Encrypt a message with bitcoin public key?

[jorschs]

Hi,

just wanted to ask if it's possible to encrypt a message using somebody's bitcoin address in order he is the only one able to read that message using his secret key. I mean, just like RSA..

I guess that should work but was doing a little search about and found this: https://bitcointalk.org/index.php?topic=238714.0

Thank you.

[1714053071]

1714053071

[1714053071]

1714053071

[1714053071]

1714053071

[DannyHamilton]

Hi,

just wanted to ask if it's possible to encrypt a message using somebody's bitcoin address in order he is the only one able to read that message using his secret key. I mean, just like RSA..

I guess that should work but was doing a little search about and found this: https://bitcointalk.org/index.php?topic=238714.0

Thank you.

A bitcoin address is NOT a public key (that can be used for asymmetric encryption).

Therefore, if the only thing you have is the bitcoin address, then you won't be able to encrypt the file.  You'll need the person to provide you with the public key that the address was generated from.

Even if you have the public key, you've already discovered from the page you linked to that ECDSA is a signature algorithm and is not designed for encryption.  If you really want to do so, even though it's a bad idea, you can take a look at this:

https://github.com/jackjack-jj/jeeq

[jorschs]

Thank you DannyHamilton, very helpfull explanation.

[achow101]

As DannyHamilton said, you would need to get the public key from the person who owns the address. Either they give it to you or you can see if they spent from the address and pull the public key from the scriptsig in one of their transactions.

In order to encrypt something, you would need to use some encryption algorithm that can use such public keys, like PGP. It is possible to use a bitcoin public key as a PGP public key, but it is not recommended since those key pairs are only 256 bit when a PGP key is at least 1024, if not higher for more security.

[bit22gen]

It is possible to perform public key encryption using elliptic curves,
it is called ECIES, see for example:

http://www.johannes-bauer.com/compsci/ecc/

Encryption with the bitcoin elliptic curve is for example implemented in the Electrum wallet.

Use "Tools->Encrypt/Decrypt message".

In order to encrypt the public key should be used, not the bitcoin address.
The public key is a hex string that starts with "02", "03" or "04".

[bit22gen]

Here is the python code for the electrum ECIES encryption:

https://github.com/mazaclub/electrum-nmc/blob/master/lib/bitcoin.py

See encrypt_message() and decrypt_message().



==============================
 def encrypt_message(self, message, pubkey):

        pk = ser_to_point(pubkey)
        if not ecdsa.ecdsa.point_is_valid(generator_secp256k1, pk.x(), pk.y()):
            raise Exception('invalid pubkey')

        ephemeral_exponent = number_to_string(ecdsa.util.randrange(pow(2,256)), generator_secp256k1.order())
        ephemeral = EC_KEY(ephemeral_exponent)
        ecdh_key = point_to_ser(pk * ephemeral.privkey.secret_multiplier)
        key = hashlib.sha512(ecdh_key).digest()
        iv, key_e, key_m = key[0:16], key[16:32], key[32:]
        ciphertext = aes_encrypt_with_iv(key_e, iv, message)
        ephemeral_pubkey = ephemeral.get_public_key(compressed=True).decode('hex')
        encrypted = 'BIE1' + ephemeral_pubkey + ciphertext
        mac = hmac.new(key_m, encrypted, hashlib.sha256).digest()

        return base64.b64encode(encrypted + mac)
==============================

[jorschs]

Thank you all. As far as security is a concern for me I understand from your words that using public key for encryption purposes is not a good idea. Once again tank you for your kind help.

[bit22gen]

The PGP keys use RSA instead of ECC, and RSA require much longer key size for the same security:

See for example:
http://www.linuxjournal.com/content/elliptic-curve-cryptography

The bitcoin 256 bit key corresponds to a 3072 RSA key.

Comparison of RSA and ECC key sizes from the article:

 RSA Key Size      ECC Key Size
===================================
1024              160
2048              224
3072              256
7680              384
15360              512

[jorschs]

Then I could have a good level of security with a 256 bit bitcoin key?

