Why is ECDSA needed at all?

[RealBitcoin]

This may sound silly or even genius, and I am not a big expert or cryptographer, but as I look at it, the public->private key system is 1 directional, so why do we need to use ECDSA when we could just use a SHA-256 instead or something like that. Lemme explain my theory, how we could make a blockchain without ECDSA:

• Private key generated with RNG, then hashed with SHA256, the SHA256 hash , this would be the pubkey, and a Base58encoded checksumed version would be the bitcoin address
• Bitcoin address and bitcoin private key included in blockchain at spending, so miners can verify the owner without the need for asymmetric cryptography, the private key would be revealed when you send money to a new address, so this way addresses will be forcibly reused, and would no longer serve as "accounts" but only as a receipt of transaction
• The public key would be sent first ,and after 6 confirmations, the private key is sent, this would ensure that nodes/miner cant steal/double spend the coin. The pubkey gets indexed in the blockchain, after 6 confirm the private key gets indexed too ,and after another 6 confirm the transaction is finalized
• If nodes/miners reject the public key and is not included in the blockchain, then the user would not send out the private key (the private key revelation is the finalization of the transaction)
• The change would be sent back to the owner's change address, fee sent to miners, and the sum sent to the destination address
• Mining protocol not affected
• A lot of unnecessary work would be eliminated for both nodes and miners
• More efficient cryptocurrency model
• When you would sign a message with the address, it would automatically send the money from that address to a new address of yours, so that a message signing would still prove that you own that address, but the money need to be sent to a change address to ensure that the verifier doesnt stea it
• Ultra secure, quantum secure, since we would no longer be constrained by a 128 bit private key, but by even a 1000 bit key by using numbers, letters, special characters to generate the private key, it would be way more secure

What do you think of my idea? Did Satoshi miss this thought?

[1714636226]

1714636226

[1714636226]

1714636226

[achow101]

This may sound silly or even genius, and I am not a big expert or cryptographer, but as I look at it, the public->private key system is 1 directional, so why do we need to use ECDSA when we could just use a SHA-256 instead or something like that. Lemme explain my theory:

• Private key generated with RNG, then hashed with SHA256, the SHA256 hash , this would be the pubkey, and a Base58encoded checksumed version would be the bitcoin address
• Bitcoin address and bitcoin private key included in blockchain at spending, so miners can verify the owner without the need for asymmetric cryptography, the private key would be revealed when you send money to a new address, so this way addresses will be forcibly reused, and would no longer serve as "accounts" but only as a receipt of transaction
• The change would be sent back to the owner's change address, fee sent to miners, and the sum sent to the destination address
• Mining protocol not affected
• A lot of unnecessary work would be eliminated for both nodes and miners
• More efficient cryptocurrency model
• When you would sign a message with the address, it would automatically send the money from that address to a new address of yours, so that a message signing would still prove that you own that address, but the money need to be sent to a change address to ensure that the verifier doesnt stea it
• Ultra secure, quantum secure, since we would no longer be constrained by a 128 bit private key, but by even a 1000 bit key by using numbers, letters, special characters to generate the private key, it would be way more secure

What do you think of my idea? Did Satoshi miss this thought?

You're wrong.

ECDSA is a signing algorithm that has specific requirements (all signing algos have specific requirements). It needs a public key derived from the public key in a specific way using a specific elliptic curve. The signature verification algorithm requires that specifically derived public key.

Your idea of publishing the private key when you send is also a bad idea. This is because the private key gives anyone who holds it permission to spend the UTXOs associated with the address. Once the private key is revealed after the Bitcoin is spent, while the transaction is unconfirmed, someone can retrieve that key and create a double spend and send the Bitcoin to himself instead of the intended recipient. A malicious miner could do this as well and ensure that he gets the Bitcoin because he is the one to include his double spend into a block.

[RealBitcoin]

This may sound silly or even genius, and I am not a big expert or cryptographer, but as I look at it, the public->private key system is 1 directional, so why do we need to use ECDSA when we could just use a SHA-256 instead or something like that. Lemme explain my theory:

• Private key generated with RNG, then hashed with SHA256, the SHA256 hash , this would be the pubkey, and a Base58encoded checksumed version would be the bitcoin address
• Bitcoin address and bitcoin private key included in blockchain at spending, so miners can verify the owner without the need for asymmetric cryptography, the private key would be revealed when you send money to a new address, so this way addresses will be forcibly reused, and would no longer serve as "accounts" but only as a receipt of transaction
• The change would be sent back to the owner's change address, fee sent to miners, and the sum sent to the destination address
• Mining protocol not affected
• A lot of unnecessary work would be eliminated for both nodes and miners
• More efficient cryptocurrency model
• When you would sign a message with the address, it would automatically send the money from that address to a new address of yours, so that a message signing would still prove that you own that address, but the money need to be sent to a change address to ensure that the verifier doesnt stea it
• Ultra secure, quantum secure, since we would no longer be constrained by a 128 bit private key, but by even a 1000 bit key by using numbers, letters, special characters to generate the private key, it would be way more secure

What do you think of my idea? Did Satoshi miss this thought?

