1VayNert throwing away BTC

[BurtW]

Dear 1VayNert

It appears that you may have a bug in your transactions that is causing you to throw away 0.01 BTC on each transaction.  Thought you would like to know.

Example here:  http://blockexplorer.com/tx/9969603dca74d14d29d1d5f56b94c7872551607f8c2d6837ab9715c60721b50e

and http://blockexplorer.com/tx/8c8baf2e0529c0193ad3a583306a16fcc3e9cd271ba625e12bfd74261a46ad7c

[Gavin Andresen]

They're not throwing away 0.01 BTC, they just haven't redeemed them yet-- they're using valid-but-strange transactions.

[BTCurious]

Output script:

Code:

04678afd04678afd OP_DROP OP_SHA256 894eeb82f9a851f5d1cb1be3249f58bc8d259963832c5e7474a76f7a859ee95c OP_EQUAL

So as far as I understand it:
It drops this first string (04678afd04678afd) from the stack, so ignore that. Then it hashes (SHA256) the next thing on the stack, which would be in the input script you use. Then that should be equal to the 89...95c part.

So basically these outputs can be claimed by a password.

[theymos]

I'd guess the OP_DROP data is salt for the password.

Spends of these transactions could be intercepted and hijacked by miners. It would be better to do a regular public key transaction and attach the private key as AES-encrypted OP_DROP data. Another way might be to add a proof-of-work to the script so that miners don't have time to hijack the transaction before someone else includes it.

[BTCurious]

That makes sense.

Also, all those transactions* seem to have the same password, too, so he would need to spend all of them at the same time.

*At least the two examples posted. 2 is a representative data sample, no?

[DeepBit]

Another way might be to add a proof-of-work to the script so that miners don't have time to hijack the transaction before someone else includes it.

What do you mean by adding proof-of-work to the script ?

[BurtW]

Learning a lot.  Thanks.

[theymos]

What do you mean by adding proof-of-work to the script ?

Like this (using some disabled/not-yet-implemented Script features):

Code:

ScriptSig: password { [sig] [nonce] OP_DROP }

ScriptPubKey:
//give out the private key
[private key] OP_DROP

OP_3DUP OP_DUP

//check that scriptSig takes expected form
0 1 OP_SUBSTR 72 OP_EQUALVERIFY
73 1 OP_SUBSTR 4 OP_EQUALVERIFY
77 1 OP_SUBSTR { OP_DROP } OP_EQUALVERIFY
OP_SIZE 79 OP_NUMEQUALVERIFY

//check that the hash of scriptSig starts with many zeroes. This is indirectly a hash of the entire
//transaction, since the signature is on a hash of the transaction
OP_HASH256 0 10 OP_SUBSTR 0x00000000000000000000 OP_EQUALVERIFY

//verify signature
OP_EVAL
[pubKey] OP_CHECKSIGVERIFY

//check the password
OP_HASH256 [password hash] OP_EQUAL

({} denotes that something is in a string, not part of the script proper.)

With this, you need to do some "mining" after changing the transaction to make it valid.

[DeepBit]

What do you mean by adding proof-of-work to the script ?

Like this (using some disabled/not-yet-implemented Script features):
...
With this, you need to do some "mining" after changing the transaction to make it valid.

Wow, that's really cool :)
Sadly it can't be used because of disabled ops...

[BTCurious]

Doesn't Eligius accept non-standard scripts? Or is this really non-standard?

[theymos]

Doesn't Eligius accept non-standard scripts? Or is this really non-standard?

They would end up on a different network if they accepted this. The network doesn't recognize OP_SUBSTR anymore, and OP_EVAL isn't implemented yet (though it is planned).

The script I gave is inferior in every way that I can think of to just including an AES-encrypted private key with a standard transaction. I just wanted to illustrate the concept. Possibly there are better ways of doing transaction proof-of-works, though. Maybe you could do it by making public only parts of public keys, signatures, or private keys. It could certainly be better than AES encryption if there was a script op that output a hash of the non-Script parts of transactions: then you wouldn't have to use OP_CHECKSIG at all.

My script could be improved by leaving out the private key and having everyone use the same known keypair. Then it's only a little bigger than the encrypted-private-key method.

[BTCurious]

Well, the substr magic can be replaced by an OP_WITHIN, where it should be within 0x00000000000000 and 0x00000001000000 for example. That would circumvent the OP_SUBSTR, while achieving the same result, right?

[DeepBit]

Would be nice to test for zeroes with OP_LESSTHAN which is allowed, but it's limited to 32 bits only, just as OP_DIV and OP_RSHIFT (both are disabled) :(

Sadly most useful ops are either disabled or crippled by 4 bytes limit.

Well, the substr magic can be replaced by an OP_WITHIN, where it should be within 0x00000000000000 and 0x00000001000000 for example. That would circumvent the OP_SUBSTR, while achieving the same result, right?

No, OP_WITHIN is limited to 32 bit numbers, so it can only work within 0x000000 and 0xFFFFFFFF, a maximum subset is 4 294 967 295 of sha256's output space (around ~0.0000000000000000000000000000000000000000000000000000000000000000000037%)
(not sure about that)

[DeepBit]

Finally redeemed :)
The new TX wasn't even considered strange by the network.

http://blockexplorer.com/tx/9969603dca74d14d29d1d5f56b94c7872551607f8c2d6837ab9715c60721b50e#o2

[sebastian]

theymos: why add the private key AES encrypted when you just can SHA256(password) (like mini-private-keys) and use that as private key?
Then you tell the legit whoever that should be able to access those coins on how you redeem them.

[theymos]

theymos: why add the private key AES encrypted when you just can SHA256(password) (like mini-private-keys) and use that as private key?
Then you tell the legit whoever that should be able to access those coins on how you redeem them.

Probably that is always better than AES encryption.