Bitcoin Forum

 How to prove to someone that an Bitcoin address (or UTXO) belongs to you?

 Are there  (ZK) methods to prove it?

 Does anyone know?
 

Sign a message with your Bitcoin address.

How to sign a message?! (https://bitcointalk.org/index.php?topic=990345.0)

You need to:
1- generate a new address/wallet
2- announce the address to other party
3- transfer funds from the original utxo to new address

Note: Signing a message with your private key is not safe because you need to disclose the corresponding pubkey (which your address is its RIPEMD-160 hash).

As aliashraf said, it is better to send a small amount of btc (dust) you agree on on advance to a new address generated by the other party.

I don't think exposing your pubkey by signing a message is a real risk though, at least for now, but "better be safe than sorry".

After reading the response about signing an address, is it really risky exposing pubkey? I mean even with the Quantum Computing? Just wanted to 100% sure coz I see people sign their address to prove ownership of the address and I have done that to in several occasions.

And I bet most of us did the same.

Although QC is not commercially available for now in cases that the wallet holds large amounts of bitcoin and is supposed to be untouched for years (like Satoshi's wallets) disclosing public key is not recommended because:

1- Bitcoin uses ECDSA 256k1 which is not considered very strong compared to electronic signature schemes currently employed with 2048 bits length and more. Besides QC, traditional supercomputers and sophisticated algorithms increasingly push for breaking longer and longer key lengths in feasible time.

2- Many implementation bugs have been identified (and fixed, thanks god) in ECDSA key generation libraries that allow hackers to run side channel attacks against them, there is no guarantee for this not to occur again, a disclosed public key provides the basis and multiple instances of signed messages escalates the problem.

3- Many authors have suggested conspiracy theories about NSA implementing back doors in the whole ECDSA algorithm and/or related software/hardware.

No risk to expose the pubkey. No powerful enough quantum computer exists today. Creating a true 256 qbit register is technically as hard as solving ECDLP256 with a classic supercomputer. If you consider a specific supercomputer (based on ASIC dedicated to ECC) with an equivalent power of the whole BTC network, solving a single key would require several billion years.

QC is not the problem (not now) but your estimate about "billions of years" is not correct. There are good reasons to avoid re-using bitcoin addresses:

Breaking ESDA is about prime factorization and not brute forcing sha2, hence it has nothing to do with ASICs used in bitcoin network. It is an active research field in mathematics and although it is hard to believe in discovery of a magical algorithm improvements are absolutely possible. Meanwhile Moore law is still working and attack costs are decreasing constantly.

More importantly, it is not just about the algorithm itself, side channel/implementation dependent attacks are another serious class of threats.

And we have conspiracy theories about NSA and its history of implanting back doors in its products.

Finally, there is no reason to encourage disclosure of public keys and becoming exposed to various range of potential attacks specially when it comes to sensitive utxos which are supposed to stay live for long times and hold significant amounts of bitcoin.

this method is not good at all because first of all it forces you to create an unnecessary on-chain transaction and pay fees, specially nowadays that fees are shooting up again.
secondly it is not reliable since it can be faked. you have no way of knowing whether the sending address or receiving address belong to the person trying to prove ownership.

you don't exactly disclose your pubkey, not directly anyways. you only reveal your signature and  your public key can be found from that. and more importantly you can NOT call it "not safe" because it is perfectly safe, as safe as millions of translations that have been made so far. in other words just because some day ECDSA may be broken doesn't mean it is not safe today.

This was just a comparison, if you consider having an equivalent power to the whole BTC network with ASIC dedicated to ECC (not SHA2) , breaking a single key would require several billions of years using the faster algorithm known today.
I agree with you, the most probable thing is that someone find the way to solve ECDLP in polynomial time and space, in that case, bitcoin would die immediately.


In that case, your address is also not safe.


Don't worry about that ! You can check the order of the curve, its embedding degree, primitive roots of unity, etc,... all is ok !



There is also no reason today to discourage exposure of public key.

Which 'electronic' signature schemes are you exactly talking about ?
I hope you are not talking about RSA..




Like you wrote... in libaries.

Some random developer wrote a buggy libary which allowed room for exploitation.. So.. how is this related to ECDSA / bitcoin at all ?




