Bitcoin Forum
December 15, 2019, 04:12:20 PM *
News: Latest Bitcoin Core release: 0.19.0.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Some magic?  (Read 1749 times)
amaclin
Legendary
*
Offline Offline

Activity: 1260
Merit: 1002


View Profile
December 26, 2016, 07:12:19 PM
 #1

Can anyone explain the magic math in this transaction?  Shocked
0895e97e9c4ce7ebe04e15e0835bb0788053fbfdbbb2f3f25f81631687d7b857

https://test.webbtc.com/script/0895e97e9c4ce7ebe04e15e0835bb0788053fbfdbbb2f3f25f81631687d7b857:0

Code:
OP_DUP
OP_HASH160
2ffb13a67da34b06da4297d9dc25e5953e658a7b
OP_EQUALVERIFY
OP_SWAP
OP_CHECKSIG

(I am too lazy to research everything myself. But this transaction is the most beautiful one in the blockchain I think)
1576426340
Hero Member
*
Offline Offline

Posts: 1576426340

View Profile Personal Message (Offline)

Ignore
1576426340
Reply with quote  #2

1576426340
Report to moderator
1576426340
Hero Member
*
Offline Offline

Posts: 1576426340

View Profile Personal Message (Offline)

Ignore
1576426340
Reply with quote  #2

1576426340
Report to moderator
1576426340
Hero Member
*
Offline Offline

Posts: 1576426340

View Profile Personal Message (Offline)

Ignore
1576426340
Reply with quote  #2

1576426340
Report to moderator
According to NIST and ECRYPT II, the cryptographic algorithms used in Bitcoin are expected to be strong until at least 2030. (After that, it will not be too difficult to transition to different algorithms.)
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1576426340
Hero Member
*
Offline Offline

Posts: 1576426340

View Profile Personal Message (Offline)

Ignore
1576426340
Reply with quote  #2

1576426340
Report to moderator
gmaxwell
Moderator
Legendary
*
qt
Offline Offline

Activity: 2898
Merit: 2865



View Profile
December 26, 2016, 10:38:33 PM
 #2

An ECDSA signature itself does not prove knowledge of a discrete log.

You can pick a random message and a random signature  then compute the public key this signature,message pair would be valid for.

To accomplish this, you must-- of course-- make sure the message does not contain any commitment to the public key.

Bitcoin's signatures include a commitment to the scriptPubkey-- but nothing requires you to have the EC public key there.

This cute construction is not secure: if you'd seen that txn before confirmation you could have modified the destination and computed a new pubkey.

If you take a look at Roconnor's covenants post you'll see he uses the same kind of pubkey recovery to turn checksig into an operation for verifying a hash of the masked transaction-- which otherwise the script doesn't have access to.
DannyHamilton
Legendary
*
Offline Offline

Activity: 2282
Merit: 1585



View Profile
December 28, 2016, 01:28:35 AM
 #3

An ECDSA signature itself does not prove knowledge of a discrete log.

You can pick a random message and a random signature  then compute the public key this signature,message pair would be valid for.

To accomplish this, you must-- of course-- make sure the message does not contain any commitment to the public key.

Bitcoin's signatures include a commitment to the scriptPubkey-- but nothing requires you to have the EC public key there.

This cute construction is not secure: if you'd seen that txn before confirmation you could have modified the destination and computed a new pubkey.

If you take a look at Roconnor's covenants post you'll see he uses the same kind of pubkey recovery to turn checksig into an operation for verifying a hash of the masked transaction-- which otherwise the script doesn't have access to.

amaclin already knew all of this, and almost certainly created this transaction himself.

Thank you for taking the time to explain it to everyone else that looks at this thread.

amaclin
Legendary
*
Offline Offline

Activity: 1260
Merit: 1002


View Profile
December 28, 2016, 07:24:41 AM
Last edit: December 28, 2016, 08:47:52 AM by amaclin
 #4

amaclin already knew all of this,
Not all, but the best way to study and teach is asking questions.

and almost certainly created this transaction himself.
You are wrong.
You can google the txid and find the creator. His nickname is "arubi"
DannyHamilton
Legendary
*
Offline Offline

Activity: 2282
Merit: 1585



View Profile
December 28, 2016, 03:32:09 PM
 #5

amaclin already knew all of this,
Not all, but the best way to study and teach is asking questions.

and almost certainly created this transaction himself.
You are wrong.

