Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: vjudeu on November 29, 2021, 02:08:52 PM



Title: The smallest valid signature
Post by: vjudeu on November 29, 2021, 02:08:52 PM
Because of a bug in SIGHASH_SINGLE, it is possible to precompute a signature for some unknown key, where:

z=0100000000000000000000000000000000000000000000000000000000000000
r=0000000000000000000000000000000000000000000000000000000000000001
s=0000000000000000000000000000000000000000000000000000000000000001

For those three values, it is possible to find some public key:

Q=032baf163f5e27261ab3228e61fb86dc98054abd514751fce93d7444e8fbc6a293

Then, our scriptSig is equal to 09300602010102010103. That's the smallest signature I can think of, because r=1 and s=1, so our scriptSig has only 10 bytes! This signature is valid and was confirmed in testnet transaction 3952b35bde53eb3f4871824f0b6b8c5ad25ca84ce83f04eb1c1d69b83ad6e448. The private key for such a public key is unknown, but the signature is valid for SIGHASH_SINGLE. Is it possible to do the same for SIGHASH_ALL if we assume that setting any z-value is possible and that we can change our public key to any value?


Title: Re: The smallest valid signature
Post by: garlonicon on November 29, 2021, 06:24:46 PM
Quote
Is it possible to do the same for SIGHASH_ALL if we assume that setting any z-value is possible and that we can change our public key to any value?
It depends. If you have to sign your public key (or a hash of that key, or some previous transaction output where you have to know that key) then no. But if you can use any public key, then it is possible. I can imagine some weird script with a constant signature and a variable public key, something like "OP_OVER 300602010102010101 OP_EQUALVERIFY OP_CHECKSIG", then you can make a transaction, get your z-value and put your matching public key in such a script.

Also note you can do such things in Bitcoin Message:
Code:
message="Hello World"
address="1psPJZYEJrjPtY6kw5Tqtj4mW2yXSSDuH"
signature="GwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE="
Here you have r=1 and s=1 in a signature for some arbitrary message. Of course both k and d are unknown, but it does not matter if you can use any public key.