And the government controls all of our brains with the help of chemtrails (https://en.wikipedia.org/wiki/Chemtrail_conspiracy_theory)!


Please.. for the sake of satoshi.. stop posting so much retarded misinformation. That hurts reading.

I strongly recommend reading for you instead of posting here.  :D

The concerns I kisted in my post are not personal, they are common concerns among cryptographers including bitcoiners, Check this one for instance https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt#n4

It is very bad attitude to talk about subjects that one has no background about. In the context of this topic, disclosing public keys is not recommended by prominent bitcoiners exactly because of the security concerns I've mentioned above and your comment is not only worthless but also misleading and causes confusion. Drive safe. ;)

If you have the private key of your wallet then you can use that private key to sign a message. Maybe you have seen the PGP keys out here in this forum before, those are encrypted messages which can be viewed with your public key but can only be unlocked or in this case signed from your private key. And as we know private keys are what truly makes you the owner of the Bitcoin address.
https://bitcoinmagazine.com/articles/bitcoin-address-sign-1399914228/
Try this article to find out more about how this signing addresses works and how to perform them.

To use a signed message as a proof of ownership of a bitcoin address, you need to disclose the public key behind that address otherwise how the other party would be able to verify your signature?

Disclosing public keys is not recommended practice in bitcoin community (don't take bob123 much serious  ;D) it is why we discourage address re-use, Actually a very effective proposal about signing multiple utxos (with a same output address) using a single signature has been abandoned just because og its potential of encouraging address re-use.


PGP keys typically use very higher security levels (like 4096 bits)  compared to bitcoin ECDSA 256k1 and it is why people are more relaxed about sharing their public keys.

I don't agree with this and I will explain why:

If you can provide a signature of a signed message, you are only proving you have seen the signature in the past. A well known example of this is CSW providing a signature of one of satoshi's early transaction as a "signed message" to prove he is satoshi. Does this signature prove CSW is satoshi, no it absolutely does not because the signature he provided is public information. Is CSW actually satoshi, I would keep an open mind if presented with additional credible evidence, but in my opinion he is in no way satoshi.

The above is an extreme example. Another example is someone can trick the "real" owner into signing a vague message and presenting that vague signed message as your own. If "Bob" were to be tricked into giving "Jack" the signature to the following message: "This is Bobs address and it is 2:45 PM" then Jack could present himself as being "Bob, and could present this signed message anytime it is shortly after 2:45 PM.

Using similar names, Jack could be willing to help Bob trick others into believing that Bob owns a particular "address" or UTXO, and could provide Bob with a specific signed message that makes others believe the UTXO belongs to Bob.

You could alleviate a lot of the above risk by asking Bob to sign a specific message that contains random data that you ask to be included in the signed message, and you are personally present when Bob receives the specific message you provide up until he provides the message. This will still not 100% guarantee Bob controls the private key associated with the address in question because he could still be communicating with Jack electronically, and would be risky for Bob if he does control the private key because he could be vulnerable to a "$5 wrench" attack.

In short, all providing a signed message will do is prove you have seen the associated signature.

Proving ownership of an address is not a common practice to be worried about unnecessary on-chain transactions. It can't be faked because before transferring funds you announce the address to the counter party as your address, just like when you give your receiving address to other people, you don't need to prove that you own your receiving address because it is where the funds are supposed to go.

You eventually disclose your public key and counter party has to check its RIPEMD-160 hash against the address you claim as your property. Once s/he approves your public key as being the real key behind the address, information has leaked and it is not safe as we will see.

As of your safety argument: You are absolutely wrong.
1- Historical transactions have been stoned in the blockchain and it is why they are safe not because of security of ECDSA.

2- ECDSA 256k1 becoming broken "some day"does not imply a magical invention that makes it a piece of cake for average intruder to guess keys in like few seconds or minutes, it means progress in algorithms and hardware that primarily makes it feasible for a large processing power to do the job in polynomial time/space (for instance in weeks or months using few Exa bytes of memory). Bitcoin could safely operate for a couple of months or a year after such progress because the public keys are exposed to this attack in a very short window of time (pending phase of the txn) that won't last more than few minutes. But permanently leaked public keys/re-used addresses are exposed to the attack for months or years.

