dgpv/scripts-that-reveal-privkey Secret

## scripts-that-reveal-privkey
Two scripts that could be used for atomic swaps via disclosure of certain privkey

The one with CODESEPARATOR could be used on Bitcoin (with segwit)
The one with CHECKSIGFROMSTACK could be used on Elements

Note: Using this (https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-December/016594.html):
Input: <S> Script: <known R> SWAP CAT <key> CHECKSIG
The script would be even shorter on Elements


Swap contract that <was incorrectly thought to> force R reuse via OP_CODESEPARATOR:
# EDIT: this does not actually force R reuse ! It needs something else for this.
#       The signer can use different nonces for the two signatures, and there are no checks for this
#       I am not aware how to achieve this without the size-trick with known-small R or without opcodes
#       like OP_CAT, OP_LEFT, OP_AND that are diabled on bitcoin.

       OP_IF,
                       # At the start (after TRUE was consumed by IF):
                       # sig1 sig2 buyer_sig
            reveal_key_pubkey,
                       # rpub sig1 sig2 buyer_sig
            OP_TUCK,   # rpub sig1 rpub sig2 buyer_sig
            OP_CHECKSIGVERIFY,
                       # rpub sig2 buyer_sig
            OP_CODESEPARATOR,
            # NOTE: second sighash will be calculated with script truncated at this point
            # it will include only opcodes below this point
            OP_CHECKSIGVERIFY,
                       # buyer_sig
            buyer_pubkey,
                       # buyer_pubkey buyer_sig
        OP_ELSE,
            elements_contract_timeout, OP_CHECKSEQUENCEVERIFY,
            OP_DROP,
            seller_pubkey,
        OP_ENDIF,
        OP_CHECKSIG

Swap contract that forces R reuse via CHECKSIGFROMSTACK:

       OP_IF,
                       # At the start (after TRUE was consumed by IF):
                       # sig_prefix sig_suffix buyer_sig
            r,         # sig_r sig_prefix sig_suffix buyer_sig
            OP_CAT,    # sig_prefix+sig_r sig_suffix buyer_sig
            OP_SWAP,   # sig_suffix sig_prefix+sig_r buyer_sig
            OP_CAT,    # sig buyer_sig
            1,         # msg sig buyer_sig
            reveal_key_pubkey,
                       # rpub msg sig buyer_sig
            OP_CHECKSIGFROMSTACKVERIFY,
                       # buyer_sig
            buyer_pubkey,
                       # buyer_pubkey buyer_sig
        OP_ELSE,
            elements_contract_timeout, OP_CHECKSEQUENCEVERIFY,
            OP_DROP,
            seller_pubkey,
        OP_ENDIF,
        OP_CHECKSIG
	Two scripts that could be used for atomic swaps via disclosure of certain privkey

	The one with CODESEPARATOR could be used on Bitcoin (with segwit)
	The one with CHECKSIGFROMSTACK could be used on Elements

	Note: Using this (https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-December/016594.html):
	Input: <S> Script: <known R> SWAP CAT <key> CHECKSIG
	The script would be even shorter on Elements


	Swap contract that <was incorrectly thought to> force R reuse via OP_CODESEPARATOR:
	# EDIT: this does not actually force R reuse ! It needs something else for this.
	# The signer can use different nonces for the two signatures, and there are no checks for this
	# I am not aware how to achieve this without the size-trick with known-small R or without opcodes
	# like OP_CAT, OP_LEFT, OP_AND that are diabled on bitcoin.

	OP_IF,
	# At the start (after TRUE was consumed by IF):
	# sig1 sig2 buyer_sig
	reveal_key_pubkey,
	# rpub sig1 sig2 buyer_sig
	OP_TUCK, # rpub sig1 rpub sig2 buyer_sig
	OP_CHECKSIGVERIFY,
	# rpub sig2 buyer_sig
	OP_CODESEPARATOR,
	# NOTE: second sighash will be calculated with script truncated at this point
	# it will include only opcodes below this point
	OP_CHECKSIGVERIFY,
	# buyer_sig
	buyer_pubkey,
	# buyer_pubkey buyer_sig
	OP_ELSE,
	elements_contract_timeout, OP_CHECKSEQUENCEVERIFY,
	OP_DROP,
	seller_pubkey,
	OP_ENDIF,
	OP_CHECKSIG

	Swap contract that forces R reuse via CHECKSIGFROMSTACK:

	OP_IF,
	# At the start (after TRUE was consumed by IF):
	# sig_prefix sig_suffix buyer_sig
	r, # sig_r sig_prefix sig_suffix buyer_sig
	OP_CAT, # sig_prefix+sig_r sig_suffix buyer_sig
	OP_SWAP, # sig_suffix sig_prefix+sig_r buyer_sig
	OP_CAT, # sig buyer_sig
	1, # msg sig buyer_sig
	reveal_key_pubkey,
	# rpub msg sig buyer_sig
	OP_CHECKSIGFROMSTACKVERIFY,
	# buyer_sig
	buyer_pubkey,
	# buyer_pubkey buyer_sig
	OP_ELSE,
	elements_contract_timeout, OP_CHECKSEQUENCEVERIFY,
	OP_DROP,
	seller_pubkey,
	OP_ENDIF,
	OP_CHECKSIG