Is the following idea possible in Bitcoin's Script?

[CIYAM]

What I am wanting to create is a Bitcoin script that will do the following:

- check <data1> against <sig1>
- check <data2> against <sig2>

then only redeem if both sig checks work but *additionally* I need it to ensure that <data1> is identical to <data2> and that <sig1> is different to <sig2>.

Is this even possible?

[DannyHamilton]

I'd think it should be possible with some combination of one or more OP_DUP, OP_EQUAL, OP_VERIFY, OP_EQUALVERIFY, OP_CHECKSIGVERIFY, and OP_NOT.  I'd have to think about it to see if I could come up with the exact script, but I'd be surprised if it couldn't be done.


OP_EQUAL, OP_NOT, and OP_VERIFY should be able to determine if sig1 and sig2 are different, right?
OP_EQUALVERIFY should be able to determine if data1 and data2 are the same, right?
OP_CHECKSIGVERIFY should be able to determine if the signatures are valid, right?
OP_DUP should allow you to duplicate values as needed in the stack so that they can be used in more than one comparison, right?

Maybe I'll play around with this a bit tonight.

[CIYAM]

I'd think it should be possible with some combination of one or more OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIGVERIFY, and OP_NOT.  I'd have to think about it to see if I could come up with the exact script, but I'd be surprised if it couldn't be done.

Hey @DannyHamilton - great to see that you are still here.

I don't think that this is going to be an easy problem to solve and I might offer a BTC reward for the solution (but no point in offering a reward if the problem is not solvable).

[DannyHamilton]

I'd think it should be possible with some combination of one or more OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIGVERIFY, and OP_NOT.  I'd have to think about it to see if I could come up with the exact script, but I'd be surprised if it couldn't be done.

Hey @DannyHamilton - great to see that you are still here.

Yeah, I'm trying really hard to cut back on the time I spend here, but I just haven't been able to make a clean break yet.

I don't think that this is going to be an easy problem to solve and I might offer a BTC reward for the solution (but no point in offering a reward if the problem is not solvable).

If it was an easy problem, I'd think you'd have already figured it out on your own, but I've got a gut feel that it *should* be possible.  I may be wrong on that, but it doesn't feel impossible.

[mmeijeri]

You can't check signatures against arbitrary data. Blockstream has a new opcode CHECKSIGFROMSTACK that allows it in Elements alpha, and that might find its way into Core reasonably soon.

[DannyHamilton]

- snip -
can't check signatures against arbitrary data.
- snip -

Bah.  I hadn't even thought of that.  OP_CHECKSIGVERIFY is going to check the signature against the transaction, not the supplied data.  Hmm.  Maybe not possible after all.  Going to have to really think about this one, but I'm much less confident all of the sudden.

[kiblirov]

It is not solvable with the current OP_ commands we have. Core level implementation is mandatory to make it possible. If you really think it is vital to have such comparisons, then you need to make it happen. I would prefer if you would award a bounty, then many will try to write the code. It will be possible. Nothing can be said impossible in the bitcoin era.

[CIYAM]

The concept is related to my own blockchain R&D and so perhaps not relevant to other uses.

If possible the idea would be to create a P2SH address that has this special script in it which can be redeemed if (and only if) the private key holder signs two messages (it is basically a higher-level mechanism to prevent attempts and double-spends in a non-POW implementation).

Assuming we have a simple message such as:

<public key>
<block height>
<signature>

then if a block creator was to create two blocks at the same height (which would require the same public key due to other mechanisms) then if some funds had been stored in the P2SH address to redeem then anyone could take those funds at that point in time.

I think the idea might not be really very practical anyway as the block creator themselves would be the first person to attempt to spend the funds so it is probably going to require a bit more thought.

[DannyHamilton]

-unknowledgeable nonsense?-

Reported as sig ad spam.

CIYAM, I'm thinking I'll make all threads that I start "self-moderated" as a way to reduce the amount of sig ad spam in my threads.

[CIYAM]

CIYAM, I'm thinking I'll make all threads that I start "self-moderated" as a way to reduce the amount of sig ad spam in my threads.

Yup - mostly the ad sig spammers had kept away from the tech. discussion and project boards (where I pretty much only post nowdays) but it appears that now they won't even respect those two boards.

[Kefkius]

What I am wanting to create is a Bitcoin script that will do the following:

- check <data1> against <sig1>
- check <data2> against <sig2>

then only redeem if both sig checks work but *additionally* I need it to ensure that <data1> is identical to <data2> and that <sig1> is different to <sig2>.

Is this even possible?

If <data1> must be identical to <data2>, then essentially aren't you saying that you require two the following:

- check <data> against <sig1>
- check <data> against <sig2>

Though it seems roundabout, OP_CHECKMULTISIG could potentially be used. If you put <data> in a null output and require 2-of-2 signatures that sign the output, then in effect that would mean <sig1> and <sig2> have to be valid signatures of <data>.

Here's my cursory attempt. The problem with it (in addition to whatever problems I don't see) is that the scriptPubKey doesn't pass the "is_p2sh()" test since it's not "OP_HASH160 <20 bytes> OP_EQUAL". Since I'm not sure how far you're willing to go from Bitcoin in your endeavor, I figure I'll include this anyway.

redeemScript:

Code:

2 <sig1Pubkey> <sig2Pubkey> 2 OP_CHECKMULTISIG

scriptSig:

Code:

0 <sig1> <sig2> <serializedRedeemScript>

scriptPubKey:

Code:

// This part copies <sig1> and <sig2> to the alt stack for later.
2 OP_PICK OP_TOALTSTACK 1 OP_PICK OP_TOALTSTACK

// Normal P2SH stuff.
OP_HASH160 <redeemScriptHash> OP_EQUAL

// Bring <sig1> and <sig2> back from the alt stack. The top stack item will be true if they are not equal.
OP_FROMALTSTACK OP_FROMALTSTACK OP_EQUAL OP_NOT

At any rate, hopefully this will give you some ideas.

[CIYAM]

At any rate, hopefully this will give you some ideas.

Indeed - thanks for the input.

[dagelf]

What I am wanting to create is a Bitcoin script that will do the following:

- check <data1> against <sig1>
- check <data2> against <sig2>

What's your use case? Perhaps there's a simpler solution...

[CIYAM]

What's your use case? Perhaps there's a simpler solution...

It's perhaps a little strange - but what I have been considering is the idea of how to ensure that the same address is not used twice as a sort of contract.

So if two signatures can be tied to the same public key then that would release funds that perhaps otherwise would be CLTV refundable.