You're wrong.

ECDSA is a signing algorithm that has specific requirements (all signing algos have specific requirements). It needs a public key derived from the public key in a specific way using a specific elliptic curve. The signature verification algorithm requires that specifically derived public key.

Your idea of publishing the private key when you send is also a bad idea. This is because the private key gives anyone who holds it permission to spend the UTXOs associated with the address. Once the private key is revealed after the Bitcoin is spent, while the transaction is unconfirmed, someone can retrieve that key and create a double spend and send the Bitcoin to himself instead of the intended recipient. A malicious miner could do this as well and ensure that he gets the Bitcoin because he is the one to include his double spend into a block.

What if the private key is sent after 6 confirmations? So the public key is indexed in the blockchain , and after 6 blocks the private key is sent and then the transaction would be finalized.

So that no node & miner could steal / double spend the coins, gets indexed to the blockchain, and then the private key is revealed, finalizing the transaction and confirming the spending.

[Evil-Knievel]

Ultra secure

Just don't do it 
Public key cryptography is there for a reason ...

[achow101]

What if the private key is sent after 6 confirmations? So the public key is indexed in the blockchain , and after 6 blocks the private key is sent and then the transaction would be finalized.

So that no node & miner could steal / double spend the coins, gets indexed to the blockchain, and then the private key is revealed, finalizing the transaction and confirming the spending.

Ok, so then how do you plan on verifying the signature? What algorithm are you going to use that takes a private key and then verifies to the sha256d hash of that key without revealing the key itself? You most certainly aren't going to be using ECDSA since ECDSA requires a public key derived from the private key in a different way using elliptic curves.

What do you mean by "finalized"? What happens if the key that is published is incorrect? What if the sender refuses to publish the key?

[DannyHamilton]

What do you think of my idea?

I think you don't know much about cryptography, you don't understand why the bitcoin protocol does the things it does, you don't understand the concept of decentralized and trustless, and your idea has too many holes in it to give much consideration to.

[TransaDox]

What do you think of my idea?

I think you don't know much about cryptography, you don't understand why the bitcoin protocol does the things it does, you don't understand the concept of decentralized and trustless, and your idea has too many holes in it to give much consideration to.

Arrogance and intolerance like this is what will kill bitcoin eventually so please adjust your attitude or say nothing at all.
There is nothing of merit that can be learned from this type of response and as a Legendary member it is an atrocious example to set.

[johoe]

The problem is, what if someone else sends the transactions with your public key.  Of course, you don't send the private key, but how do you unfreeze your funds.  Does it timeout?   What if some-one DoS attacks you by sending another transaction in the moment it timeouts?

If it timeouts, the miners may also steal your coins by claiming that you didn't send the private key, wait for the timeout and then mine a different transaction with your revealed private key.

You may think you can have three one-time functions, private key -> public key -> address to avoid the first problem.  Then only you know the public key and can send the first transaction. But that also doesn't help, either.  The moment you want to spend your coins some peer may use the information to double-spend the coins.  The miners don't know which to include and may include the wrong one.  Then you are back at the situation where the honest person has to somehow convince the miners to switch to a different transaction.

[johoe]

A different problem with your approach is that everyone can spam the blockchain for free by sending loads of unsigned transactions that don't belong to him.  Your algorithm requires them to be included in the immutable blockchain before the miners can even start to check if the sender authorized them (including the fee).  Since one doesn't even have to own bitcoins to do this, one doesn't lose anything when spamming.

[Dabs]

Arrogance and intolerance like this is what will kill bitcoin eventually so please adjust your attitude or say nothing at all.
There is nothing of merit that can be learned from this type of response and as a Legendary member it is an atrocious example to set.

What arrogance? I don't see any.

He was just stating facts.

OP doesn't know what he's talking about. That's all.

[DannyHamilton]

What arrogance? I don't see any.

He was just stating facts.

OP doesn't know what he's talking about. That's all.

I try to be a bit more tolerant in the "Beginners & Help" and "Bitcoin Discussion" sub-forums.  Those are filled with newbies that just want to talk about bitcoin related stuff.  I have no expectation that they have any particular level of knowledge about any technical details.

I'm much more critical of threads in the "Development & Technical Discussion" and "Technical Support" sub-forums.  These sub-forums are intended for discussion at a technical level about how bitcoin works and realistic improvements.  If someone wants to post in either of these sub-forums with questions trying to actually learn and understand, then I'm happy to take the time to explain what I know and discuss their ideas.

But when someone comes in with the equivalent of "Lets put windmills on our electric cars so that they can generate electricity and power themselves while we're driving!  Then we can drive thousands of miles without needing to plug in!" They are wasting their own time, and the time of every person that accidentally reads their post.  I'm not going to waste time explaining wind resistance, conversion losses, and thermodynamics to someone that clearly is more interested in announcing their amazing discovery than trying to learn.

