Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: amaclin on December 26, 2016, 07:12:19 PM



Title: Some magic?
Post by: amaclin on December 26, 2016, 07:12:19 PM
Can anyone explain the magic math in this transaction?  :o
0895e97e9c4ce7ebe04e15e0835bb0788053fbfdbbb2f3f25f81631687d7b857

https://test.webbtc.com/script/0895e97e9c4ce7ebe04e15e0835bb0788053fbfdbbb2f3f25f81631687d7b857:0

Code:
OP_DUP
OP_HASH160
2ffb13a67da34b06da4297d9dc25e5953e658a7b
OP_EQUALVERIFY
OP_SWAP
OP_CHECKSIG

(I am too lazy to research everything myself. But this transaction is the most beautiful one in the blockchain I think)


Title: Re: Some magic?
Post by: gmaxwell on December 26, 2016, 10:38:33 PM
An ECDSA signature itself does not prove knowledge of a discrete log.

You can pick a random message and a random signature, then compute the public key this signature/message pair would be valid for.

To accomplish this, you must-- of course-- make sure the message does not contain any commitment to the public key.

Bitcoin's signatures include a commitment to the scriptPubkey-- but nothing requires you to have the EC public key there.

This cute construction is not secure: if you'd seen that txn before confirmation you could have modified the destination and computed a new pubkey.

If you take a look at Roconnor's covenants post (https://blockstream.com/2016/11/02/covenants-in-elements-alpha.html) you'll see he uses the same kind of pubkey recovery to turn checksig into an operation for verifying a hash of the masked transaction-- which otherwise the script doesn't have access to.


Title: Re: Some magic?
Post by: DannyHamilton on December 28, 2016, 01:28:35 AM
An ECDSA signature itself does not prove knowledge of a discrete log.

You can pick a random message and a random signature, then compute the public key this signature/message pair would be valid for.

To accomplish this, you must-- of course-- make sure the message does not contain any commitment to the public key.

Bitcoin's signatures include a commitment to the scriptPubkey-- but nothing requires you to have the EC public key there.

This cute construction is not secure: if you'd seen that txn before confirmation you could have modified the destination and computed a new pubkey.

If you take a look at Roconnor's covenants post (https://blockstream.com/2016/11/02/covenants-in-elements-alpha.html) you'll see he uses the same kind of pubkey recovery to turn checksig into an operation for verifying a hash of the masked transaction-- which otherwise the script doesn't have access to.

amaclin already knew all of this, and almost certainly created this transaction himself.

Thank you for taking the time to explain it to everyone else that looks at this thread.


Title: Re: Some magic?
Post by: amaclin on December 28, 2016, 07:24:41 AM
amaclin already knew all of this,
Not all, but the best way to study and teach is asking questions.

and almost certainly created this transaction himself.
You are wrong.
You can google the txid and find the creator. His nickname is "arubi"


Title: Re: Some magic?
Post by: DannyHamilton on December 28, 2016, 03:32:09 PM
amaclin already knew all of this,
Not all, but the best way to study and teach is asking questions.

and almost certainly created this transaction himself.
You are wrong.

Perhaps.  Perhaps not.  But it wouldn't be the first time you posted something here wanting someone to explain what you created rather than explaining it yourself.

You can google the txid and find the creator. His nickname is "arubi"

Certainly, but I can't tell whether you are "arubi" or not.


Title: Re: Some magic?
Post by: amaclin on December 28, 2016, 03:43:57 PM
But it wouldn't be the first time you posted something here wanting someone to explain
Is it forbidden by national laws, forum rules or religious ethics?  ;D

Let's assume that I am a school teacher.
Most teachers ask questions already knowing the answers.
The best of them ask questions without knowing the correct answer.

The point is to teach the students about something new and interesting.
If you are not interested in bitcoin script abilities you can chat in 'Marketplace' section
of this forum about bitcoin price on exchanges.

By the way.
Can you explain in terms of addition/multiplication on EC how to create such address?
I am still looking for the answer.


Title: Re: Some magic?
Post by: piotr_n on December 28, 2016, 05:33:32 PM
I found it interesting.
Thanks for starting this topic, @amaclin

It intrigued me how one can make a valid signature before having the message.
Thanks for explaining, @gmaxwell


Title: Re: Some magic?
Post by: gmaxwell on December 28, 2016, 10:59:27 PM
Arubi doesn't have a bitcointalk account, and saw others being blamed for their transaction and asked me to post this:

Code:
mw1vkYok3eGrccuMx5Ztbj3RH6Pyrb8b8z H5Fm9/Ejebxv5KybIf+hUgGcubVp3B6bxcl7RVMLUS7EABFn75VsV+S+sNW5Oc02M/awPv8tHAeIS+PJtU5qVyA= "I am not amaclin :) : https://gist.github.com/fivepiece/f39de978f5fb94b08b54f33db5e42d9a  -  arubi"


Title: Re: Some magic?
Post by: amaclin on January 08, 2017, 02:06:00 PM
even more fucking magic here:
testnet address: 2N1L2bubWhfQd7ZkV31fw9VnFt45bHGZ39n

I've spent a couple of days to resolve the same problem as
https://github.com/bitcoin-core/secp256k1/issues/419
and finally got it
https://testnet.smartbit.com.au/tx/c6c232a36395fa338da458b86ff1327395a9afc28c5d2daa4273e410089fd433


Title: Re: Some magic?
Post by: DuddlyDoRight on January 08, 2017, 05:13:01 PM
You could probably make an attack using this by just implementing a passive handler in some mining software and having decent throughput to increase the probability of being first if anyone ever uses it.

I was looking into similar stuff a while back when I was basically fuzzing whitelisted blockchain scripts. It kind of falls under the throughput prerequisite like double spending does though.

It'd probably be a waste of time though because only devs would put something like this out there and they wouldn't do it with anything profitable. An attacker would be better off looking for memory corruption in block handlers of popular wallet software.


Title: Re: Some magic?
Post by: arubi on January 11, 2017, 11:26:38 AM

mw1vkYok3eGrccuMx5Ztbj3RH6Pyrb8b8z ILuXAeNs5Huml35IlLrDRP2aMTjdSOH7Lcx2NzN6xdy1fvNlcluhEQdlcOE8l4TmsX5pXmvC/dXoa/pMenmBBx8= "thank you gmaxwell for passing this message for me: https://bitcointalk.org/index.php?topic=1729534.msg17330531#msg17330531.  I have registered 'arubi' in bitcointalk."

even more fucking magic here:
testnet address: 2N1L2bubWhfQd7ZkV31fw9VnFt45bHGZ39n

I've spent a couple of days to resolve the same problem as
https://github.com/bitcoin-core/secp256k1/issues/419
and finally got it
https://testnet.smartbit.com.au/tx/c6c232a36395fa338da458b86ff1327395a9afc28c5d2daa4273e410089fd433


The redeemScript in your transaction is :

Code:
21026D2204A9535443657A88A0724FBD49A0E78D305F50A82F2CC9DD9BEA10A6C5CD0C093006020101020101017CAC

Which is really :

Code:
0x21 026D2204A9535443657A88A0724FBD49A0E78D305F50A82F2CC9DD9BEA10A6C5CD
0x0C 093006020101020101017CAC

So no actual checksig is being done, it's just a push-only script that anyone can spend (by knowing the preimage to the hash160 of the p2sh address!).


Title: Re: Some magic?
Post by: amaclin on January 11, 2017, 11:31:36 AM
So no actual checksig is being done, it's just a push-only script that anyone can spend (by knowing the preimage to the hash160 of the p2sh address!).
checksig is there :)
try to
Code:
decodescript 093006020101020101017CAC
because this script is also executed


Title: Re: Some magic?
Post by: arubi on January 11, 2017, 11:36:59 AM
So no actual checksig is being done, it's just a push-only script that anyone can spend (by knowing the preimage to the hash160 of the p2sh address!).
checksig is there :)
try to
Code:
decodescript 093006020101020101017CAC
because this script is also executed

Ah, of course, my bad :)
I mistakenly treated the whole script as the redeemScript.

2N1L2bubWhfQd7ZkV31fw9VnFt45bHGZ39n == p2sh(093006020101020101017CAC)

You're correct.


Title: Re: Some magic?
Post by: arubi on January 11, 2017, 12:52:56 PM
How about some more related magic?

Code:
bitcoin-cli -testnet verifymessage n3pipvo2QLdpA7fT6rdxpK4SwtQMU7NjTW HwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= "more magic!"

But also..

Code:
moRMb9NywwQK11DGACpbyCnF9PHUYi4T8j GwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= "more magic!"

And even..

Code:
mhiPJJ6S8a4esoZ5vg7sLr8CUQ4ucAiJh4 IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= "more magic!"
mmXG3SFKMh97itFinputYGmTTamZ6aNWuW HAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= "more magic!"

Four addresses that return true for validating the same signature and message. This is expected, but then...

Code:
mfrhby2UMRhbRtH9b6eojUzJmKz2Cv3jeZ GwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mkgdQagihvyJ4p22iXuow9JefTfJMdEH1d HwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mxAbUQiehf7nNcxLQ7snrbwu2qA9qKSeEG HAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mzYEkoB9Mh4N376U4gVwL2MvQw9sJT1GB7 IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
miZSVBRAYM6M6YauJP9oF8jnsCewQjNDrU HQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mtbsZRThdRAX3A95HqhqQPiqQEntaHu5jj IQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
myJ2iF9WxfMmi71B25jMVX9wVzfkHiG9mg HgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mg28w5mhexA31huumnBVX4VvR9fRupSWot IgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"


Title: Re: Some magic?
Post by: amaclin on January 11, 2017, 12:58:59 PM
I do not know how the digest is calculated for bitcoin messages.
But your eight signatures do not seem "the same".
So, this is not real magic  ;D


Title: Re: Some magic?
Post by: arubi on January 11, 2017, 01:10:24 PM
All 4 in the beginning are the same (r=1, s=1), and all 8 afterwards are the same (r=4, s=4):

Code:
1b 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
1f 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
1c 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
20 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
1d 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
21 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
1e 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
22 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004

The first byte is something Core prepends to the signature, but it is not part of it (it is not signed either).
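
Added example (not code from this thread, from Bitcoin Core or from libsecp256k1): a pure-Python secp256k1 implementation of the public-key recovery that gmaxwell describes and that arubi's r=1,s=1 / r=4,s=4 message signatures rely on. `recover()` computes Q = r^-1 (s*R - z*G) for any (r, s, z) you choose, with no private key involved; `forge()` picks all three from a constructed seed and then derives a key that `verify()` accepts, which is exactly why a scriptPubKey that commits to the signature instead of the key (the OP_DUP OP_HASH160 ... OP_SWAP OP_CHECKSIG output above, or the redeemScript `09 3006020101020101 01 7C AC`, i.e. push of the DER signature r=1, s=1 with SIGHASH_ALL, then OP_SWAP OP_CHECKSIG) is spendable by anyone who can change the transaction hash. `message_hash()` is the signmessage digest, and `parse_header()` decodes the 27 + recid (+4 if compressed) byte that arubi lists; each recovery id for which R exists gives one key and therefore two addresses (compressed and uncompressed encodings), which is where the 4 and 8 addresses come from. The seed and messages are constructed; the arithmetic is not constant time and is for illustration only.

```python
# Added example: secp256k1 ECDSA public-key recovery from an arbitrary
# (r, s, message-hash) triple.  Not code from the thread; nothing here is a real key.
import hashlib

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x, odd):
    """Curve point with this x and y parity, or None if no point has that x
    (P = 3 mod 4, so the square root is a single exponentiation)."""
    if x >= P:
        return None
    y2 = (pow(x, 3, P) + 7) % P
    y = pow(y2, (P + 1) // 4, P)
    if y * y % P != y2:
        return None
    if (y & 1) != odd:
        y = P - y
    return (x, y)


def recover(r, s, z, recid):
    """Q = r^-1 (s*R - z*G).  recid bit 0 = parity of R.y, bit 1 = R.x is r + N.
    Any (r, s, z) for which R exists yields some key; no secret is needed."""
    if not (0 < r < N and 0 < s < N):
        return None
    R = lift_x(r + (N if recid & 2 else 0), recid & 1)
    if R is None:
        return None
    r_inv = pow(r, -1, N)
    return ec_add(ec_mul(s * r_inv % N, R), ec_mul(-z * r_inv % N, G))


def verify(Q, z, r, s):
    """Textbook ECDSA verification: x(z/s * G + r/s * Q) == r (mod N)."""
    if Q is None or not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    X = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, Q))
    return X is not None and X[0] % N == r


def message_hash(msg):
    """Digest used by signmessage/verifymessage: double SHA-256 over the
    compact-size-prefixed magic string and message."""
    def compact_size(n):
        if n < 0xFD:
            return bytes([n])
        if n <= 0xFFFF:
            return b"\xfd" + n.to_bytes(2, "little")
        return b"\xfe" + n.to_bytes(4, "little")
    magic = b"Bitcoin Signed Message:\n"
    data = compact_size(len(magic)) + magic + compact_size(len(msg)) + msg
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")


def parse_header(hdr):
    """First byte of a 65-byte message signature: 27 + recid, +4 if the
    recovered key is to be encoded compressed.  Returns (recid, compressed)."""
    v = hdr - 27
    return v & 3, bool(v & 4)


def forge(seed):
    """Choose r, s and the message hash first (derived from a constructed seed,
    retrying until some point has x = r), then derive a key that accepts them."""
    for ctr in range(256):
        r, s, z = (int.from_bytes(hashlib.sha256(seed + bytes([ctr]) + tag).digest(), "big") % N
                   for tag in (b"r", b"s", b"z"))
        for recid in range(4):
            Q = recover(r, s, z, recid)
            if Q is not None:
                return Q, (r, s, z)
    raise ValueError("no usable r found")


def valid_recids(r, s, z):
    """Recovery ids that yield a key for this (r, s, z); each gives 2 addresses."""
    return [i for i in range(4) if recover(r, s, z, i) is not None]


if __name__ == "__main__":
    Q, (r, s, z) = forge(b"constructed seed, not a real key")
    print("forged signature verifies under recovered key:", verify(Q, z, r, s))
    for v, msg in ((1, b"more magic!"), (4, b"even more magic!")):
        ids = valid_recids(v, v, message_hash(msg))
        print(f"r=s={v}: recids {ids} -> {2 * len(ids)} message-signature addresses")
```

Note that `verify()` accepts the forged triple only because Q was derived from it; the same (r, s) with a different z recovers a different Q, which is the pre-confirmation substitution gmaxwell warns about.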