for scripts using hash locks`

Fixes and clarifications to address PR comments 2024-11-12 23:46:22 +01:00			`In cases where key path spending is not desired, the internal key may be set to`
			`a NUMS point whose bytes would otherwise be required in a tapscript. This could`
			`be used with any hash locked transaction, for example, to save 8 vBytes.`
Add bip-internalkey 2024-04-24 14:34:29 -07:00
			`Note: The internal key must be the X coordinate of a point on the SECP256K1`
			`curve, so any such hash must be checked and modified until it is such an X`
			`coordinate. This will typically take approximately 2 attempts.`

			`## Reference Implementation`

			`A reference implementation is provided here:`

			`https://github.com/bitcoin/bitcoin/pull/29269`

			`## Backward Compatibility`

			`By constraining the behavior of an OP_SUCCESS opcode, deployment of the BIP`
			`can be done in a backwards compatible, soft-fork manner. If anyone were to`
			rely on the OP_SUCCESS behavior of `OP_SUCCESS203`, `OP_INTERNALKEY` would
			`invalidate their spend.`

			`## Deployment`

			`TBD`

			`## Credits`

			`TODO`

			`## Copyright`

			`This document is licensed under the 3-clause BSD license.`

			`[BIP 341]: https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki`

			`[BIP 342]: https://github.com/bitcoin/bips/blob/master/bip-0342.mediawiki`