Bitcoin Forum

Dear 1VayNert

It appears that you may have a bug in your transactions that is causing you to throw away 0.01 BTC on each transaction.  Thought you would like to know.

Example here:  http://blockexplorer.com/tx/9969603dca74d14d29d1d5f56b94c7872551607f8c2d6837ab9715c60721b50e

and http://blockexplorer.com/tx/8c8baf2e0529c0193ad3a583306a16fcc3e9cd271ba625e12bfd74261a46ad7c

They're not throwing away 0.01 BTC, they just haven't redeemed them yet-- they're using valid-but-strange transactions.

Output script:
So as far as I understand it:
It drops this first string (04678afd04678afd) from the stack, so ignore that. Then it hashes (SHA256) the next thing on the stack, which would be in the input script you use. Then that should be equal to the 89...95c part.

So basically these outputs can be claimed by a password.

I'd guess the OP_DROP data is salt for the password.

Spends of these transactions could be intercepted and hijacked by miners. It would be better to do a regular public key transaction and attach the private key as AES-encrypted OP_DROP data. Another way might be to add a proof-of-work to the script so that miners don't have time to hijack the transaction before someone else includes it.

That makes sense.

Also, all those transactions* seem to have the same password, too, so he would need to spend all of them at the same time.

*At least the two examples posted. 2 is a representative data sample, no?

What do you mean by adding proof-of-work to the script ?

Learning a lot.  Thanks.

Like this (using some disabled/not-yet-implemented Script features):

({} denotes that something is in a string, not part of the script proper.)

With this, you need to do some "mining" after changing the transaction to make it valid.

Wow, that's really cool :)
Sadly it can't be used because of disabled ops...

Doesn't Eligius accept non-standard scripts? Or is this really non-standard?

They would end up on a different network if they accepted this. The network doesn't recognize OP_SUBSTR anymore, and OP_EVAL isn't implemented yet (though it is planned).

The script I gave is inferior in every way that I can think of to just including an AES-encrypted private key with a standard transaction. I just wanted to illustrate the concept. Possibly there are better ways of doing transaction proof-of-works, though. Maybe you could do it by making public only parts of public keys, signatures, or private keys. It could certainly be better than AES encryption if there was a script op that output a hash of the non-Script parts of transactions: then you wouldn't have to use OP_CHECKSIG at all.

My script could be improved by leaving out the private key and having everyone use the same known keypair. Then it's only a little bigger than the encrypted-private-key method.

Well, the substr magic can be replaced by an OP_WITHIN, where it should be within 0x00000000000000 and 0x00000001000000 for example. That would circumvent the OP_SUBSTR, while achieving the same result, right?

Would be nice to test for zeroes with OP_LESSTHAN which is allowed, but it's limited to 32 bits only, just as OP_DIV and OP_RSHIFT (both are disabled) :(

Sadly most useful ops are either disabled or crippled by 4 bytes limit.

No, OP_WITHIN is limited to 32 bit numbers, so it can only work within 0x000000 and 0xFFFFFFFF, a maximum subset is 4 294 967 295 of sha256's output space (around ~0.0000000000000000000000000000000000000000000000000000000000000000000037%)
(not sure about that)

Finally redeemed :)
The new TX wasn't even considered strange by the network.

http://blockexplorer.com/tx/9969603dca74d14d29d1d5f56b94c7872551607f8c2d6837ab9715c60721b50e#o2

theymos: why add the private key AES encrypted when you just can SHA256(password) (like mini-private-keys) and use that as private key?
Then you tell the legit whoever that should be able to access those coins on how you redeem them.

Probably that is always better than AES encryption.