Perhaps.  Perhaps not.  But it wouldn't be the first time you posted something here wanting someone to explain what you created rather than explaining it yourself.

You can google the txid and find the creator. His nickname is "arubi"

Certainly, but I can't tell whether you are "arubi" or not.

amaclin
Legendary
*
Offline Offline

Activity: 1260
Merit: 1002


View Profile
December 28, 2016, 03:43:57 PM
 #6

But it wouldn't be the first time you posted something here wanting someone to explain
Is it forbidden by national laws, forum rules or religious ethics?  Grin

Let's assume that I am a school teacher.
Most of teachers ask the questions already knowing the answers.
The best of them ask questions without a knowledge of correct answer.

The point is to teach the students about something new and interesting.
If you are not interested in bitcoin script abilities you can chat in 'Marketplace' section
of this forum about bitcoin price on exchanges.

By the way.
Can you explain in terms of addition/multiplication on EC how to create such address?
I am still looking for the answer.
piotr_n
Legendary
*
Offline Offline

Activity: 2016
Merit: 1054


aka tonikt


View Profile WWW
December 28, 2016, 05:33:32 PM
 #7

I found it interesting.
Thanks for starting this topic, @amaclin

It intrigued me how one can make a valid signature before having the message.
Thanks for explaining, @gmaxwell

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
gmaxwell
Moderator
Legendary
*
qt
Offline Offline

Activity: 2898
Merit: 2865



View Profile
December 28, 2016, 10:59:27 PM
 #8

Arubi doesn't have a bitcointalk account, and saw others being blamed for their transaction and asked me to post this:

Code:
mw1vkYok3eGrccuMx5Ztbj3RH6Pyrb8b8z H5Fm9/Ejebxv5KybIf+hUgGcubVp3B6bxcl7RVMLUS7EABFn75VsV+S+sNW5Oc02M/awPv8tHAeIS+PJtU5qVyA= "I am not amaclin :) : https://gist.github.com/fivepiece/f39de978f5fb94b08b54f33db5e42d9a  -  arubi"
amaclin
Legendary
*
Offline Offline

Activity: 1260
Merit: 1002


View Profile
January 08, 2017, 02:06:00 PM
 #9

even more fucking magic here:
testnet address: 2N1L2bubWhfQd7ZkV31fw9VnFt45bHGZ39n

I've spent couple of days to resolve the same problem as
https://github.com/bitcoin-core/secp256k1/issues/419
and finally got it
https://testnet.smartbit.com.au/tx/c6c232a36395fa338da458b86ff1327395a9afc28c5d2daa4273e410089fd433
DuddlyDoRight
Sr. Member
****
Offline Offline

Activity: 318
Merit: 250



View Profile WWW
January 08, 2017, 05:13:01 PM
 #10

You could probably make an attack using this by just implementing a passive handler in some mining software and having decent throughput to increase probability of being first if anyone ever uses it.

I was looking in to similar stuff a while back when I was basically fuzzing whitelisted blockchain scripts.. It kind of falls under the throughput prerequisite like double spending does though..

It'd probably be a waste of time though because only devs would put something like this out there and they wouldn't do it with anything profitable.. An attacker would be better off looking for memory corruption in block handlers of popular wallet software..

I have faith that one day this forum will get threads where people won't just repeat their previous posts or what others have already stated in the same thread. Also that people will stop acting like BTC is toy-money and start holding vendors accountable. Naive? Maybe.
arubi
Newbie
*
Offline Offline

Activity: 31
Merit: 0


View Profile
January 11, 2017, 11:26:38 AM
Last edit: January 11, 2017, 03:43:19 PM by arubi
 #11


mw1vkYok3eGrccuMx5Ztbj3RH6Pyrb8b8z ILuXAeNs5Huml35IlLrDRP2aMTjdSOH7Lcx2NzN6xdy1fvNlcluhEQdlcOE8l4TmsX5pXmvC/dXoa/pMenmBBx8= "thank you gmaxwell for passing this message for me: https://bitcointalk.org/index.php?topic=1729534.msg17330531#msg17330531.  I have registered 'arubi' in bitcointalk."