3- You know that re-using addresses in bitcoin is not recommended, I wonder how do you think about it? Are you a fan of re-using addresses? Why not?

being bigger does not always translate into being safer. in case of PGP most of them use RSA keys and a 4096 bit RSA key offers nearly the same security than a 256 bit EC key (3072 RSA key has equal strength as 256 bit key used in ECDSA, and 7680 is the same as 384).

i think you are confusing my reply! i never suggested address-reuse or never said it is "as safe" to reuse them. all i said was that you can't say it is unsafe today just because it can be broken some day.
all your arguments here can be said about hashes too. RIPEMD160 and SHA256 are going to become obsolete some day as they will be broken but you can't say it is unsafe to use them just because some day they will be broken. after all that is how cryptography has always been working for literary thousands of years

Lets' go back to the root of this long discussion: exposing the Public key.

Okay, either of the two methods will indirectly expose the address' public key. By spending the UTXO, the user will have to provide a Signature and Public key to the scriptsig.
But as everyone mentioned, it's pretty safe as long as the user hasn't been reusing addresses.

---

The topic is getting derailed from "How to prove that an address belong to you?" to ECDSA security.

To sum it up, since either is "fine", let's categorize the main question from:

• 1. How to prove to someone that an Bitcoin address belongs to you?
• 2. How to prove to someone that an UTXO belongs to you?

[1] Sign a message.
[2] Sign a message or Spend the actual UTXO using coin control.

Neither RIPEMD-160 nor SHA256 are subject to such attack. They are not analytical and only a brute force attack is feasible to be run by adversaries which is not practical and will not be practical in foreseeable future, hence, they are safe now.

It is not the case with ECDSA-256k1, both QC and conventional digital computers on the hardware side and algorithms on the software side are under development right now and it is feasible to have this scheme broken in near future, hence, it is not safe now.

Once you disclose the public key behind a utxo without spending it (and making it useless this way), you have given a large window of time (as long as you keep the utxo untouched) to the adversary equipped with enough resources and knowledge to break it unlike what happens with an ordinary transaction in which it is exposed to such an attack just for few minutes.

Still I think the line of reasoning you follow makes it pointless to denounces address re-use anyway, if you can't say re-using bitcoin addresses is not safe, why should you discourage such a practice? You think I can't call it "not safe" so it is safe according to you, isn't it? Or may be it is somehow, something between safe and unsafe a shady status in security measures probably, both safe and not safe or neither safe nor not safe. What is it after all?

Yes SHA256 and RIPEMD160 algorithms are safe today but even if they are not linked to large number arithmetic, there is not proof that they cannot be reversed or predicted in polynomial time and space. As for ECDSA, they is no proof that ECDLP cannot be solved. Today the security of ECDLP256 is ~128bit and 160bit for RIPEMD160. Both are not feasible today but the probability that someone find a way to solve ECDLP256 or to reverse hashing algorithms is not zero. It is not possible to predict which algorithm will be defeated first.
There is no objective reason to say that exposing ECDSA public key for a long time is less safe than exposing an address.

I'm not comfortable with this argument. ECDLP has been discredited by Shor's algorithm which offers polynomial time/space solution for a QC based machine, the very nature of discrete logarithm problem is fragile and vulnerable to further mathematical developments just like what happened with Shor algorithm and QC vulnerability, it is not exactly the case for SHA256 or RIPEMD160 we have no reason to be worried about them to break and if anybody has any concern about such a possibility even in next couple of centuries s/he should stop using bitcoin as a store of value.

A true 256 qbit register does not exists and probably won't exist. All "quantum computer" today are based on "retry" which means that to experiment a true state superposition over a large number of qbit you need in fact many tries and this number of tries increase with the number of qbit. No worry from the QC.
ECDLP and SHA are not yet vulnerable and no argument can indicate that ECDLP is less vulnerable than SHA. ECDLP256 has a security of 128bit since the beginning and no significant improvement has been made despite intensive research.

Exposing a public key is fine.
You shouldn't expose your master public key (xpub) to not compromise your privacy.

The xpub is used to generate all public keys of your wallet (-> all addresses can be generated out of it).

But exposing single public keys is completely fine, privacy- and security-wise.

