Bitcoin Forum
Topic: Question about Bitcoin Digital signatures (Read 219 times)
zebox6
December 14, 2018, 07:15:00 PM
Last edit: December 14, 2018, 07:52:12 PM by zebox6
Merited by ETFbitcoin (1)
 #1

Hello guys,

I have a question regarding Bitcoin digital signatures:

On the Bitcoin network, when

- Bob sends a transaction to Alice's public key and signs using his private key, what is the method used to sign? In my understanding, the transaction would be hashed in SHA 256 and then encoded with the private key.

- Alice receives the transaction and needs to verify its validity: she decrypts the signature using Bob's public key, and this is where I don't really understand anymore. Like when she decrypts the signature, she then has the hash of the transaction, right? Because the transaction was hashed by Bob, so she can't immediately get the original transaction at this moment, or can she? So how can she get the original transaction with the hash of this transaction, because we can't reverse it, right? Like if a document is hashed and encoded with a private key, then if I decrypt it with a public key, will I get the original document, or will I just get the hash of this document?

- When she finally gets access to the transaction, then she would have to hash the transaction she received to compare the result with the hash she got? This way she is able to know if it's Bob who sent the document and if the document wasn't modified, right?

Thank you to the guys who will respond, if any :)
I'm not really into cryptography or programming so it can be pretty hard to understand sometimes.
ETFbitcoin
December 14, 2018, 08:06:38 PM
 #2

OP, I think you're confused between hash, encryption and signature.

Quote
- Bob sends a transaction to Alice's public key and signs using his private key, what is the method used to sign? In my understanding, the transaction would be hashed in SHA 256 and then encoded with the private key.

No, AFAIK the method to sign a bitcoin transaction is by using ECDSA or secp256k1 with Bob's private key. Hashing is used to make identifying or locating a transaction easier.

Quote
- Alice receives the transaction and needs to verify its validity: she decrypts the signature using Bob's public key, and this is where I don't really understand anymore. Like when she decrypts the signature, she then has the hash of the transaction, right? Because the transaction was hashed by Bob, so she can't immediately get the original transaction at this moment, or can she? So how can she get the original transaction with the hash of this transaction, because we can't reverse it, right? Like if a document is hashed and encoded with a private key, then if I decrypt it with a public key, will I get the original document, or will I just get the hash of this document?

- When she finally gets access to the transaction, then she would have to hash the transaction she received to compare the result with the hash she got? This way she is able to know if it's Bob who sent the document and if the document wasn't modified, right?

- Alice verifies the transaction using Bob's public key (which is included in the transaction). There's no such thing as decrypting a signature.
- A Bitcoin transaction contains Alice's bitcoin address, so she can get the transaction after it's broadcast by Bob. Alice's wallet simply needs to check the blockchain to see if there are any transactions which contain Alice's address.

- You can't use hashing to encrypt and decrypt a file. Hashing is mainly used to prove the file/message isn't tampered with, even though a signature is better at this task.

achow101
December 14, 2018, 11:58:20 PM
Merited by ETFbitcoin (1)
 #3

Quote
OP, I think you're confused between hash, encryption and signature.

- Bob sends a transaction to Alice's public key and signs using his private key, what is the method used to sign? In my understanding, the transaction would be hashed in SHA 256 and then encoded with the private key.

No, AFAIK the method to sign a bitcoin transaction is by using ECDSA or secp256k1 with Bob's private key. Hashing is used to make identifying or locating a transaction easier.

Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) with the curve secp256k1. Part of ECDSA is that the message to be signed is hashed.

zebox6
December 15, 2018, 07:54:56 PM
 #4

Thank you for answering guys :)

So if I get it right,

- The transaction is signed with Bob's private key + ECDSA (if you know the process or have an article about it, I would be interested)

- Alice can decode the signature with Bob's public key.

- So, if the transaction is not hashed, how can Alice know if the transaction has been modified?

darosior
December 15, 2018, 08:39:49 PM
Merited by ETFbitcoin (1)
 #5

Hi,

ECDSA stands for Elliptic Curve Digital Signature Algorithm and is therefore an algorithm used to create a signature from a message (here the transaction).
Now if Bob makes a transaction, the transaction is signed with a Digital Signature Algorithm using an Elliptic Curve and more precisely the secp256k1 curve (https://en.bitcoin.it/wiki/Secp256k1).
Quote
- Alice can decode the signature with Bob's public key.
Actually she does not need to do that. Here is roughly what happens:
- Bob constructs a transaction. A transaction unlocks some coins in order to lock them (or part of them) so that only the receiver's private key can unlock them. Actually, having some coins spent to your address just means that someone made a transaction that locks coins that only your private key can unlock.
- Bob signs the transaction. To sign a message you must provide a private key, and unlocking some coins is, roughly, providing a valid signature (meaning "Hey, I have the private key!").
- The signature is then appended to the transaction (in a special field).
- The transaction is broadcast to the whole Bitcoin network. (Alice knows about the transaction but her wallet says it is unconfirmed)
- The transaction is put in a block by a miner. (Alice now sees the transaction as confirmed)

Alice does not have to decode the signature; when the transaction is broadcast, every node of the network checks that the signature that Bob provided to unlock the coins is valid. A valid signature is one which is from a private key corresponding to the address for which the coins have been locked.