even more fucking magic here:
testnet address: 2N1L2bubWhfQd7ZkV31fw9VnFt45bHGZ39n

I've spent couple of days to resolve the same problem as
https://github.com/bitcoin-core/secp256k1/issues/419
and finally got it
https://testnet.smartbit.com.au/tx/c6c232a36395fa338da458b86ff1327395a9afc28c5d2daa4273e410089fd433


The redeemScript in your transaction is :

Code:
21026D2204A9535443657A88A0724FBD49A0E78D305F50A82F2CC9DD9BEA10A6C5CD0C093006020101020101017CAC

Which is really :

Code:
0x21 026D2204A9535443657A88A0724FBD49A0E78D305F50A82F2CC9DD9BEA10A6C5CD
0x0C 093006020101020101017CAC

So no actual checksig is being done, it's just push only script that anyone can spend (by knowing the preimage to the hash160 of the p2sh address!).
amaclin
Legendary
*
Offline Offline

Activity: 1260
Merit: 1002


View Profile
January 11, 2017, 11:31:36 AM
 #12

So no actual checksig is being done, it's just push only script that anyone can spend (by knowing the preimage to the hash160 of the p2sh address!).
checksig is there Smiley
try to
Code:
decodescript 093006020101020101017CAC
because this script is also executed
arubi
Newbie
*
Offline Offline

Activity: 31
Merit: 0


View Profile
January 11, 2017, 11:36:59 AM
 #13

So no actual checksig is being done, it's just push only script that anyone can spend (by knowing the preimage to the hash160 of the p2sh address!).
checksig is there Smiley
try to
Code:
decodescript 093006020101020101017CAC
because this script is also executed

Ah of course, my bad Smiley
I mistreated the whole script as the redeemscript.

2N1L2bubWhfQd7ZkV31fw9VnFt45bHGZ39n == p2sh(093006020101020101017CAC)

You're correct.
arubi
Newbie
*
Offline Offline

Activity: 31
Merit: 0


View Profile
January 11, 2017, 12:52:56 PM
 #14

How about some more related magic?

Code:
bitcoin-cli -testnet verifymessage n3pipvo2QLdpA7fT6rdxpK4SwtQMU7NjTW HwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= "more magic!"

But also..

Code:
moRMb9NywwQK11DGACpbyCnF9PHUYi4T8j GwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= "more magic!"

And even..

Code:
mhiPJJ6S8a4esoZ5vg7sLr8CUQ4ucAiJh4 IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= "more magic!"
mmXG3SFKMh97itFinputYGmTTamZ6aNWuW HAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= "more magic!"

Four addresses that return true for validating the same signature and message, this is expected, but then...

Code:
mfrhby2UMRhbRtH9b6eojUzJmKz2Cv3jeZ GwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mkgdQagihvyJ4p22iXuow9JefTfJMdEH1d HwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mxAbUQiehf7nNcxLQ7snrbwu2qA9qKSeEG HAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mzYEkoB9Mh4N376U4gVwL2MvQw9sJT1GB7 IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
miZSVBRAYM6M6YauJP9oF8jnsCewQjNDrU HQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mtbsZRThdRAX3A95HqhqQPiqQEntaHu5jj IQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
myJ2iF9WxfMmi71B25jMVX9wVzfkHiG9mg HgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mg28w5mhexA31huumnBVX4VvR9fRupSWot IgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
amaclin
Legendary
*
Offline Offline

Activity: 1260
Merit: 1002


View Profile
January 11, 2017, 12:58:59 PM
 #15

I do not know how the digest is calculated for bitcoin messages.
But your eight signatures do not seem "the same".
So, this is not real magic  Grin
arubi
Newbie
*
Offline Offline

Activity: 31
Merit: 0


View Profile
January 11, 2017, 01:10:24 PM
 #16

All 4 in the begnning are the same ( r=1, s=1), and all 8 afterwards are the same (r=4, s=4):

Code:
1b 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
1f 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
1c 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
20 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
1d 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
21 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
1e 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
22 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004

The first byte is something Core prepends to the signature, but is not part of it (it is not signed also)
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!