Bitcoin Forum
Author Topic: How to prove to someone that a Bitcoin address (or UTXO) belongs to you?  (Read 1068 times)
Staizita (OP)
April 25, 2019, 11:48:16 AM
 #1

How to prove to someone that a Bitcoin address (or UTXO) belongs to you?

Are there (ZK) methods to prove it?

Does anyone know?
 
CodyAlfaridzi
April 25, 2019, 11:51:02 AM
Merited by OgNasty (1), darosior (1)
 #2

Sign a message with your Bitcoin address.

How to sign a message?!
aliashraf
April 25, 2019, 01:30:05 PM
Merited by d5000 (1), ABCbits (1), khaled0111 (1)
 #3

Quote
How to prove to someone that a Bitcoin address (or UTXO) belongs to you?

Are there (ZK) methods to prove it?

Does anyone know?

You need to:
1- generate a new address/wallet
2- announce the address to the other party
3- transfer funds from the original utxo to the new address

Note: Signing a message with your private key is not safe because you need to disclose the corresponding pubkey (of which your address is the RIPEMD-160 hash).
khaled0111
April 25, 2019, 04:54:54 PM
 #4

Quote
...

As aliashraf said, it is better to send a small amount of btc (dust) you agree on in advance to a new address generated by the other party.

I don't think exposing your pubkey by signing a message is a real risk though, at least for now, but "better be safe than sorry".

AB de Royse777
April 25, 2019, 06:05:11 PM
 #5

Quote
AFAIK ZKP isn't possible, either use the method mentioned by CodyAlfaridzi or aliashraf
Quote
Note: Signing a message with your private key is not safe because you need to disclose the corresponding pubkey (of which your address is the RIPEMD-160 hash).
Good point, but it's not like a Quantum Computer which can guess ECDSA's private key from its public key exists (yet).

After reading the response about signing an address, is it really risky exposing the pubkey? I mean even with Quantum Computing? Just wanted to be 100% sure coz I see people sign their address to prove ownership of the address and I have done that too on several occasions.

And I bet most of us did the same.

aliashraf
April 25, 2019, 06:29:46 PM
Last edit: April 25, 2019, 06:44:14 PM by aliashraf
 #6

Quote
AFAIK ZKP isn't possible, either use the method mentioned by CodyAlfaridzi or aliashraf
Quote
Note: Signing a message with your private key is not safe because you need to disclose the corresponding pubkey (of which your address is the RIPEMD-160 hash).
Good point, but it's not like a Quantum Computer which can guess ECDSA's private key from its public key exists (yet).

Although QC is not commercially available for now, in cases where the wallet holds large amounts of bitcoin and is supposed to be untouched for years (like Satoshi's wallets), disclosing the public key is not recommended because:

1- Bitcoin uses ECDSA 256k1, which is not considered very strong compared to electronic signature schemes currently employed with key lengths of 2048 bits and more. Besides QC, traditional supercomputers and sophisticated algorithms increasingly push for breaking longer and longer key lengths in feasible time.

2- Many implementation bugs have been identified (and fixed, thank God) in ECDSA key generation libraries that allow hackers to run side channel attacks against them; there is no guarantee this will not occur again. A disclosed public key provides the basis, and multiple instances of signed messages escalate the problem.

3- Many authors have suggested conspiracy theories about the NSA implementing back doors in the whole ECDSA algorithm and/or related software/hardware.
Jean_Luc
April 25, 2019, 06:45:32 PM
Merited by bob123 (1)
 #7

No risk to expose the pubkey. No powerful enough quantum computer exists today. Creating a true 256 qubit register is technically as hard as solving ECDLP256 with a classic supercomputer. If you consider a specific supercomputer (based on ASICs dedicated to ECC) with an equivalent power to the whole BTC network, solving a single key would require several billion years.
aliashraf
April 25, 2019, 07:08:49 PM
Last edit: April 25, 2019, 08:16:29 PM by aliashraf
 #8

Quote
No risk to expose the pubkey. No powerful enough quantum computer exists today. Creating a true 256 qubit register is technically as hard as solving ECDLP256 with a classic supercomputer. If you consider a specific supercomputer (based on ASICs dedicated to ECC) with an equivalent power to the whole BTC network, solving a single key would require several billion years.
QC is not the problem (not now), but your estimate about "billions of years" is not correct. There are good reasons to avoid re-using bitcoin addresses:

Breaking ECDSA is about prime factorization and not brute forcing sha2, hence it has nothing to do with the ASICs used in the bitcoin network. It is an active research field in mathematics, and although it is hard to believe in the discovery of a magical algorithm, improvements are absolutely possible. Meanwhile Moore's law is still working and attack costs are decreasing constantly.

More importantly, it is not just about the algorithm itself; side channel/implementation dependent attacks are another serious class of threats.

And we have conspiracy theories about the NSA and its history of implanting back doors in its products.

Finally, there is no reason to encourage disclosure of public keys and becoming exposed to a range of potential attacks, especially when it comes to sensitive utxos which are supposed to stay live for a long time and hold significant amounts of bitcoin.
pooya87
April 26, 2019, 04:46:12 AM
Merited by bob123 (2), ABCbits (1)
 #9

Quote
You need to:
1- generate a new address/wallet
2- announce the address to the other party
3- transfer funds from the original utxo to the new address
this method is not good at all because first of all it forces you to create an unnecessary on-chain transaction and pay fees, especially nowadays that fees are shooting up again.
secondly it is not reliable since it can be faked. you have no way of knowing whether the sending address or receiving address belongs to the person trying to prove ownership.

Quote
Note: Signing a message with your private key is not safe because you need to disclose the corresponding pubkey (of which your address is the RIPEMD-160 hash).
you don't exactly disclose your pubkey, not directly anyway. you only reveal your signature and your public key can be found from that. and more importantly you can NOT call it "not safe" because it is perfectly safe, as safe as millions of transactions that have been made so far. in other words just because some day ECDSA may be broken doesn't mean it is not safe today.

Jean_Luc
April 26, 2019, 05:13:11 AM
Merited by bob123 (1)
 #10

Quote
QC is not the problem (not now), but your estimate about "billions of years" is not correct. There are good reasons to avoid re-using bitcoin addresses:

Breaking ECDSA is about prime factorization and not brute forcing sha2, hence it has nothing to do with the ASICs used in the bitcoin network. It is an active research field in mathematics, and although it is hard to believe in the discovery of a magical algorithm, improvements are absolutely possible. Meanwhile Moore's law is still working and attack costs are decreasing constantly.

This was just a comparison: if you consider having an equivalent power to the whole BTC network with ASICs dedicated to ECC (not SHA2), breaking a single key would require several billion years using the fastest algorithm known today.
I agree with you, the most probable thing is that someone finds a way to solve ECDLP in polynomial time and space; in that case, bitcoin would die immediately.

Quote
More importantly, it is not just about the algorithm itself; side channel/implementation dependent attacks are another serious class of threats.

In that case, your address is also not safe.

Quote
And we have conspiracy theories about the NSA and its history of implanting back doors in its products.

Don't worry about that! You can check the order of the curve, its embedding degree, primitive roots of unity, etc... all is ok!

Quote
Finally, there is no reason to encourage disclosure of public keys and becoming exposed to a range of potential attacks, especially when it comes to sensitive utxos which are supposed to stay live for a long time and hold significant amounts of bitcoin.

There is also no reason today to discourage exposure of the public key.
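The parameter checks Jean_Luc refers to, as an added example that is not from this thread, run over secp256k1's published constants: prime field and prime group order, a non-singular curve, the anomalous-curve check (N differs from P), the MOV embedding-degree bound, and the Hasse interval. The bound of 100 on the embedding degree and the 32 Miller-Rabin rounds are choices made for this example.

```python
import math
import secrets

# Published secp256k1 constants: y^2 = x^3 + A*x + B over GF(P), group order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
A, B = 0, 7
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # random base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # found a witness of compositeness
    return True

def embedding_degree_exceeds(p, n, bound):
    """True if p^k != 1 (mod n) for every k <= bound, i.e. the MOV/Frey-Rueck
    transfer of the discrete log into GF(p^k) would need an infeasibly large k."""
    x = 1
    for _ in range(bound):
        x = x * p % n
        if x == 1:
            return False
    return True

def curve_checks(p=P, n=N, a=A, b=B, mov_bound=100):
    """The checks a verifier can run on a curve's published constants; all should be True."""
    return {
        "field_is_prime": is_probable_prime(p),
        "order_is_prime": is_probable_prime(n),            # cofactor 1, no small subgroups
        "not_singular": (4 * a ** 3 + 27 * b ** 2) % p != 0,
        "not_anomalous": n != p,                           # Smart's attack needs #E(GF(p)) = p
        "embedding_degree_large": embedding_degree_exceeds(p, n, mov_bound),
        "hasse_bound": abs(n - (p + 1)) <= 2 * math.isqrt(p),
    }
```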
bob123
April 26, 2019, 07:27:11 AM
 #11

Quote
1- Bitcoin uses ECDSA 256k1, which is not considered very strong compared to electronic signature schemes currently employed with key lengths of 2048 bits and more.

Which 'electronic' signature schemes are you exactly talking about?
I hope you are not talking about RSA..

Quote
2- Many implementation bugs have been identified (and fixed, thank God) in ECDSA key generation libraries

Like you wrote... in libraries.

Some random developer wrote a buggy library which allowed room for exploitation.. So.. how is this related to ECDSA / bitcoin at all?

Quote
3- Many authors have suggested conspiracy theories about the NSA implementing back doors in the whole ECDSA algorithm and/or related software/hardware.

And the government controls all of our brains with the help of chemtrails!

Please.. for the sake of satoshi.. stop posting so much retarded misinformation. That hurts reading.

aliashraf
April 27, 2019, 09:00:27 PM
 #12

---
I strongly recommend reading for you instead of posting here.

The concerns I listed in my post are not personal, they are common concerns among cryptographers including bitcoiners; check this one for instance: https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt#n4

It is a very bad attitude to talk about subjects that one has no background in. In the context of this topic, disclosing public keys is not recommended by prominent bitcoiners exactly because of the security concerns I've mentioned above, and your comment is not only worthless but also misleading and causes confusion. Drive safe.

jak3
April 27, 2019, 09:12:11 PM
 #13

If you have the private key of your wallet then you can use that private key to sign a message. Maybe you have seen the PGP keys out here in this forum before; those are encrypted messages which can be viewed with your public key but can only be unlocked, or in this case signed, with your private key. And as we know, private keys are what truly make you the owner of the Bitcoin address.
https://bitcoinmagazine.com/articles/bitcoin-address-sign-1399914228/
Try this article to find out more about how signing addresses works and how to perform it.
aliashraf
April 27, 2019, 09:43:11 PM
Last edit: April 29, 2019, 05:57:03 PM by aliashraf
 #14

Quote
If you have the private key of your wallet then you can use that private key to sign a message. Maybe you have seen the PGP keys out here in this forum before; those are encrypted messages which can be viewed with your public key but can only be unlocked, or in this case signed, with your private key. And as we know, private keys are what truly make you the owner of the Bitcoin address.
https://bitcoinmagazine.com/articles/bitcoin-address-sign-1399914228/
Try this article to find out more about how signing addresses works and how to perform it.
To use a signed message as proof of ownership of a bitcoin address, you need to disclose the public key behind that address; otherwise how would the other party be able to verify your signature?

Disclosing public keys is not recommended practice in the bitcoin community (don't take bob123 too seriously); that is why we discourage address re-use. Actually, a very effective proposal about signing multiple utxos (with the same output address) using a single signature has been abandoned just because of its potential for encouraging address re-use.

PGP keys typically use much higher security levels (like 4096 bits) compared to bitcoin ECDSA 256k1, and that is why people are more relaxed about sharing their public keys.
PrimeNumber7
April 27, 2019, 09:53:08 PM
 #15

Quote
Sign a message with your Bitcoin address.
I don't agree with this and I will explain why:

If you can provide a signature of a signed message, you are only proving you have seen the signature in the past. A well known example of this is CSW providing a signature of one of satoshi's early transactions as a "signed message" to prove he is satoshi. Does this signature prove CSW is satoshi? No, it absolutely does not, because the signature he provided is public information. Is CSW actually satoshi? I would keep an open mind if presented with additional credible evidence, but in my opinion he is in no way satoshi.

The above is an extreme example. Another example is someone can trick the "real" owner into signing a vague message and presenting that vague signed message as your own. If "Bob" were to be tricked into giving "Jack" the signature to the following message: "This is Bob's address and it is 2:45 PM", then Jack could present himself as being "Bob", and could present this signed message anytime it is shortly after 2:45 PM.

Using similar names, Jack could be willing to help Bob trick others into believing that Bob owns a particular "address" or UTXO, and could provide Bob with a specific signed message that makes others believe the UTXO belongs to Bob.

You could alleviate a lot of the above risk by asking Bob to sign a specific message that contains random data that you ask to be included in the signed message, and you are personally present from when Bob receives the specific message you provide up until he provides the signed message. This will still not 100% guarantee Bob controls the private key associated with the address in question because he could still be communicating with Jack electronically, and it would be risky for Bob if he does control the private key because he could be vulnerable to a "$5 wrench" attack.

In short, all providing a signed message will do is prove you have seen the associated signature.

aliashraf
April 27, 2019, 10:35:06 PM
Last edit: April 27, 2019, 10:45:16 PM by aliashraf
 #16

Quote
Quote
You need to:
1- generate a new address/wallet
2- announce the address to the other party
3- transfer funds from the original utxo to the new address
this method is not good at all because first of all it forces you to create an unnecessary on-chain transaction and pay fees, especially nowadays that fees are shooting up again.
secondly it is not reliable since it can be faked. you have no way of knowing whether the sending address or receiving address belongs to the person trying to prove ownership.
Proving ownership of an address is not a common enough practice to be worried about unnecessary on-chain transactions. It can't be faked, because before transferring funds you announce the address to the counterparty as your address, just like when you give your receiving address to other people: you don't need to prove that you own your receiving address because it is where the funds are supposed to go.

Quote
Quote
Note: Signing a message with your private key is not safe because you need to disclose the corresponding pubkey (of which your address is the RIPEMD-160 hash).
you don't exactly disclose your pubkey, not directly anyway. you only reveal your signature and your public key can be found from that. and more importantly you can NOT call it "not safe" because it is perfectly safe, as safe as millions of transactions that have been made so far. in other words just because some day ECDSA may be broken doesn't mean it is not safe today.
You eventually disclose your public key, and the counterparty has to check its RIPEMD-160 hash against the address you claim as your property. Once s/he approves your public key as being the real key behind the address, the information has leaked and it is not safe, as we will see.

As for your safety argument: You are absolutely wrong.
1- Historical transactions have been set in stone in the blockchain, and that is why they are safe, not because of the security of ECDSA.

2- ECDSA 256k1 becoming broken "some day" does not imply a magical invention that makes it a piece of cake for an average intruder to guess keys in a few seconds or minutes; it means progress in algorithms and hardware that primarily makes it feasible for a large processing power to do the job in polynomial time/space (for instance in weeks or months using a few exabytes of memory). Bitcoin could safely operate for a couple of months or a year after such progress because public keys are exposed to this attack in a very short window of time (the pending phase of the txn) that won't last more than a few minutes. But permanently leaked public keys/re-used addresses are exposed to the attack for months or years.

3- You know that re-using addresses in bitcoin is not recommended; I wonder what you think about it? Are you a fan of re-using addresses? Why not?
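The signed-message proof discussed in #15 and #16, as an added worked example that is not from this thread: the verifier picks a fresh nonce, the prover signs a message containing it in Bitcoin's signed-message format, and the verifier recovers the public key from the signature and checks that its RIPEMD-160(SHA-256) hash is the claimed address, so the key is disclosed to the verifier exactly as aliashraf says. It assumes a compressed-key P2PKH address, messages under 253 bytes and a hashlib build that provides RIPEMD-160; the nonce and message are constructed for the example.

```python
import base64
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication (demo quality, not constant-time)."""
    acc = None
    while k:
        acc = _add(acc, pt) if k & 1 else acc
        pt, k = _add(pt, pt), k >> 1
    return acc

def _sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def message_digest(msg):
    """Bitcoin signed-message digest: magic prefix, 1-byte varint length (msg < 253 bytes), msg; SHA-256d."""
    return int.from_bytes(_sha256d(b"\x18Bitcoin Signed Message:\n" + bytes([len(msg)]) + msg), "big")

def ripemd160_available():  # hashlib exposes RIPEMD-160 only when its OpenSSL build provides it
    try:
        return bool(hashlib.new("ripemd160"))
    except ValueError:
        return False

def pubkey_to_address(pub):
    """Compressed pubkey -> P2PKH address: base58check(0x00 || RIPEMD160(SHA256(pubkey)))."""
    sec = bytes([2 + (pub[1] & 1)]) + pub[0].to_bytes(32, "big")
    data = b"\x00" + hashlib.new("ripemd160", hashlib.sha256(sec).digest()).digest()
    num, out = int.from_bytes(data + _sha256d(data)[:4], "big"), ""  # append 4-byte checksum
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out  # each leading zero byte is a '1'

def sign_message(priv, msg):
    """Bitcoin-style recoverable signature: base64(header || r || s), header = 27 + recid + 4 (compressed)."""
    z = message_digest(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r, y = _mul(k, G)
        s = pow(k, -1, N) * (z + r * priv) % N
        if 0 < r < N and s:  # retry in the negligible cases that would break 1-bit recovery
            break
    sig = bytes([31 + (y & 1)]) + r.to_bytes(32, "big") + s.to_bytes(32, "big")
    return base64.b64encode(sig).decode()

def recover_pubkey(z, r, s, recid):
    """Q = r^-1 * (s*R - z*G), with R = (r, y) and the parity of y given by recid."""
    y = pow((r ** 3 + 7) % P, (P + 1) // 4, P)  # modular sqrt, valid because P ≡ 3 (mod 4)
    y = y if y & 1 == recid else P - y
    return _mul(pow(r, -1, N), _add(_mul(s, (r, y)), _mul(N - z % N, G)))

def verify_ownership(address, msg, sig_b64, nonce):
    """Verifier side: msg must carry the verifier's fresh nonce and the recovered key must hash to address."""
    if nonce.encode() not in msg:
        return False, "message does not contain the verifier's nonce"
    raw = base64.b64decode(sig_b64)
    r, s = int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:65], "big")
    if len(raw) != 65 or raw[0] not in (31, 32) or not (0 < r < N and 0 < s < N):
        return False, "malformed signature (demo accepts compressed keys with R.x < N only)"
    pub = recover_pubkey(message_digest(msg), r, s, raw[0] - 31)
    if pub is None or pubkey_to_address(pub) != address:
        return False, "recovered public key does not hash to the claimed address"
    return True, "ok"
```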
pooya87
April 28, 2019, 03:08:51 AM
 #17

Quote
PGP keys typically use much higher security levels (like 4096 bits) compared to bitcoin ECDSA 256k1, and that is why people are more relaxed about sharing their public keys.

being bigger does not always translate into being safer. in case of PGP most of them use RSA keys, and a 4096 bit RSA key offers nearly the same security as a 256 bit EC key (a 3072 bit RSA key has equal strength to the 256 bit key used in ECDSA, and 7680 is the same as 384).

Quote
As for your safety argument: You are absolutely wrong.
i think you are confusing my reply! i never suggested address-reuse and never said it is "as safe" to reuse them. all i said was that you can't say it is unsafe today just because it can be broken some day.
all your arguments here can be said about hashes too. RIPEMD160 and SHA256 are going to become obsolete some day as they will be broken, but you can't say it is unsafe to use them just because some day they will be broken. after all, that is how cryptography has always been working for literally thousands of years

nc50lc
April 28, 2019, 03:33:47 AM
 #18

Let's go back to the root of this long discussion: exposing the public key.

Okay, either of the two methods will indirectly expose the address' public key. By spending the UTXO, the user will have to provide a signature and public key in the scriptSig.
But as everyone mentioned, it's pretty safe as long as the user hasn't been reusing addresses.

The topic is getting derailed from "How to prove that an address belongs to you?" to ECDSA security.

To sum it up, since either is "fine", let's split the main question into:
1. How to prove to someone that a Bitcoin address belongs to you?
2. How to prove to someone that a UTXO belongs to you?

[1] Sign a message.
[2] Sign a message or spend the actual UTXO using coin control.

aliashraf
April 28, 2019, 03:54:12 AM
 #19

Quote
As for your safety argument: You are absolutely wrong.
i think you are confusing my reply! i never suggested address-reuse and never said it is "as safe" to reuse them. all i said was that you can't say it is unsafe today just because it can be broken some day.
all your arguments here can be said about hashes too. RIPEMD160 and SHA256 are going to become obsolete some day as they will be broken, but you can't say it is unsafe to use them just because some day they will be broken. after all, that is how cryptography has always been working for literally thousands of years
Neither RIPEMD-160 nor SHA256 is subject to such an attack. They are not analytical, and only a brute-force attack can be run by adversaries, which is not practical and will not be practical in the foreseeable future; hence, they are safe now.

It is not the case with ECDSA-256k1: both QC and conventional digital computers on the hardware side and algorithms on the software side are under development right now, and it is feasible to have this scheme broken in the near future; hence, it is not safe now.

Once you disclose the public key behind a utxo without spending it (and making it useless this way), you have given a large window of time (as long as you keep the utxo untouched) to an adversary equipped with enough resources and knowledge to break it, unlike what happens with an ordinary transaction, in which it is exposed to such an attack for just a few minutes.

Still, I think the line of reasoning you follow makes it pointless to denounce address re-use anyway: if you can't say re-using bitcoin addresses is not safe, why should you discourage such a practice? You think I can't call it "not safe", so it is safe according to you, isn't it? Or maybe it is somehow something between safe and unsafe, a shady status in security measures probably, both safe and not safe or neither safe nor not safe. What is it after all?
Jean_Luc
April 28, 2019, 06:05:38 AM
 #20

Quote
Neither RIPEMD-160 nor SHA256 is subject to such an attack. They are not analytical, and only a brute-force attack can be run by adversaries, which is not practical and will not be practical in the foreseeable future; hence, they are safe now.

Yes, SHA256 and RIPEMD160 algorithms are safe today, but even if they are not linked to large number arithmetic, there is no proof that they cannot be reversed or predicted in polynomial time and space. As for ECDSA, there is no proof that ECDLP cannot be solved. Today the security of ECDLP256 is ~128 bit and 160 bit for RIPEMD160. Both are not feasible today, but the probability that someone finds a way to solve ECDLP256 or to reverse hashing algorithms is not zero. It is not possible to predict which algorithm will be defeated first.
There is no objective reason to say that exposing an ECDSA public key for a long time is less safe than exposing an address.