[bit22gen]

The security of the ECIES encryption is equally strong as the ECDSA that bitcoin use.

You would have to compute the discrete logarithm in order to break it.

In bitcoin use there is an additional layer of security since the bitcoin address is computed from the public key using a one way function.

However, if a bitcoin address is reused, the additional layer of protection is lost since the public key is possible to compute
when the signed message is given in the transaction.

And bitcoin addresses are beeing reused without any reports of stolen funds.

Older wallets reuse addresses without any reports of missing bitcoins.
In that case there is no additional protection layer, and the security of the bitcoin elliptic curve protects the bitcoins.

More information about the security of the bitcoin elleptic curve can be found here:
https://bitcointalk.org/index.php?topic=380482.0

[gmaxwell]

A bitcoin address is NOT a public key.

A bitcoin address absolutely IS a (serialization of a) public key,  it is a public key for the Bitcoin Script digital signature system. This system CANNOT be used for encryption, but signatures only.

If it were not a public key, you couldn't use it to identify the party authorized to release bitcoins.

The bitcoin address commits to, via hashing, an ECC public key, a cryptographic system used inside the Bitcoin digital system.  These keys could potentially be used for message encryption, if you were to get that EC public point somehow.

But then you need to ask the question _WHY_ you would want to do this?  It is usually strongly recommended that people not reuse the same keys for different application because the composite usage can result in insecurity. There are many pre-existing encryption systems which are competently constructed, and you could sign their public keys using a bitcoin signmessage.

Many of the "sign with bitcoin keys" things which have been constructed have been outright incompetent and insecure. So why would you not use standard tools but instead something novel and custom that probably has had no competent cryptographic review.\

The PGP keys use RSA instead of ECC, and RSA require much longer key size for the same security:

PGP now also supports ECC keys.

The security of the ECIES encryption is equally strong as the ECDSA that bitcoin use.
You would have to compute the discrete logarithm in order to break it.

This is not, pedantically, true.  ECIES requires a secure message authentication scheme, a secure message cipher, and a strong random number generator. If any of these (or their implementations) have weaknesses then you can compromise the confidentiality of encrypted messages without being able to find a discrete log.

[makcik]

Bitcoins have provided a secure way always for making transactions safer between wallets. As everyone knows, bitcoins uses address as keys for sending and receiving bitcoins. Now, you may want to send a message to the person whom you are sending bitcoins. Fortunately, this is possible now because of ECDSA system from cryptocurrency.
In this system, you can encrypt the message with your wallet address or public key and the person will have to enter your address or private key to see that message. It's a quite interesting feature and maintains 100% privacy with the people.

[gmaxwell]

Now, you may want to send a message to the person whom you are sending bitcoins. Fortunately, this is possible now because of ECDSA system from cryptocurrency.

It is not-- a bitcoin address cannot be used for (asymmetric) encryption.  They could send you the related EC point as well, but since they must send you additional data in any case at the time they send you the address, they could just as well send a public key for a system specifically designed for message encryption.

[luv2drnkbr]

OP, you could use EC multiplication to multiply their public key with your private key, which would produce the same public key output that they would get by multiplying their private key by your public key.  So you use that resulting public key as the encryption password/key and encrypt with AES or something.  The very act of decryption also authenticates the message as being from you.  If you want to send a message anonymously, just generate a new random key and include its public key in cleartext with the encrypted message.

[DannyHamilton]

a bitcoin address cannot be used for encryption.

A bitcoin address absolutely can be used for encryption. As long as only the sender and receiver know the bitcoin address, it can be used as a symmetric-key with 160 bits of entropy.  This system doesn't work well if the key has already been used in a transaction, and since there's a need to give the key to the other party via a secure channel there really isn't much benefit to using a bitcoin address as the key. However, as long as we are playing with semantics in this thread, it isn't entirely accurate to say that a bitcoin address can't be used for encryption.

 

[gmaxwell]

Happy?

[DannyHamilton]

Happy?

Yep.  Fixed mine too...

https://bitcointalk.org/index.php?topic=1239463.msg12904696#msg12904696

Happy?