Bitcoin Forum
May 14, 2024, 02:35:28 PM
1  Bitcoin / Development & Technical Discussion / Raw transaction from Value Overflow Incident on: March 11, 2024, 07:23:25 PM
What is the exact form of raw transaction from Value Overflow Incident? I tried to recreate it, but I guess I am doing something wrong.

Link to the topic: https://bitcointalk.org/index.php?topic=822.0

My attempt:
Code:
decoderawtransaction 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
{
  "txid": "ffbe549076b4b550088b4eee11106b702ca091efd360de0a6397dd7ca3e36bc1",
  "hash": "ffbe549076b4b550088b4eee11106b702ca091efd360de0a6397dd7ca3e36bc1",
  "version": 1,
  "size": 258,
  "vsize": 258,
  "weight": 1032,
  "locktime": 0,
  "vin": [
    {
      "txid": "237fe8348fc77ace11049931058abb034c99698c7fe99b1cc022b1365a705d39",
      "vout": 0,
      "scriptSig": {
        "asm": "3045022100db8ccad098467a80bdb9ae16fca82aa4214a66c1ee24b62b696073e7e4f6879302205ad02d53231be18c5d6a77ffdb39476a5b5da4be70f0acc6794b181f4e38027ca8 046b5d97aeed2979207f4ca7d9e75cdebf9ebb2a47d0b715370645f6845edfa7adfb0627ad7bda601ad2d129ebf037c5750841e9ba64ab199c4cb8280a95335d96",
        "hex": "483045022100db8ccad098467a80bdb9ae16fca82aa4214a66c1ee24b62b696073e7e4f6879302205ad02d53231be18c5d6a77ffdb39476a5b5da4be70f0acc6794b181f4e38027ca841046b5d97aeed2979207f4ca7d9e75cdebf9ebb2a47d0b715370645f6845edfa7adfb0627ad7bda601ad2d129ebf037c5750841e9ba64ab199c4cb8280a95335d96"
      },
      "sequence": 4294967295
    }
  ],
  "vout": [
    {
      "value": 92233720368.54277039,
      "n": 0,
      "scriptPubKey": {
        "asm": "OP_DUP OP_HASH160 90e8d5ba1c2a301824b18d383dead728b13ea7b7 OP_EQUALVERIFY OP_CHECKSIG",
        "desc": "addr(1EDDEGtrZ5877WPsLU5o9TwjJDqaUqhvte)#h50rucd6",
        "hex": "76a91490e8d5ba1c2a301824b18d383dead728b13ea7b788ac",
        "address": "1EDDEGtrZ5877WPsLU5o9TwjJDqaUqhvte",
        "type": "pubkeyhash"
      }
    },
    {
      "value": 92233720368.54277039,
      "n": 1,
      "scriptPubKey": {
        "asm": "OP_DUP OP_HASH160 2c72c4b5e0cbf9b6435f2cec9df8668c50751215 OP_EQUALVERIFY OP_CHECKSIG",
        "desc": "addr(1542Dgx5EeurzHP8cT57fK6hBTQq2dgTEu)#squqxq0e",
        "hex": "76a9142c72c4b5e0cbf9b6435f2cec9df8668c5075121588ac",
        "address": "1542Dgx5EeurzHP8cT57fK6hBTQq2dgTEu",
        "type": "pubkeyhash"
      }
    }
  ]
}
It seems that outputs are decoded properly, because the second address even exists on-chain: https://mempool.space/address/1542Dgx5EeurzHP8cT57fK6hBTQq2dgTEu

However, I am curious about the scriptSig, because it is very strange. It has this weird "a8" ending, which sounds like an invalid sighash. What is taken in that case? SIGHASH_ALL? Also, I don't know how to make any message which will hash into 1d5e512a9723cbef373b970eb52f1e9598ad67e7408077a82fdac194b65333c9. And then, what is the z-value which is used to make this signature? What are the last four bytes added to the transaction? Is it "01000000"? Or maybe "a8000000"? Or something else?

In the case of the coinbase transaction, that was quite easy:
Code:
decoderawtransaction 01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff08040e80001c028f00ffffffff01c024102d01000000434104750f835e45baa59bda8989092a3f4c7e201bbb6dc2265f12ea4e044b849acfe1656ecf6f4e99516cd9b95486bda27e7c8363798b8ec7a2a8c3f880155da54b4fac00000000
{
  "txid": "012cd8f8910355da9dd214627a31acfeb61ac66e13560255bfd87d3e9c50e1ca",
  "hash": "012cd8f8910355da9dd214627a31acfeb61ac66e13560255bfd87d3e9c50e1ca",
  "version": 1,
  "size": 135,
  "vsize": 135,
  "weight": 540,
  "locktime": 0,
  "vin": [
    {
      "coinbase": "040e80001c028f00",
      "sequence": 4294967295
    }
  ],
  "vout": [
    {
      "value": 50.51000000,
      "n": 0,
      "scriptPubKey": {
        "asm": "04750f835e45baa59bda8989092a3f4c7e201bbb6dc2265f12ea4e044b849acfe1656ecf6f4e99516cd9b95486bda27e7c8363798b8ec7a2a8c3f880155da54b4f OP_CHECKSIG",
        "desc": "pk(04750f835e45baa59bda8989092a3f4c7e201bbb6dc2265f12ea4e044b849acfe1656ecf6f4e99516cd9b95486bda27e7c8363798b8ec7a2a8c3f880155da54b4f)#r9p0z7n3",
        "hex": "4104750f835e45baa59bda8989092a3f4c7e201bbb6dc2265f12ea4e044b849acfe1656ecf6f4e99516cd9b95486bda27e7c8363798b8ec7a2a8c3f880155da54b4fac",
        "type": "pubkey"
      }
    }
  ]
}
Also, the Merkle tree was quite easy to decode, because it is just a concatenation of both transaction hashes, with reversed bytes:
Code:
cae1509c3e7dd8bf550256136ec61ab6feac317a6214d29dda550391f8d82c01c93353b694c1da2fa8778040e767ad98951e2fb50e973b37efcb23972a515e1d
5eecb6808d6de56a05211483d86fc6c7d17cda46c3388dd0c8139e4114ba8e61
618eba14419e13c8d08d38c346da7cd1c7c66fd8831421056ae56d8d80b6ec5e
And, for completeness, the 80-byte block header:
Code:
01000000846e2b968653ef0a25a92c12e8884d76919907df8e3079e665686000000000005eecb6808d6de56a05211483d86fc6c7d17cda46c3388dd0c8139e4114ba8e61751e684c0e80001ccf2fae01
1ceca770147b6f7ac697ebdd0bbf9a56abb643ad56c72ef2b30a790000000000
0000000000790ab3f22ec756ad43b6ab569abf0bddeb97c67a6f7b1470a7ec1c
I guess I made some mistake in calculating sighashes, but I don't know exactly where it is.
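The following is an added Python example, not the poster's code and not Bitcoin Core's. It rebuilds the transaction from the fields decoderawtransaction printed in the post, recomputes the txid, builds the legacy (pre-SegWit) sighash preimage the way Bitcoin Core's SignatureHash does, and re-derives the Merkle root and block hash from the values listed in the post. Two facts it encodes: the hash type is simply the last byte of the signature, so for this input it is 0xa8 and the four bytes appended to the preimage are "a8000000" (the type as a 32-bit little-endian integer); and since 0xa8 & 0x1f is 0x08, which is neither SIGHASH_NONE nor SIGHASH_SINGLE, all outputs are committed to exactly as with SIGHASH_ALL, while the 0x80 bit (SIGHASH_ANYONECANPAY) means only the input being signed is serialized. The scriptPubKey of the spent output 237fe834...:0 is not in the post, so the sighash function takes it as a parameter and the demo passes a clearly labelled placeholder; the z-value is the digest read as a big-endian integer. Note also what the post's own Merkle data shows: the second leaf there is 1d5e512a..., whereas the fields as decoded serialize to ffbe5490..., so the fields of the rebuilt transaction differ from the on-chain one before any sighash is computed.

```python
import hashlib
import struct

# Added example (not the poster's code). Rebuilds the transaction from the fields
# decoderawtransaction printed in the post, recomputes its txid, builds the legacy
# (pre-SegWit) sighash preimage for hash type 0xa8, and re-derives the Merkle root
# and block hash from the values the post lists.

SIGHASH_ALL, SIGHASH_NONE, SIGHASH_SINGLE, SIGHASH_ANYONECANPAY = 0x01, 0x02, 0x03, 0x80


def dsha256(data):
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n):
    """CompactSize encoding used for counts and script lengths."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def serialize_tx(inputs, outputs, version=1, locktime=0):
    """inputs: (prev_txid_hex, vout, script, sequence); outputs: (value_sat, script_pubkey)."""
    raw = struct.pack("<i", version) + varint(len(inputs))
    for txid, vout, script, sequence in inputs:
        raw += bytes.fromhex(txid)[::-1]  # displayed txid -> internal byte order
        raw += struct.pack("<I", vout) + varint(len(script)) + script + struct.pack("<I", sequence)
    raw += varint(len(outputs))
    for value, script in outputs:
        # int64 value: each output fits on its own, their sum does not (the overflow)
        raw += struct.pack("<q", value) + varint(len(script)) + script
    return raw + struct.pack("<I", locktime)


def txid_of(raw):
    return dsha256(raw)[::-1].hex()


def legacy_sighash(inputs, outputs, index, spent_script, hashtype, version=1, locktime=0):
    """Legacy SignatureHash as Bitcoin Core computes it (OP_CODESEPARATOR handling omitted).

    Only the low 5 bits select NONE/SINGLE; any other base value (0x08 for 0xa8) commits
    to all outputs like ALL, and the 0x80 bit (ANYONECANPAY) keeps only the signed input.
    Returns (digest, preimage); z is int.from_bytes(digest, "big").
    """
    base = hashtype & 0x1F
    ins = []
    for i, (txid, vout, _, sequence) in enumerate(inputs):
        script = spent_script if i == index else b""  # other inputs get an empty script
        if i != index and base in (SIGHASH_NONE, SIGHASH_SINGLE):
            sequence = 0
        ins.append((txid, vout, script, sequence))
    if hashtype & SIGHASH_ANYONECANPAY:
        ins = [ins[index]]
    if base == SIGHASH_NONE:
        outs = []
    elif base == SIGHASH_SINGLE:
        if index >= len(outputs):
            raise ValueError("SIGHASH_SINGLE with no matching output is not modelled here")
        outs = [(-1, b"")] * index + [outputs[index]]
    else:
        outs = list(outputs)
    preimage = serialize_tx(ins, outs, version, locktime) + struct.pack("<I", hashtype)
    return dsha256(preimage), preimage


def merkle_root(txids):
    """Merkle root over displayed txids; leaves and result are in internal byte order."""
    layer = [bytes.fromhex(t)[::-1] for t in txids]
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])  # odd count: the last hash is duplicated
        layer = [dsha256(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
    return layer[0][::-1].hex()


def block_hash(header_hex):
    return dsha256(bytes.fromhex(header_hex))[::-1].hex()


# Transaction fields exactly as decoded in the post.
OVERFLOW_INPUTS = [(
    "237fe8348fc77ace11049931058abb034c99698c7fe99b1cc022b1365a705d39", 0,
    bytes.fromhex("483045022100db8ccad098467a80bdb9ae16fca82aa4214a66c1ee24b62b696073e7e4f6879302205ad02d53231be18c5d6a77ffdb39476a5b5da4be70f0acc6794b181f4e38027ca841046b5d97aeed2979207f4ca7d9e75cdebf9ebb2a47d0b715370645f6845edfa7adfb0627ad7bda601ad2d129ebf037c5750841e9ba64ab199c4cb8280a95335d96"),
    0xFFFFFFFF,
)]
OVERFLOW_VALUE = 9223372036854277039  # 92233720368.54277039 BTC in satoshi
OVERFLOW_OUTPUTS = [
    (OVERFLOW_VALUE, bytes.fromhex("76a91490e8d5ba1c2a301824b18d383dead728b13ea7b788ac")),
    (OVERFLOW_VALUE, bytes.fromhex("76a9142c72c4b5e0cbf9b6435f2cec9df8668c5075121588ac")),
]
OVERFLOW_RAW = serialize_tx(OVERFLOW_INPUTS, OVERFLOW_OUTPUTS)

# Merkle leaves and header as listed in the post. The second leaf is 1d5e512a...,
# which is not the txid the fields above produce.
COINBASE_TXID = "012cd8f8910355da9dd214627a31acfeb61ac66e13560255bfd87d3e9c50e1ca"
CHAIN_OVERFLOW_TXID = "1d5e512a9723cbef373b970eb52f1e9598ad67e7408077a82fdac194b65333c9"
HEADER_HEX = "01000000846e2b968653ef0a25a92c12e8884d76919907df8e3079e665686000000000005eecb6808d6de56a05211483d86fc6c7d17cda46c3388dd0c8139e4114ba8e61751e684c0e80001ccf2fae01"


def overflow_preimage(spent_script, hashtype=0xA8):
    """Sighash for input 0 with the 0xa8 type from the post. spent_script must be the
    scriptPubKey of 237fe834...:0, which the post does not show (caller supplies it)."""
    return legacy_sighash(OVERFLOW_INPUTS, OVERFLOW_OUTPUTS, 0, spent_script, hashtype)


if __name__ == "__main__":
    print("rebuilt size", len(OVERFLOW_RAW), "txid", txid_of(OVERFLOW_RAW))
    print("merkle root ", merkle_root([COINBASE_TXID, CHAIN_OVERFLOW_TXID]))
    print("block hash  ", block_hash(HEADER_HEX))
    placeholder = bytes.fromhex("76a914" + "00" * 20 + "88ac")  # PLACEHOLDER spent script, not the real one
    digest, preimage = overflow_preimage(placeholder)
    print("appended bytes", preimage[-4:].hex(), "z =", int.from_bytes(digest, "big"))
```

Running it prints the rebuilt size of 258 bytes and the txid ffbe5490..., matching the decoder output in the post, while the Merkle root and block hash come out as the values listed under the header. Replace the placeholder with the real scriptPubKey of the spent output to obtain the actual z-value; the appended bytes are a8000000 regardless of that script.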
2  Alternate cryptocurrencies / Altcoin Discussion / Is secp160k1 with SHA-1 good enough for an altcoin? on: January 20, 2024, 08:41:53 AM
I know that SHA-1 is broken. However, we still have hardened SHA-1, used for example in Git and in many other places. And as far as I know, the 130-bit public key on secp256k1 is still not swept from the puzzle. Which means that by starting with SHA-1 as a Hashcash function, and with a secp160k1 implementation of P2PK on compressed keys, it should be good enough for a fully functional altcoin, right?

Because I have some questions, and that kind of experiment should answer them:

1. How could Bitcoin look if it had been deployed earlier?
2. How to upgrade the chain if secp256k1 or SHA-256 becomes unsafe?
3. What is the real progress on breaking public keys? Are we really at 130-bit key now, or maybe the creator just moved the funds?

Also, I wonder which curves below secp160k1 can be used to reach similar properties as in Bitcoin. Or: how to prove that a given public key was created out of an N-bit private key, without revealing it?

Another thing is using secq256k1 as a mirror to secp256k1, and creating an altcoin which would just collect proofs that Bitcoin transactions are signed correctly, by using some kind of Zero Knowledge Proof. And I guess the same can be done with secq160k1, right?
3  Bitcoin / Development & Technical Discussion / What do you think about adding unpruneblockchain command? on: January 03, 2020, 11:34:38 PM
Now, people can prune blocks manually by using the pruneblockchain command. Is it acceptable to implement unpruneblockchain, which would redownload missing blocks up to a selected height? This command would succeed only if all hashes still match (meaning there was no blockchain reorganization in the pruned blocks and all UTXOs are still correct).