That sounds fascinating. So the scripting language is fully enabled at the moment? I thought it was present but lobotomized.
The script functionality is limited. Some commands are disabled. It's still possible to do some interesting things with it, though.
Could you talk us through the little script you published?
I realized that the OP_DUP in my script is redundant. Take that out.
When you redeem, you publish the signature and the code (in that order). They are prepended to the script I wrote. To determine whether your transaction is valid, nodes go through these steps (moving left-to-right through the full script):
1. The signature, code, and private key are put on the stack.
2. The private key is discarded (OP_DROP). This is just data meant to be read by the person making the transaction, and is not necessary for verification.
3. The top code is replaced by a hashed version (OP_HASH256).
4. The real hashed code is put on the stack.
5. The the top two items on the stack (the hash of the real code and the hash of the provided code) are compared, and then these items removed (OP_EQUALVERIFY).
6. The public key is put on the stack.
7. The signature is compared to the public key (OP_CHECKSIG).
The script will evaluate to true if the provided signature is valid for the public key in the later part of the script (scriptPubKey) and the hash of the provided code is equal to the hash in the scriptPubKey.
I presume that this requires new clients?
Yes. Only the sender and recipient need to upgrade, though.
I disagree very strongly. I believe the computations you mention could be done in much less time than network latancies.
An attacker probably would win at that point usually. However, the question is whether the full private key can be recovered with a cost less than the cost of the number of bitcoins transmitted, and in less time than it takes for the code to be used by the intended recipient. Hopefully any attack would be too expensive. I am not familiar with partial-key attacks, though; it could very well be a trivial matter to recover a private key when you have 90% of it.
I don't understand how this links with the previous bit of your post. Please explain.
I'm trying to figure out the required length for the code. This is a similar case to figuring out appropriate password length, but with the important difference that each byte has much more entropy.
What scripting functions would need to be added to support it?
I just realized that this is possible now! I thought that all of the arithmetic functions were disabled, but actually only some of them are. You would use a script like this:
OP_DROP OP_HASH256 OP_EQUALVERIFY OP_DUP OP_LESSTHAN OP_IF OP_CHECKSIG OP_ENDIF The person redeeming provides a signature and a code (in that order). It would evaluate like this:
1. The signature, code, and private key are put on the stack.
2. The private key is removed (OP_DROP).
3. The code is hashed (OP_HASH256).
4. The real code is put on the stack.
5. The real code is compared to the provided code, and both are removed (OP_EQUALVERIFY).
6. The signature is duplicated on the stack (OP_DUP).
7. The target is put on the stack.
8. If the signature is less than the target, 1 is put on the stack. Otherwise 0. Both items are removed.
9. If 1 is the the top item on the stack, go to 10 and 11. Otherwise, the transaction will not be valid.
10. The public key is put on the stack.
11. The signature is compared to the public key (OP_CHECKSIG).
This is assuming the signature can be converted into a bignum. Otherwise I think we'd need OP_SUBSTR, which is disabled.
So I believe it is right now possible (with a modified client) to transfer bitcoins using an ~8-character code! It'd probably even be safe to reduce that to 6 characters.