contract BitcoinAuth =
  record state = { nonce : int, owner : bytes(64) }

  function init(owner' : bytes(64)) = { nonce = 1, owner = owner' }

  function authorize(n : int, s : signature) : bool =
    require(n >= state.nonce, "Nonce too low")
    require(n =< state.nonce, "Nonce too high")
    put(state{ nonce = n + 1 })
    switch(Auth.tx_hash)
      None          => abort("Not in Auth context")
      Some(tx_hash) => Crypto.ecverify_secp256k1(to_sign(tx_hash, n), state.owner, s)

  function to_sign(h : hash, n : int) : hash =
    Crypto.blake2b((h, n))

  private function require(b : bool, err : string) =
    if(!b) abort(err)