clarify that secp scalars are unsigned big endian

sanket1729 · sanket1729 · commit 31c232a39b77 · 2021-08-24T10:46:33.000-07:00
diff --git a/doc/tapscript_opcodes.md b/doc/tapscript_opcodes.md
@@ -71,8 +71,8 @@ When defining the opcodes which can fail, we only define the success path, and a
    1. Define `OP_SUCCESS226` as `OP_LE32TOLE64`: pop the stack as a 4 byte _unsigned_ LE. Push the corresponding 8 byte _signed_ LE number. Cannot fail, useful for operating of version, locktime, sequence, number of inputs, number of outputs, weight etc.
 
 5. **Crypto**: In order to allow more complex operations on elements, we introduce the following new crypto-operators. Each opcode counts as 50 towards the sigops budget.
-   1. Define `OP_SUCCESS227` as `OP_ECMULSCALARVERIFY`which pops three elements from stack as described below: 1) a 32 byte big endian scalar `k`. 2) Compressed EC point `P`, and 3) compressed EC point `Q`. Abort if `P`, `Q` is invalid or `k` is not 32 bytes and outside of secp256k1 curve order. Abort if `Q != k*P`.
-   1. Define `OP_SUCCESS228` as `OP_TWEAKVERIFY` with the following semantics: Pop the three elements as: 1) 32 byte X-only internal key `P`, 2) a 32 byte big endian scalar `k`, and 3) 33 byte compressed point `Q`. Abort if `P`, `Q` is invalid or `k` is not 32 bytes and outside of secp256k1 curve order. Abort if `Q != P + k*G` where `G` is the generator for secp256k1.
+   1. Define `OP_SUCCESS227` as `OP_ECMULSCALARVERIFY`which pops three elements from stack as described below: 1) a 32 byte big endian, unsigned scalar `k`. 2) Compressed EC point `P`, and 3) compressed EC point `Q`. Abort if `P`, `Q` is invalid or `k` is not 32 bytes and outside of secp256k1 curve order. Abort if `Q != k*P`.
+   1. Define `OP_SUCCESS228` as `OP_TWEAKVERIFY` with the following semantics: Pop the three elements as: 1) 32 byte X-only internal key `P`, 2) a 32 byte big endian, unsigned scalar `k`, and 3) 33 byte compressed point `Q`. Abort if `P`, `Q` is invalid or `k` is not 32 bytes and outside of secp256k1 curve order. Abort if `Q != P + k*G` where `G` is the generator for secp256k1.
 
 6. **Changes to existing Opcodes**:
    - Add `OP_CHECKSIGFROMSTACK` and `OP_CHECKSIGFROMSTACKVERIFY` to follow the semantics from bip340 when witness program is v1. In more detail, the opcodes pops three elements stack 1) 32 byte `pk` Xonly public key 2) Variable length message `msg` and 3) 64 byte Schnorr signature `sig`. Let `res = BIP340_verify(pk, msg, sig)` where `BIP340_verify` is defined for elements [here](https://github.com/ElementsProject/elements/blob/master/doc/taproot-sighash.mediawiki). If opcode is `OP_CHECKSIGFROMSTACKVERIFY`, abort if the verification fails.
