
Let's say my Bitcoin address is 1Nu5mzpUD9A7daZ76QJEsBfkBjCWVLh7pJ and I sign the message random-challenge with its private key.

The result is:

IAjU1mpvy70Li2Q1jDaNJKaQudaAJia1oF9SYJ8HGGuNffT9ERmc77WgPMONPLHKAhO8d0bhDF5Nvn+AUzS6R04=

Bitcoin uses a unique property of ECDSA which allows the public key to be calculated from the message and signature. So if I send the recipient the above message and signature, he/she will be able to get my address 1Nu5mzpUD9A7daZ76QJEsBfkBjCWVLh7pJ.

Now, if I send the same signature and a completely different message, will it derive all the time a valid random Bitcoin address? And if yes, doesn't this have some serious security implication, allowing people to prove they control an address without having the private key?

EricLarch
    If you change the message, the signature won't verify. You might be able to compute a value that looks like an address, but nobody will believe it's an address that you control. – Nate Eldredge Apr 03 '14 at 15:23
  • How can they make the difference between a real address and an address (valid) that I forged/extracted from the message and signature? – EricLarch Apr 03 '14 at 15:37
  • No, that's what I'm saying. You don't tell the difference by looking at the address, but by seeing whether the signature verifies correctly. – Nate Eldredge Apr 03 '14 at 15:39
  • But it does verify! I took a valid signature, I took a random message, and I found an address where verify_signature(signature, random message, forged address) is true. – EricLarch Apr 03 '14 at 15:43
  • I may not be understanding what you are doing. Can you give a complete example? – Nate Eldredge Apr 03 '14 at 19:26
  • I found this relevant post on Crypto.SE, in which they conclude that an analogous attack against RSA is (sort of) feasible: given a signature S (that signed some message M1 using a secret key K1) and a second message M2 of your choice, you may be able to find a key K2 such that S validates as a good signature of M2 by K2. There's no discussion of the ramifications, but Crypto.SE might be a good forum for more expert opinions. – Nate Eldredge Apr 12 '14 at 03:49
  • I asked a new question about this on Crypto.SE: http://crypto.stackexchange.com/questions/15538/given-a-message-and-signature-find-a-public-key-that-makes-the-signature-valid – Nate Eldredge Apr 12 '14 at 04:01

1 Answer


Now, if I send the same signature and a completely different message, will it derive all the time a valid random Bitcoin address?

Yes.

And if yes, doesn't this have some serious security implication, allowing people to prove they control an address without having the private key?

No. In order to prove you control an address, you must do much more than just produce a signature generated by that address. Otherwise, if you were in possession of anyone else's proof, you could claim it as your own.

The validation process consists of three steps:

1) Ensure the signature correctly signs the message.

2) Ensure the public key used for the signatures matches the Bitcoin address you are expecting proof of.

3) Make sure the signed payload actually proves the person you think controls the address.

Your mutilation would break step 1. Since you're changing the message, the signature no longer signs the message.

The verifymessage command does steps 1 and 2. Step 3 must be done by higher-level code depending on the context.

David Schwartz
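To make the exchange above concrete, here is an added, self-contained Python model of the recovery property and of the answer's three-step check; it is not code from the question, the answer, or Bitcoin Core. It uses a constructed private key, a toy nonce in place of RFC 6979, and a SHA-256 stand-in for the address (real addresses add RIPEMD-160 and Base58Check), so the hashes it prints are illustrative only.

```python
import hashlib

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    l = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (l * l - a[0] - b[0]) % P
    return (x, (l * (a[0] - x) - a[1]) % P)
def mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r
def msg_hash(m):  # Bitcoin signed-message hash (messages shorter than 253 bytes)
    data = b"\x18Bitcoin Signed Message:\n" + bytes([len(m)]) + m
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")
def address(pub):  # address stand-in: SHA-256 of the compressed key (real addresses add RIPEMD-160 + Base58Check)
    return hashlib.sha256(bytes([2 + pub[1] % 2]) + pub[0].to_bytes(32, "big")).hexdigest()
def sign(d, m):  # returns (r, s, recid); nonce derived from (d, z) is a toy stand-in for RFC 6979
    z = msg_hash(m)
    k = int.from_bytes(hashlib.sha256(d.to_bytes(32, "big") + z.to_bytes(32, "big")).digest(), "big") % N
    R = mul(k, G); r = R[0] % N
    return (r, pow(k, -1, N) * (z + r * d) % N, R[1] % 2)
def verify(pub, sig, m):  # step 1 alone: does the signature sign this message under this key?
    r, s, _ = sig
    w, z = pow(s, -1, N), msg_hash(m)
    X = add(mul(z * w % N, G), mul(r * w % N, pub))
    return X is not None and X[0] % N == r
def recover(sig, m):  # the key-recovery property: Q = r^-1 * (s*R - z*G); assumes r < N so R.x == r
    r, s, recid = sig
    y = pow(r ** 3 + 7, (P + 1) // 4, P)  # square root mod P (P = 3 mod 4)
    R = (r, y if y % 2 == recid else P - y)
    rinv, z = pow(r, -1, N), msg_hash(m)
    return add(mul(s * rinv % N, R), mul((N - z % N) * rinv % N, G))
def demo():  # constructed private key; the same signature checked against two messages
    d, m1, m2 = 0xC0FFEE1234567890ABCDEF, b"random-challenge", b"a completely different message"
    q, sig = mul(d, G), sign(d, m1)
    q2 = recover(sig, m2)  # a valid curve point with a valid-looking address, but it is not q
    return {"mine": address(q), "recovered_m1": address(recover(sig, m1)), "recovered_m2": address(q2),
            "step1_with_my_key_m2": verify(q, sig, m2), "step1_with_recovered_key_m2": verify(q2, sig, m2)}
```

Recovery from the substituted message yields a key whose address differs from the expected one, so step 2 fails; checking the original key against the substituted message (step 1) fails as well, which is exactly why a verifier must compare the recovered address with the one it expects rather than accept whatever address falls out.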