No, it is not. Please stop spreading misinformation, exposing public key is identical with address-reuse which is not recommended actually it is strongly discouraged (https://en.bitcoin.it/wiki/Address_reuse#Security)

Recently, I had a debate with Greg Maxwell in which he admitted that Core devs have abandoned a very impressive proposal that allows for multiple utxos with same pubkey to be signed just once in the body of a transaction, because it might have incentivizing impacts on address-reuse. Note that such an improvement would improve bitcoin performance instantly and considerably if it was not refuted because of address-reuse incentivizing side effects!  .

If you think address-reuse is secure please start a topic and enlighten us and be ready for me not mentioning Gregory Maxwell to argue against you, it is a very bad practice to make such arguments that are not based on generally accepted principles in bitcoin in the middle of a QA with newbies.

I'd say something like this If I was you: "Although it is not recommended in bitcoin and actually it is explicitly discouraged to disclose pubkey behind unspent utxo addresses, I think it is fine and mainstream is wrong and I'll prove myself in the future, blah, blah, blah"  

All things being equal, I agree it's best not to expose your pubkey.  But let's not overstate things. For instance here's an address with 69471 BTC on it 1HQ3Go3ggs8pFnXuHVHRytPCq5fGG8Hbhx  the pubkey is 02545d2c25b98ec8827f2d9bee22b7a9fb98091b2008bc45b3b806d44624dc038c


That's basically a 350 million dollar bounty right there. (and that's not nearly the only address like that).  The sky isn't falling on ECC just yet.




Address re-use is absolutely terrible for bitcoin-privacy, I think it's the single-biggest thing that makes blockchain analysis really easy (you can do pretty reliable spend-clustering). So I do my best to try encourage people to never reuse addresses, but the direct security implications are pretty minor.

Up to now, exposing public key is safe. They're might be wrong implementation of signature software that can allow to guess the private key, that's true. But it is the exactly same problem for addresses generation. Side channel attacks are also possible on software that generates addresses. Lot's of people reuse addresses and continue to do it. Without speaking of privacy, exposing public key is as safe as exposing address. Be afraid of a conspiracy or of unknown mechanisms that can allow your private key to be discovered is totally unjustified.

Actually, there are 2 valid mechanism to expose one's private key :
1. Finding flaw or put backdoor on random (RNG, PRNG, CSPRNG, etc.) system. Example : https://bitcoin.org/en/alert/2013-08-11-android (https://bitcoin.org/en/alert/2013-08-11-android)
2. Put backdoor on k values of ECDSA. Reference : https://bitcoin.fr/public/divers/docs/klepto-ecdsa.pdf (https://bitcoin.fr/public/divers/docs/klepto-ecdsa.pdf)

Fortunately, most wallet are open-source so both mechanism to discover user's private key is minimized. Still i wouldn't say "as safe as", but "almost as safe as".

First of all you are welcome to argue about it in a dedicated topic and we will see how it goes, my main concern is the context in which we are right now: A newbie asks a question and we need to stay in same rail with the accepted literature or we have to explicitly mention that we are speaking off the axis.

Secondly, it is old story in cryptography: cracks and fixes, bitcoin does not rely on ECC as much as most people suppose, side-channel attacks are always possible and the algorithm itself is not proved to be bullet proof, it is very bad idea to put your funds in hands of such a system for a long period of time at least it is not how bitcoin is considered to be secure.

Your example about the exposed pubkey is the first victim of the next successful attack on ECC, being a side-channel attack, a QC computer, a more optimized search algorithm, anything.

You are overemphasizing on privacy and underestimating security concerns here.
Again, I think this topic is not the right place for such a discussion. As far as it is about generally accepted principles of bitcoin we have to discourage exposure of public keys, specially by using them for signing messages.

The first mechanism apply also to address generation. Other mechanisms, such as side channel can applied to address generation too. So saying that public key exposure is not safe and discourage it is not justified at all. People who think that SHA is more safe than ECC has no argument to justify this. No one can say which algorithm will be defeated first. Again there is no proof that SHA cannot be reversed.
Having the feeling that SHA is more safe than ECC because ECC is based on large integer arithmetic is just a feeling. Not a fact !
"A more optimized search algorithm" can also apply to SHA.

