Bitcoin Forum
Author Topic: Some magic?  (Read 1918 times)
amaclin (OP)
December 26, 2016, 07:12:19 PM
Merited by ABCbits (1)
 #1

Can anyone explain the magic math in this transaction?
0895e97e9c4ce7ebe04e15e0835bb0788053fbfdbbb2f3f25f81631687d7b857

https://test.webbtc.com/script/0895e97e9c4ce7ebe04e15e0835bb0788053fbfdbbb2f3f25f81631687d7b857:0

Code:
OP_DUP
OP_HASH160
2ffb13a67da34b06da4297d9dc25e5953e658a7b
OP_EQUALVERIFY
OP_SWAP
OP_CHECKSIG

(I am too lazy to research everything myself, but this transaction is the most beautiful one in the blockchain, I think.)
gmaxwell
December 26, 2016, 10:38:33 PM
Merited by ABCbits (3)
 #2

An ECDSA signature itself does not prove knowledge of a discrete log.

You can pick a random message and a random signature, then compute the public key this signature, message pair would be valid for.

To accomplish this, you must-- of course-- make sure the message does not contain any commitment to the public key.

Bitcoin's signatures include a commitment to the scriptPubkey-- but nothing requires you to have the EC public key there.

This cute construction is not secure: if you'd seen that txn before confirmation you could have modified the destination and computed a new pubkey.

If you take a look at Roconnor's covenants post you'll see he uses the same kind of pubkey recovery to turn checksig into an operation for verifying a hash of the masked transaction-- which otherwise the script doesn't have access to.
DannyHamilton
December 28, 2016, 01:28:35 AM
 #3

Quote from: gmaxwell on December 26, 2016, 10:38:33 PM
An ECDSA signature itself does not prove knowledge of a discrete log.

You can pick a random message and a random signature, then compute the public key this signature, message pair would be valid for.

To accomplish this, you must-- of course-- make sure the message does not contain any commitment to the public key.

Bitcoin's signatures include a commitment to the scriptPubkey-- but nothing requires you to have the EC public key there.

This cute construction is not secure: if you'd seen that txn before confirmation you could have modified the destination and computed a new pubkey.

If you take a look at Roconnor's covenants post you'll see he uses the same kind of pubkey recovery to turn checksig into an operation for verifying a hash of the masked transaction-- which otherwise the script doesn't have access to.

amaclin already knew all of this, and almost certainly created this transaction himself.

Thank you for taking the time to explain it to everyone else that looks at this thread.
amaclin (OP)
December 28, 2016, 07:24:41 AM
Last edit: December 28, 2016, 08:47:52 AM by amaclin
 #4

Quote from: DannyHamilton on December 28, 2016, 01:28:35 AM
amaclin already knew all of this,
Not all, but the best way to study and teach is asking questions.

Quote from: DannyHamilton on December 28, 2016, 01:28:35 AM
and almost certainly created this transaction himself.
You are wrong.
You can google the txid and find the creator. His nickname is "arubi"
DannyHamilton
December 28, 2016, 03:32:09 PM
 #5

Quote from: amaclin on December 28, 2016, 07:24:41 AM
amaclin already knew all of this,
Not all, but the best way to study and teach is asking questions.

and almost certainly created this transaction himself.
You are wrong.

Perhaps.  Perhaps not.  But it wouldn't be the first time you posted something here wanting someone to explain what you created rather than explaining it yourself.

Quote from: amaclin on December 28, 2016, 07:24:41 AM
You can google the txid and find the creator. His nickname is "arubi"

Certainly, but I can't tell whether you are "arubi" or not.
amaclin (OP)
December 28, 2016, 03:43:57 PM
 #6

Quote from: DannyHamilton on December 28, 2016, 03:32:09 PM
But it wouldn't be the first time you posted something here wanting someone to explain
Is it forbidden by national laws, forum rules or religious ethics?

Let's assume that I am a school teacher.
Most teachers ask questions already knowing the answers.
The best of them ask questions without knowing the correct answer.

The point is to teach the students about something new and interesting.
If you are not interested in the abilities of Bitcoin Script, you can chat in the 'Marketplace' section
of this forum about the bitcoin price on exchanges.

By the way.
Can you explain in terms of addition/multiplication on EC how to create such address?
I am still looking for the answer.
piotr_n
December 28, 2016, 05:33:32 PM
 #7

I found it interesting.
Thanks for starting this topic, @amaclin

It intrigued me how one can make a valid signature before having the message.
Thanks for explaining, @gmaxwell

gmaxwell
December 28, 2016, 10:59:27 PM
 #8

Arubi doesn't have a bitcointalk account, and saw others being blamed for their transaction and asked me to post this:

Code:
mw1vkYok3eGrccuMx5Ztbj3RH6Pyrb8b8z H5Fm9/Ejebxv5KybIf+hUgGcubVp3B6bxcl7RVMLUS7EABFn75VsV+S+sNW5Oc02M/awPv8tHAeIS+PJtU5qVyA= "I am not amaclin :) : https://gist.github.com/fivepiece/f39de978f5fb94b08b54f33db5e42d9a  -  arubi"
amaclin (OP)
January 08, 2017, 02:06:00 PM
 #9

even more fucking magic here:
testnet address: 2N1L2bubWhfQd7ZkV31fw9VnFt45bHGZ39n

I've spent a couple of days resolving the same problem as
https://github.com/bitcoin-core/secp256k1/issues/419
and finally got it
https://testnet.smartbit.com.au/tx/c6c232a36395fa338da458b86ff1327395a9afc28c5d2daa4273e410089fd433
DuddlyDoRight
January 08, 2017, 05:13:01 PM
 #10

You could probably make an attack using this by just implementing a passive handler in some mining software and having decent throughput to increase probability of being first if anyone ever uses it.

I was looking into similar stuff a while back when I was basically fuzzing whitelisted blockchain scripts. It kind of falls under the throughput prerequisite like double spending does, though.

It'd probably be a waste of time though, because only devs would put something like this out there and they wouldn't do it with anything profitable. An attacker would be better off looking for memory corruption in block handlers of popular wallet software.

arubi
January 11, 2017, 11:26:38 AM
Last edit: January 11, 2017, 03:43:19 PM by arubi
 #11


mw1vkYok3eGrccuMx5Ztbj3RH6Pyrb8b8z ILuXAeNs5Huml35IlLrDRP2aMTjdSOH7Lcx2NzN6xdy1fvNlcluhEQdlcOE8l4TmsX5pXmvC/dXoa/pMenmBBx8= "thank you gmaxwell for passing this message for me: https://bitcointalk.org/index.php?topic=1729534.msg17330531#msg17330531.  I have registered 'arubi' in bitcointalk."

Quote from: amaclin on January 08, 2017, 02:06:00 PM
even more fucking magic here:
testnet address: 2N1L2bubWhfQd7ZkV31fw9VnFt45bHGZ39n

I've spent a couple of days resolving the same problem as
https://github.com/bitcoin-core/secp256k1/issues/419
and finally got it
https://testnet.smartbit.com.au/tx/c6c232a36395fa338da458b86ff1327395a9afc28c5d2daa4273e410089fd433


The redeemScript in your transaction is :

Code:
21026D2204A9535443657A88A0724FBD49A0E78D305F50A82F2CC9DD9BEA10A6C5CD0C093006020101020101017CAC

Which is really :

Code:
0x21 026D2204A9535443657A88A0724FBD49A0E78D305F50A82F2CC9DD9BEA10A6C5CD
0x0C 093006020101020101017CAC

So no actual checksig is being done; it's just a push-only script that anyone can spend (by knowing the preimage to the hash160 of the p2sh address!).
amaclin (OP)
January 11, 2017, 11:31:36 AM
 #12

Quote from: arubi on January 11, 2017, 11:26:38 AM
So no actual checksig is being done; it's just a push-only script that anyone can spend (by knowing the preimage to the hash160 of the p2sh address!).
checksig is there
try to
Code:
decodescript 093006020101020101017CAC
because this script is also executed
arubi
January 11, 2017, 11:36:59 AM
 #13

Quote from: amaclin on January 11, 2017, 11:31:36 AM
So no actual checksig is being done; it's just a push-only script that anyone can spend (by knowing the preimage to the hash160 of the p2sh address!).
checksig is there
try to
Code:
decodescript 093006020101020101017CAC
because this script is also executed

Ah, of course, my bad.
I mistakenly treated the whole script as the redeemScript.

2N1L2bubWhfQd7ZkV31fw9VnFt45bHGZ39n == p2sh(093006020101020101017CAC)

You're correct.
arubi
January 11, 2017, 12:52:56 PM
 #14

How about some more related magic?

Code:
bitcoin-cli -testnet verifymessage n3pipvo2QLdpA7fT6rdxpK4SwtQMU7NjTW HwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= "more magic!"

But also..

Code:
moRMb9NywwQK11DGACpbyCnF9PHUYi4T8j GwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= "more magic!"

And even..

Code:
mhiPJJ6S8a4esoZ5vg7sLr8CUQ4ucAiJh4 IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= "more magic!"
mmXG3SFKMh97itFinputYGmTTamZ6aNWuW HAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= "more magic!"

Four addresses return true for validating the same signature and message; this is expected, but then...

Code:
mfrhby2UMRhbRtH9b6eojUzJmKz2Cv3jeZ GwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mkgdQagihvyJ4p22iXuow9JefTfJMdEH1d HwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mxAbUQiehf7nNcxLQ7snrbwu2qA9qKSeEG HAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mzYEkoB9Mh4N376U4gVwL2MvQw9sJT1GB7 IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
miZSVBRAYM6M6YauJP9oF8jnsCewQjNDrU HQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mtbsZRThdRAX3A95HqhqQPiqQEntaHu5jj IQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
myJ2iF9WxfMmi71B25jMVX9wVzfkHiG9mg HgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mg28w5mhexA31huumnBVX4VvR9fRupSWot IgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
amaclin (OP)
January 11, 2017, 12:58:59 PM
 #15

I do not know how the digest is calculated for bitcoin messages.
But your eight signatures do not seem "the same".
So, this is not real magic.
arubi
January 11, 2017, 01:10:24 PM
 #16

All 4 in the beginning are the same (r=1, s=1), and all 8 afterwards are the same (r=4, s=4):

Code:
1b 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
1f 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
1c 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
20 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
1d 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
21 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
1e 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
22 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004

The first byte is something Core prepends to the signature, but it is not part of it (it is not signed either).
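An added example, not code from anyone in this thread: pure-Python ECDSA public-key recovery on secp256k1, covering both gmaxwell's point in #2 (a signature proves nothing about a private key, since for any chosen (r, s) and digest z the key Q = r^-1(sR - zG) verifies) and arubi's fixed r=s=1 and r=s=4 signatures in #14 and #16. The digest function follows the Bitcoin Core signmessage format for messages shorter than 253 bytes; the rest is the standard recovery algorithm written out with integer arithmetic.

```python
import hashlib
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    if p == q: lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else: lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def mul(k, p):  # double-and-add scalar multiplication, k >= 0
    r = None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def lift_x(x, odd):  # point with this x and y parity; P % 4 == 3 so sqrt is one pow
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)
    if y * y % P != (x**3 + 7) % P: return None  # no point with this x on the curve
    return (x, y if y & 1 == odd else P - y)

def message_digest(msg):  # what Core's signmessage/verifymessage hash (msg < 253 bytes)
    data = b"\x18Bitcoin Signed Message:\n" + bytes([len(msg)]) + msg
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")

def recover(r, s, z, recid):  # Q = r^-1 * (s*R - z*G) with R chosen by the recovery id
    if not (1 <= r < N and 1 <= s < N): return None
    x = r + N if recid & 2 else r               # bit 1: R.x was reduced mod N to give r
    R = lift_x(x, recid & 1) if x < P else None  # bit 0: parity of R.y
    if R is None: return None
    rinv = pow(r, -1, N)
    return add(mul(s * rinv % N, R), mul(-z * rinv % N, G))

def verify(Q, r, s, z):  # textbook ECDSA verification of (r, s) over digest z under key Q
    if Q is None or not (1 <= r < N and 1 <= s < N): return False
    w = pow(s, -1, N)
    X = add(mul(z * w % N, G), mul(r * w % N, Q))
    return X is not None and X[0] % N == r

def keys_for_signature(r, s, z):  # every public key that accepts the fixed signature (r, s)
    return [Q for Q in (recover(r, s, z, i) for i in range(4)) if verify(Q, r, s, z)]
```

Calling `keys_for_signature(4, 4, message_digest(b"more magic!"))` returns the four public keys behind arubi's eight addresses (each key appears there once compressed and once uncompressed), and `r = s = 1` gives the keys behind his four. Because Q depends on z, changing the spending transaction changes which key the fixed signature is valid for, which is exactly why the script in the opening post is not safe against modification before confirmation.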