Not sure I understand you correctly. This procedure should enforce the message to be the
- In step1 it is obviously the case.
- In step2 m=z is enforced with Andrew’s CAT trick. It can be used as a primitive to push the sighash digest onto the stack. (Of course, you have to check here that the signature is exactly 64 bytes, implicitly enforcing SIGHASH_ALL.)
I don’t see how your attack breaks that.
That’s a misunderstanding. I do not want to introduce any opcode.
My main point is that OP_CAT can reduce scalar multiplication for curve points to a single subtraction of field elements. That in itself is an interesting result.
Furthermore, I estimate that (given CAT) we probably can already implement subtraction of field elements in less than 250 opcodes. Definitely seems to be trivially possible when using kilobytes of Script. That’s why I thought it’s fair to assume `op_secp256k1_scalar_sub` as given, to then show the main point.