I wonder, if it is possible to emulate OP_CHECKSIGFROMSTACK, by using a properly constructed OP_CHECKMULTISIG, for example as a 2-of-2 multisig, where two signatures are given, and the whole task is to find a single public key, which will unlock both, at the same time.
A typical OP_CHECKMULTISIG works like that:
full script: OP_2 OP_2 OP_CHECKMULTISIG
input script:
output script: OP_2 OP_2 OP_CHECKMULTISIG
However, what if we can do instead:
full script: OP_TOALTSTACK OP_2 OP_FROMALTSTACK OP_DUP OP_2 OP_CHECKMULTISIG
input script:
output script: OP_TOALTSTACK OP_2 OP_FROMALTSTACK OP_DUP OP_2 OP_CHECKMULTISIG
And then, we can be sure, that z-value is identical in both signatures, so we can pick (r,s) pairs in a way, where if someone will provide the proper public key, it will be an equivalent of signing a given message.
s1=(z+r1*d)/k1
s2=(z+r2*d)/k2
s1*k1=z+r1*d
s2*k2=z+r2*d
z=(s1*k1)-(r1*d)
z=(s2*k2)-(r2*d)
d=((s1*k1)-z)/r1
d=((s2*k2)-z)/r2
Of course, that kind of construction will reveal all private keys. However, by putting the proper (r,s) pairs, it may be possible to put publicly known values here, and just use it as a calculator, which will work as a some kind of "multiply and add a given 256-bit number, by those values". Normally, a regular OP_CHECKSIG would be sufficient here, but OP_CHECKMULTISIG has a nice property of enforcing identical z-value in all signatures.
Or: maybe 3-of-3 multisig, or something bigger is needed, to make a proper OP_CHECKSIGFROMSTACK?