@Jean_Luc bro, you are seriously wrong in comparing ECC with Sha2 both in their vulnerability to side-channel and direct attack. Bitcoin will collapse immediately if there could be found a flaw, it relies totally on security of sha256. It is not the case with ECDSA256k1, bitcoin needs this scheme to resist just few minutes against search attacks when it is used properly, disclosing pubkey extends this requirement which nobody can guarantee for any encryption algorithm for infinite time (unlike hash functions) to be satisfied. Actually I can guarantee that in less than few decades ECDSA256k1 will be breakable by a QC computer in polynomial time (not necessarily and effectively in few minutes)

Saying that because both sha256 and ECC are some mathematical functions implemented by computer codes and they are both exposed to hypothetical attacks so let's rely on both or rely on none, is not a strong argument.

As of the core algorithm: ECC is based on vague/unproven assumptions about discrete logarithm being non-polynomial in time and space which is challenged already by Shor algorithm and QC. SHA256 is not based on such assumptions.

As of side-channel attacks: ECDSA256k1 is a complicated algorithm with a lot of design and implementation choices, we have a history of successful side-channel attacks against its implementations, it is not the case for SHA256.

last words: Would you personally put your life saving for next two-three decades in a wallet with an exposed public key? I wouldn't!

Address generation is also subject to side-channel attack, it depends on the implementation. I agree, if ECDLP can be solved in few minutes, bitcoin would die and if SHA can be reversed in few minutes, bitcoin would also die. Today ECDLP takes ages to be solved. Your argument is ok if ECDLP becomes feasible in let's say few years or months but the probability that ECDLP256 becomes feasible in fews years or month and not in few minutes in nearly zero.


You have to rely on both algorithms.


It is exactly the same for SHA, it is based on vague/unproven assumptions that the set of solution becomes more and more difficult to describe at each round.


I'm speaking of address generation which is also vulnerable to side-channel attack. SHA alone is also vulnerable to Meltdown attack.


I wouldn't put my life in a wallet in any case, with pubkey exposed or not.

It is not true.

On the contrary a gradual collapse is exactly what will happen with 99% possibility.

"The authors of the Logjam attack estimate that the much more difficult precomputation needed to solve the discrete log problem for a 1024-bit prime would be within the budget of a large national intelligence agency such as the U.S. National Security Agency (NSA). The Logjam authors speculate that precomputation against widely reused 1024 DH primes is behind claims in leaked NSA documents that NSA is able to break much of current cryptography." (Wikipedia)

Diffie-Hellman Cryptography (DHC) is based on discrete-logarithm problem just like ECC and the above quote from Wikipedia clearly shows that breaking it is not about a "in few minutes or never" scenario, it is about optimizations and technology and costs.

Also your argument proves to be wrong, considering how QC technology is under development right now: they scale qbit by qbit slowly but continuously. Once they've proved to be able to break ESDCA in like couple of years bitcoin community would have enough time to enhance their cryptography scheme and users could gradually move their funds to new addresses.

With that kind of information, you can prove what you want. The best known precomputation (Bernstein and Lange) needed to solve the discrete log problem is just huge and not feasible even for the NSA. The only advantages of this precomputation is for solving multiple instance but for a single instance it does not bring benefits.


The difficulty of adding qbit does not grow linearly and it is interesting to see that De Broglie's prediction concerning QC seems to be more and more true, and that the Pilot wave theory in which I believe becomes more and more attractive.

Interestingly, we are talking about multiple instances, aren't we?

I'm not saying that it is broken right now, ECC, my argument is about the main attack range not being a magical mathematical technique that solves ECDLP in a glance, it is about optimizations, algorithm back doors, pre-computations,  and technology enhancements that gradually justify costs of an attack against its rewards.

Yes but even for multiple instance, the precomputation is still enormous and not feasible for a 256bit prime.


You can think the same for addresses. There is no objective reason today to say that RIPEMD160(SHA2(pukey)) brings a supplementary protection and you can even think that using directly pubkey could be more reliable. A failure can also come from the function f(x) = RIPEMD160(SHA2(x)).

There it is again. The magic everything-solving-machine called quantum computer  ;D ;D

I like how people - who are extremely far away from that topic - believe that quantum computers are a magic machine which can solve almost any mathematical problem in a short amount of time.