Quote
- So, if the transaction is not hashed, how can Alice know if the transaction has been modified?
Actually hashing the message is part of ECDSA, the transaction (=the message) is hashed (with a double sha256) and this is the hash which is signed.

English is not my first language so I don't know if I've been clear enough.

achow101
December 15, 2018, 10:53:11 PM
Merited by ETFbitcoin (1)
 #6

Quote
Thank you for answering guys :)

So if I get it right,

- The transaction is signed with Bob's private key + ECDSA (if you know the process or have an article about it, I would be interested)

Close. The transaction is signed with Bob's private key using ECDSA. ECDSA is an algorithm. You can read about how it works on Wikipedia.

Quote
- Alice can decode the signature with Bob's public key.

Alice verifies the signature with Bob's public key (provided in the transaction). She does not just decode it, but decoding (interpreting the values in a piece of data) is necessary to get the values inside of the signature.

Quote
- So, if the transaction is not hashed, how can Alice know if the transaction has been modified?

Part of ECDSA is hashing the message to be signed. In this case, that is the transaction. The message hash itself is not included anywhere. However, because the message is provided (it's the transaction), we can easily compute the hash of it in order to verify the signature. If the transaction were modified, the hash would not match the hash that was used to create the signature, so the signature would not validate to true. Thus the transaction would be invalid.

zebox6
December 15, 2018, 11:21:15 PM
Last edit: December 15, 2018, 11:36:32 PM by zebox6
 #7

Thank you for this high-level explanation @darosior, @achow101!
I understand it well now.

I just have one last question about the validity check of the signature and the hash:

1) Does Alice (or the nodes of the network?) verify the signature, by checking if it can unlock Bob's public key provided in the transaction?

2) The ECDSA algorithm hashes the transaction and creates a signature using Bob's private key. Alice checks the signature using Bob's public key so she is sure Bob sent the transaction, and verifies if the transaction was modified by trying to hash the transaction to see if the hash is the same that Bob sent to her? But if you say that "the hash itself is not included anywhere", how can Alice compare the 2 hashes?

I hope my questions are clear, I did my best ^^
darosior
December 15, 2018, 11:28:46 PM
 #8

Quote
Do the nodes of the network check that the signature is from the private key of the sender, by checking if it can unlock his public key provided in the transaction?
Yes. Every node receiving a transaction on the network verifies it before broadcasting it (verifying includes verifying its encoding, its signature(s) validity, etc.).

zebox6
December 16, 2018, 04:16:06 PM
 #9

Quote
Do the nodes of the network check that the signature is from the private key of the sender, by checking if it can unlock his public key provided in the transaction?
Yes. Every node receiving a transaction on the network verifies it before broadcasting it (verifying includes verifying its encoding, its signature(s) validity, etc.).

Great :)

And would you have a clue for my question 2? (I edited it after I published it)
Coding Enthusiast
December 16, 2018, 05:07:34 PM
Merited by ETFbitcoin (1)
 #10

Elliptic Curve Cryptography is just math, and in the mathematical operations you are basically working with numbers. So when you want to sign something you convert that into a number and then perform your calculations using that number.
Signing needs to happen on anything. It can be 1 byte or it can be 1000 bytes. You can't calculate if everything else is 32 bytes while your message size varies. So what you do is that you find a way to "shrink" the size of that message you want to sign to an always-the-same size. That is where the hash function comes in.
The hash function which is chosen needs to be secure so that there is no collision risk and since security level of secp256k1 curve is 128 bit we need to choose a hash function that has at least 128 bit security level. SHA256 has 258/2 bit or 128 bit security level. So it is used for bitcoin.

Now this "message" can be anything. In bitcoin when someone creates a transaction and signs it, there is a standard about what that "message" should be so everyone can easily calculate it too. In short it is the serialization of the transaction with its script signature replaced by the previous output's scriptpub and then hashed twice using SHA256.
So in other words to answer your second question above, the hash doesn't need to be included anywhere, it is easily calculated.


darosior
December 16, 2018, 05:11:42 PM
Merited by ETFbitcoin (1)
 #11

Assuming your question 2 is
Quote
2) The ECDSA algorithm hashes the transaction and creates a signature using Bob's private key. Alice checks the signature using Bob's public key so she is sure Bob sent the transaction, and verifies if the transaction was modified by trying to hash the transaction to see if the hash is the same that Bob sent to her? But if you say that "the hash itself is not included anywhere", how can Alice compare the 2 hashes?
Alice does not compare the 2 hashes. It's as simple as that, I think you misunderstood how the coins are "sent". When Bob sends some coins to Alice, he sends a transaction unlocking some coins that have been locked for him, in order to lock them for Alice, to the whole network. Why send it to the whole network? Because neither Alice nor Bob has something such as coins on their computer; if some coins are transferred from Bob to Alice, the whole network (or most of it) must verify the transaction, then verify a block including this transaction, which changes the state of the global ledger and especially the coins that can be unlocked by Bob's or Alice's private key.

Actually, the hash is used and it is what is called the txid, but it is not what secures the transaction in that case.

zebox6
December 17, 2018, 02:48:50 PM
 #12

Thanks for your time guys, everything is clear now!
It's great how people help each other on this forum :)
