[Proposal] Why don't we sign receivers' addresses also?

[katatunix]

Hello,

Let's consider following scenario:

• Alice (a honest girl) is buying a product from the merchant Apple.
• Alice create a new transaction TxA to send her bitcoins to Apple.
• Bob (a bad guy) receives TxA and modifies the receiver's address to create TxB.
• Assume that the TxB will be confirmed, not TxA. So Bob (not Apple) will receive Alice's bitcoins.
• Apple will not send the product to Alice because the TxA has not been confirmed.
• Alice is the only victim in this scenario.

As far as I know, to create TxA, Alice must sign her bitcoins which is identified by the output index in the former transaction. So why doesn't Alice sign the receiver's address (Apple) also when creating TxA? This will make Bob cannot modifies the receiver's address and thus can prevent the scenario above.

[shorena]

Changing the receiving address(es) will render the signature(s) invalid.

[katatunix]

Changing the receiving address(es) will render the signature(s) invalid.

Thanks for your reply

Could you please explain in more detail? If the signature was not produced from the receiving address, how can changing the receiving address render the signature invalid?

Note that the receiving address here is Apple.

[shorena]

Changing the receiving address(es) will render the signature(s) invalid.

Thanks for your reply

Could you please explain in more detail? If the signature was not produced from the receiving address, how can changing the receiving address render the signature invalid?

Note that the receiving address here is Apple.

Sorry Im a bit tired atm, but you sign more than just the inputs. I hope this helps -> http://bitcoin.stackexchange.com/questions/3374/how-to-redeem-a-basic-tx

[DannyHamilton]

Why don't we sign receivers' addresses also?

We do.  Why do you think that we don't?

Let's consider following scenario:

• Alice (a honest girl) is buying a product from the merchant Apple.
• Alice create a new transaction TxA to send her bitcoins to Apple.
• Bob (a bad guy) receives TxA and modifies the receiver's address to create TxB.

Not possible.  When Alice created the transaction, the signature covered her inputs AND all the outputs.  If Bob changes the outputs then the transaction is no longer valid because the signature no longer matches the signed content.

As far as I know, to create TxA, Alice must sign her bitcoins which is identified by the output index in the former transaction.

This is not correct.  In each input, Alice supplies a signature of all the relevant parts of the transaction (inputs and outputs). The signature must be created with the private key that is associated with the address that the output being spent was sent to.

So why doesn't Alice sign the receiver's address (Apple) also when creating TxA?

She does.

This will make Bob cannot modifies the receiver's address and thus can prevent the scenario above.

Correct.

Exactly how did you think Bitcoin lasted 7 years and grew to its significant amount of usage without this basic protection?

Perhaps you should try reading the original bitcoin whitepaper?

https://bitcoin.org/bitcoin.pdf

[katatunix]

Thanks all. It's clear now.