So.. quantum computing will break ECDSA in like a couple years ?  ;D ;D  Wtf dude, what did you smoke ?
Quantum computing is BY FAR not developed enough to be used for something useful yet. And it definitely won't be in 'a couple of years'..

Even if quantum computers would be ready to do that by then.. there first has to be an efficient algorithm developed. There aren't much quantum computing algorithms available yet..
It is not like you say 'Hey quantum computer, give me private key of satoshi' and 10 minutes later you get the result.. It is slightly more complicated than that.. even if non-techy people like you can't believe it..

I'm not saying QC is ready in few years, not as confused as you thanks god  :D

I mean QC will be developed enough sooner or later (put it few decades for instance) to break one ECC key in reasonable time window: 2 years or so e.g. A commercial QC with enough power to break a key in a long, still feasible, time window.

Look at the context, I'm arguing that breaking exposed pubkeys is the first damage that QC or any attack to ECC could ever cause.
For ordinary exposure of public keys in bitcoin transactions, the time window to cause any damage is very short and it is unlikely to have QC or any other technology coming from nowhere and managing for such a destructive attack. They'll begin with easier targets and the whole point of this discussion is discouraging bad practices that turn wallets to such targets. Period.

OK.


Yes but if you manage to reverse the address hashing function, you will be able to get a very large number of public key that match with the address and it will reduce drastically the complexity to find a matching private key.

With quantum computing  ;)

It is magic machine.

Neither QC nor any other technology could ever do anything about SHA256 because its search space is astronomical and behind human technology. It is provably resistant to collision attacks up to 128 bits security, there is no way to manage a collision attack on such a huge search space. Plus, it is not used in bitcoin for authentication purposes hence its vulnerability to length extension attacks is irrelevant and finally, the best public attacks break its preimage resistance for 52 out of 64 rounds  and going just one round higher is not considered feasible with current techniques and reaching to 54 rounds is another order of magnitude harder and so on, by using sha256 twice, bitcoin practically resists 128 rounds against preimage attacks which is another astronomical resistance index.

SHA256 is not vulnerable to any form of side-channel attack because of its deterministic nature as a hash function. Above thread @Jean_Luc has argued many times that potential vulnerability of ECC to side-channel attacks is just a general property and applicable to SHA-2 as well. This is not correct, side-channel attacks are effective in cryptography when multiple outputs for the same input(s) are possible and the attacker can narrow the search space by taking advantage of her knowledge about the implementation holes.

Comparing ECC security to SHA256 and asserting that they are equally safe is simply wrong. On one side, ECC has experienced a handful of side channel attacks and belongs to a class of cryptographic algorithms that are basically vulnerable to this attack and on the other side there is a QC compatible algorithm (Shor) provably capable of solving discrete-logaritm problem in feasible polynomial time/space. Whether QC becomes commercially available or not, it proves one point: cryptographic electronic signature algorithms are transient technologies for a specific state of technology and mathematics development, unlike strong hash functions.

You can use the magic Grover's algorithm and a partial RIPEMD160 round reversing (Biclique attack) to decrease drastically the complexity of finding collisions on RIPDEMD160(SHA2(x)) ;)

@aliashraf
I'm not saying that SHA-2 is vulnerable to all side-channel type attacks, only to meltdown attack (which is also considered as a side-channel attack) and address generation is obviously vulnerable to nearly same side-channel attacks as ECC.

You should claim the recompense to the Clay institute for this ;)

I would have never know that signing is risky.  :o

Since you guys are talking about vulnerability when someone signs a bitcoin wallet address, can someone prove that by accessing the 1 BTC puzzle on this thread?

--> https://bitcointalk.org/index.php?topic=5096267.0

The owner signed the wallet address so I want to see how you guys do it for those who are saying that there is a risk doing it. But if the only way of accessing it is using a powerful Quantum computer then I guess we are still a few years away to get our hands into QC.

