Author Topic: The smallest valid signature  (Read 127 times)
vjudeu (OP)
November 29, 2021, 02:08:52 PM
Merited by BlackHatCoiner (1)
 #1

Because of a bug in SIGHASH_SINGLE, it is possible to precompute a signature for some unknown key, where:

z=0100000000000000000000000000000000000000000000000000000000000000
r=0000000000000000000000000000000000000000000000000000000000000001
s=0000000000000000000000000000000000000000000000000000000000000001

For those three values, it is possible to find some public key:

Q=032baf163f5e27261ab3228e61fb86dc98054abd514751fce93d7444e8fbc6a293

Then, our scriptSig is equal to 09300602010102010103. That's the smallest signature I can think of, because r=1 and s=1, so our scriptSig has only 10 bytes! This signature is valid and was confirmed in testnet transaction 3952b35bde53eb3f4871824f0b6b8c5ad25ca84ce83f04eb1c1d69b83ad6e448. The private key for such a public key is unknown, but the signature is valid for SIGHASH_SINGLE. Is it possible to do the same for SIGHASH_ALL if we assume that setting any z-value is possible and that we can change our public key to any value?

garlonicon
November 29, 2021, 06:24:46 PM
Merited by BlackHatCoiner (4)
 #2

Quote
Is it possible to do the same for SIGHASH_ALL if we assume that setting any z-value is possible and that we can change our public key to any value?
It depends. If you have to sign your public key (or a hash of that key, or some previous transaction output where you have to know that key) then no. But if you can use any public key, then it is possible. I can imagine some weird script with a constant signature and a variable public key, something like "OP_OVER 300602010102010101 OP_EQUALVERIFY OP_CHECKSIG", then you can make a transaction, get your z-value and put your matching public key in such a script.

Also note you can do such things in Bitcoin Message:
Code:
message="Hello World"
address="1psPJZYEJrjPtY6kw5Tqtj4mW2yXSSDuH"
signature="GwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE="
Here you have r=1 and s=1 in a signature for some arbitrary message. Of course both k and d are unknown, but it does not matter if you can use any public key.