Equivalently, cryptocurrencies are something that has been studied and investigated for several decades.  There are many ideas that have been clearly proven  to not work, and many issues that had to be overcome.  Bitcoin was the first decentralized trustless cryptocurrency system that manages to address some of the biggest issues. If someone doesn't understand why mining and ECDSA signatures are part of that solution (or even what makes something a "public key" or "private key", and comes in with "Lets get rid of ECDSA and use SHA256 to prove authorized access to bitcoins!", they are wasting their own time, and the time of every person that accidentally reads their post.  I'm not going to waste time explaining all the many technical details to someone that is clearly more interested in announcing their amazing discovery than trying to learn.

[RealBitcoin]

I try to be a bit more tolerant in the "Beginners & Help" and "Bitcoin Discussion" sub-forums.  Those are filled with newbies that just want to talk about bitcoin related stuff.  I have no expectation that they have any particular level of knowledge about any technical details.

Just chill out man, no need to be rude.

If my idea is worthless, then it strengthens the point why ECDSA is needed, and people will apreciate ECDSA more.

If my idea has some worth then it could give ideas for developers to create a system like I described, perhaps as a side-chain.

Either case, it is worth discussing this in my opinion, discussing things is never wrong, no matter what is the outcome, people will come out as winners because knowledge will be shared.

[Come-from-Beyond]

If my idea is worthless, then it strengthens the point why ECDSA is needed, and people will apreciate ECDSA more.

Your idea is not worthless and is already used in one of the altcoins. It's actually a nice solution for IoT-friendly cryptography for which ECDSA is too "heavy". The only requirements are to wait long enough between beginning and committing a transaction and to not reuse addresses (private keys).

[RealBitcoin]

If my idea is worthless, then it strengthens the point why ECDSA is needed, and people will apreciate ECDSA more.

Your idea is not worthless and is already used in one of the altcoins. It's actually a nice solution for IoT-friendly cryptography for which ECDSA is too "heavy". The only requirements are to wait long enough between beginning and committing a transaction and to not reuse addresses (private keys).

Yep, with waiting like X confirms, for security (could be specifed by author of transaction), and removing the transaction data if private key is not revealed after X+Y confirmations, where X=Y.

Nodes could block clients that do malicious things (banlist already avalaible in bitcoin too), while the blockchain would remove unconfirmed transaction.

The TX would just be a 2 step process instead of one.

I'd imagine a private blockchain would use something like this, especially if only trusted nodes exist.

[btchris]

Your idea is not worthless and is already used in one of the altcoins.

Out of curiosity, which altcoins?

The only requirements are to wait long enough between beginning and committing a transaction and to not reuse addresses (private keys).

What about the added requirement of a good CSPRNG source for every tx (not required by ECDSA), something which is more difficult to obtain in an isolated IoT environment w/o added (and unauditable) hardware support?

There's also extra non-volatile state which much be maintained to commit the tx, another weak suit of IoT devices in general, correct?

ECDSA isn't that hard, otherwise hardware wallets wouldn't exist....

[TransaDox]

but as I look at it, the public->private key system is 1 directional

This is a flaw in your assumptions. It is not one directional. The private and public keys are two parts of a puzzle. The puzzle is easy to make but so hard to solve that it is effectively impossible. However there is one exception. There is a shortcut that makes the solving very fast and easy. There is a secret "trap door" that enables bypassing of the impossibly hard route and to open it you need  the right [private] key.

So one gives the public key to anyone that wishes to make a puzzle. Once created only the person that knows the key to the "trap door" can solve it. This is why they are termed "key pairs" since a private and public key are related by the "trap door".

This is the premise behind most cryptography that is based on a "trap door function" and includes Elliptic Curve, RSA and DSA to name the more common ones.

Hopefully you can see that to tell everyone how to open the secret trap door is, in general, not a good idea.

[Come-from-Beyond]

Out of curiosity, which altcoins?

Can't recall the name.

What about the added requirement of a good CSPRNG source for every tx (not required by ECDSA), something which is more difficult to obtain in an isolated IoT environment w/o added (and unauditable) hardware support?

It's not needed, you already have a cryptographic hash function and publish SHA3(txData+secret) on the 1st step and reveal the secret on the 2nd when the network verifies that SHA3(secret) matches the spending address.

There's also extra non-volatile state which much be maintained to commit the tx, another weak suit of IoT devices in general, correct?

Probably, depends on an implementation.

ECDSA isn't that hard, otherwise hardware wallets wouldn't exist....

Can you imagine, IoT requires a more lightweight algorithms base.

[TransaDox]

Can you imagine, IoT requires a more lightweight algorithms base.

I already have an Internet of Things that need internet. Turns out there aren't that many and those that do have lots of processing power because they need to defend themselves from the internet.

[Sergio_Demian_Lerner]

Something similar to what you proposed can actually work.

It's called MAVEPAY (https://bitslog.wordpress.com/2012/04/16/mavepay-a-new-lightweight-payment-scheme-for-peer-to-peer-currency-networks/), and the signature protocol is called MAVE (https://bitslog.wordpress.com/2012/04/09/mave-digital-signature-protocol-for-massive-bulk-verifications/)

A weaker and later alternative was called FawkesCoin.

[pepethefrog]

Pepe thinks you have to make yourself familiar with the difference between

cryptography used for signatures
and
cryptography used for hashes

Those two are very different beasts and not interchangeable.