 ;D :D

In fact the O(2^(n/3)) cannot be achieved due to memory complexity (Read this https://eprint.iacr.org/2017/847.pdf).
But the Grover's algorithm optimization proposed by Inria's researcher can achieve O(2^(n/2.5)) with a feasible memory complexity ( still need few million dollars of investment just for the classic memory :D ) and this algorithm has a very interesting feature, the complexity can be greatly reduced for multiple targets.
RIPDEMD160 consists of 2 parallel and independent hashes that are merged with simple additions (mod 2^32) at the end, and this can be easily exploited to create efficient multiple target attack on the 2 independent hashes RIPEMD160_1(SHA2(x)) and RIPEMD160_2(SHA2(x)).

It is not if you sign with a reputed secure software on a computer where you are alone (not subject to various side channel attack).

Please keep the thread on-topic. Insulting each other is not on-topic. (This message will self-destruct)

I would like to apologize if I was hurtful but I was a bit choked by the question of AntiMaxwellian.
Sorry.

I can't believe everyone got this wrong:

There is only one way certain way to prove ownership, and that is by giving your PRIVATE KEY to that someone.

After that moment, both you and them become "owners" of that address as both of you control the ability to sign messages and move funds (if any exist). If one of you discards the private key, and has no physical/mental backup of it, nor any recollection, they lose ownership.

1) Having a signed message that belongs to that public hash does NOT prove you have ownership, it's mearly proves to someone, that you possess that signed message, but you might or might not be the orginal actual signer or owner.

2) Showing that a dust amount from that address has been sent to another address of someone's choice, does NOT prove you have ownership, it only proves that someone, but not nessesary you, is the owner.

A good real life example of the misconceptions of 1 or 2 is all the OTC scams that take place, where the scammer is a man in the middle but appears to be an owner.

If you want to prove ownership of an address that has funds, you move the funds out first, and give out the private key, proving that at one point you possessed ownership of the previous address that had a balance. (Warning: giving out a single private key and xpub key for an unhardened hd wallet derivation can lead to an attacker taking all your wallet funds)

Then a malicious actor just needs to gain access to your master public key (xpub) to derive all of your private keys belonging to this HD wallet (non-hardened only).


Signing messages is fine to prove ownership.


Of course you wouldn't sign a message like "i own this address".
You would include your name, the current date and the reason for signing this message. And eventually even a random token from the person who wants you to prove the ownership.

A MitM wouldn't be useful in any way here.

Right, this is the good way to do however it is better to define the full format of the message to sign (including restrictions on the fields) with the third party in order to prevent from a birthday paradox attack on the signature.

A birthday attack is applicable to hash functions, not encryption or signatures.

Further, with the birthday paradox you would calculate the probability of creating 2 messages which result in the same hash (any random hash!).
Not a second message with the same (given) hash which the signed one has.


This is not applicable in this case. Neither theoretical nor practical.

OK, i wrote this a bit too fast. I was thinking to create a random walk for the birthday paradox on the hash of the signature in order to exploit it the signature process but it ends in solving the discrete log using classic random walks (of course, with public key previously exposed). So it is even not necessary to create a random walk from the signature hash.

This is a very bad practice, and I think you should not do this under almost any circumstances.

Giving someone your private key can potentially make you look very bad in the future. For example if you publicly state a particular address belongs to you, and the third party later goes on to do some nasty illegal or harmful stuff and that address is involved in receiving or sending a payment for this stuff.


I alluded to this point previously (https://bitcointalk.org/index.php?topic=5135989.msg50801558#msg50801558).

A signed message could be the result of the real owner being tricked into signing a message, or the real owner colluding with a third party, attempting to fraudulently prove they own a UTXO/address they do not own.

If we are strictly talking about ownership (in terms of: i created the private key, it belongs to me), there is not a single method to absolutely be sure (in a bulletproof way).

A private key is not something one has, but something one knows. That's a big difference.

Proving ownership of a hardware token (i.e. a hardware token for pgp signing for example) can be done by signing messages easily.
But simply proving ownership of something you know is itself not possible (very strictly talking).

Information (something you know) can be duplicated. Hardware tokens (something you have) can not. Or.. at least they should not be able to be duplicated.


However, i think this is going way too far.
As per OP's title the question is how to prove that an address belongs to you. And regarding this, anything is fine. A signed messages (containing a random token + user not blatantly stupid to get phished) is the best way.
The question was not how to prove that one is the ONLY one who knows this private key. That's simply not possible.