Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: BlackHatCoiner on May 29, 2020, 03:44:07 PM



Title: Signature misunderstanding
Post by: BlackHatCoiner on May 29, 2020, 03:44:07 PM
I don't get it. How can people get your private key if you don't use signature?

The maths of how signature works are too hard by the way.


Title: Re: Signature misunderstanding
Post by: bob123 on May 29, 2020, 04:02:31 PM
I don't get it. How can people get your private key if you don't use signature?

By gaining access to the medium where the private key is stored.

And this - by the way - has nothing to do with whether you have used the private key to sign something or not (assuming you are talking about ECDSA).
If you are in fear that your private key might get compromised by simply signing a transaction/message, be assured: that is not the case.



The maths of how signature works are too hard by the way.

Well.. it's cryptography.
It kind of needs to be complex to be robust against several types of attacks.


Title: Re: Signature misunderstanding
Post by: HeRetiK on May 29, 2020, 10:02:30 PM
I don't get it. How can people get your private key if you don't use signature?

By kindly asking.

I'm not even kidding, back when airdrops were all the rage there were a couple of totally legit offerings that only required you to enter your private key into google forms.


Title: Re: Signature misunderstanding
Post by: BlackHatCoiner on May 30, 2020, 06:52:42 AM
When you send money from an Electrum wallet for example, does it create a signature for you automatically?


Title: Re: Signature misunderstanding
Post by: ranochigo on May 30, 2020, 07:05:50 AM
When you send money from an Electrum wallet for example, does it create a signature for you automatically?
The signature is contained inside the scriptSig of the transaction. Every wallet that sends a transaction on chain automatically signs the transaction to provide the signature inside the scriptSig. Inside the scriptSig, it contains the signature of the transaction and the public key that is used to sign the transaction. Given the property of ECDSA, you can verify that the signature is signed with a specific private key when you're given the corresponding public key.

With the public key, you can hash it to form a P2PKH/P2WPKH address. From there, you can also validate that the transaction is spending the correct UTXOs that belong to that specific address.


Title: Re: Signature misunderstanding
Post by: HeRetiK on May 30, 2020, 08:36:54 AM
When you send money from an Electrum wallet for example, does it create a signature for you automatically?

Ranochigo already described pretty well what role signatures play for transactions, so here's an example of a case of flawed implementation such as mentioned by ETFbitcoin:

https://bitcoin.org/en/alert/2013-08-11-android

I think in this case it was a matter of an adversary being able to generate the same "random" values (i.e. private keys) as their victim, but the fixed k flaw is quite fun as well since you just turn the math against itself:

Iä! Digital Signature Algorithm! The Black Goat of the Woods with a Thousand Crypto Bugs!
I don't know the Bitcoin software involved at all, but I can sketch out an attack that might shed some light on it, and, more importantly, instill an appropriate fear of DSA into you:

To generate a DSA key, you come up with primes p and q and a generator g, which process is a paralytic non-Euclidean brain injury I will not attempt to describe. Then you do like Diffie Hellman: generate a random private key x and from it a public value y = g^x % p. The pubkey that validates signatures is the tuple (p, q, g, y).

To sign, you generate a random k value, which must never be reused, Iä! Iä! never, and:

    r = g^k % p % q
    s = k^-1 (H(m) + x•r) % q

The signature is (r, s).
If ever you should fail to heed these words and generate two signatures with the same k value, Iä Cthulhu Ftaghn! then simple high school algebra can be used to beat DSA. The attacker doesn't even need to know what the k was, and the attack is so fast you can just try it to see if k was repeated (I skipped the algebra and just dumped the formulas for the attack here):

        H(m1) - H(m2)
    k = -------------
           S1 - S2

    x = ((S1•k) - H(m1)) • r^-1 % q

This bug (also in an ECDSA implementation) is what broke the Playstation 3, too.
You see that comment on the Bitcoin thread about the repeated r-values; a repeated r-value (r as in the r parameter of a DSA signature) just tells you that someone repeated a k. Iä! Iä!