Can we construct a UTXO which is spendable only via proof of work?

9

3

Do the current Bitcoin opcodes and transaction size limit allow constructing a UTXO which is only spendable if a specified amount of work has been performed?

So the spender, would provide a nonce as input to the script. Then the script would essentially perform a highly simplified version of how bitcoin's block headers are verified (the nonce is combined with some other data, hashed, and the hash is compared with a "target.").

Without OP_CAT and with arithmetic limited to 4 byte inputs, do I understand correctly that the above would be impossible? Or is there some workaround?

philbw4

Posted 2019-10-17T23:44:15.940

Reputation: 327

4You could add an op return to your tx with the first 200 bits of the private key. A spender would have to grind the last 56 bits until they find the right private key to sign with. Combine with multisig or Schnorr tweak to target a single recipient!pinhead 2019-10-18T03:50:10.503

@pinhead thanks! That's a clever way to do it. Indeed it would require proof of work to uncover the key. However, in this case everyone would be guaranteed to ultimately end up with essentially the same "nonce" (which is just the full private key), so wouldn't a mainchain miner just be able to steal the reward?

Or, put another way, can you clarify what you mean about using, for example, multisig so that it targets a single recipient? Namely whoever put in the work but also in a manner that the original UTXO didn't need to know who the set of potential workers is. Is this making sense? – philbw4 2019-10-18T04:03:42.160

2Hm that's hard. Miners can steal anything that's not signed. My thought was you could send to a 2of2 multisig where one key is a known recipient and the other key must be brute forced (by that recipient) A miner wouldn't be able to steal that.pinhead 2019-10-18T04:07:12.943

Again, thank you very much for your answer. This is extremely helpful. So the challenge have with that construction (the 2of2 method you proposed) is that I would need to know the key of the recipient ahead of time which is not what I want. Is there a way we can sort of chain a series of these types of transactions together to accomplish that?philbw4 2019-10-18T04:16:40.657

What is the application of this? I’m curious to know what you’re trying to accomplishchytrik 2019-10-18T22:12:22.110

hi @chytrik, thanks for your interest. There are a couple applications I can think of. The primary one I'm most interested in though is eluded to in my other question here https://bitcoin.stackexchange.com/questions/91069/are-there-any-slow-sidechains-what-are-the-tradeoffs Basically I want to determine if there is any way whatsoever that bitcoin as-is could verify even a single block header of a purely proof-of-work (as opposed to federated) sidechain. The question here then is just a reduced form of that question.

philbw4 2019-10-18T22:24:20.250

Answers

0

This talk gives you one way to do it. Also you don't have to write script. You can write sCrypt in an IDE.

sinoTrinity

Posted 2019-10-17T23:44:15.940

Reputation: 147

Thank you for your answer. However, the links you provide do not pertain to the bitcoin network I asked about but instead to a fork of a fork of BTC. Are you suggesting that these tools can also be used on BTC as-is?philbw4 2019-10-23T05:04:20.163

No. If you look into it, it is much more aligned with the original bitcoin than BTC.

sinoTrinity 2019-10-23T06:39:04.757

1I understand what you are saying but, again, my question (and this forum itself) is generally for questions about BTC, not other networks. If you are aware of a solution to my question that works on BTC, please feel free to edit your answer. However, for now I will mark it as not helpful so as to not confuse others. Thanks again for taking the time to answer though.philbw4 2019-10-23T22:09:38.057

Asked: 2019-10-17T23:44:15.940

Viewed: 124 times

Active: 2019-11-22T05:00:24.160