is it possible to extract private keys from a signed transaction file ELECTRUM

[abhilodha]

im trying to offline signing a transaction from electrum.
when i take signed transaction file from offline pc to online pc for broadcasting. lets say online pc is compromised is it possible to extract by anyone private keys form the signed transaction file.?

[hatshepsut93]

No. A signed transaction is what you broadcast and what gets included in blocks, not only your online PC knows about it, but the whole network too. Private key cannot be extracted from signature, if this was the case, public key cryptography would be useless.

There is a flaw in ECDSA where using the same k value in the process of signing more than once would allow attackers to extract the private keys from resulting signatures, and this happened with some wallets in the early days, but there's no such vulnerability in Electrum that anyone is aware of.

You should be a bit worried about some airgap-jumping malware, but even this threat is more theoretical, because I can't recall any reports about coins being stolen from cold storage setup in this way. I prefer to scan the QR code of signed transaction and broadcast it from my tablet instead of transferring it to the online PC with USB sticks.

[BlackHatCoiner]

First things first, move this to “electrum”.

It is not possible to extract private keys from a signed transaction. A signed transaction is consisted of some fields;

• The version of the transaction data structure.
• The input count.
• The inputs.
• The output count.
• The outputs.
• And a locktime.

An example of a signed (testnet) transaction looks like this:

0200000000010246424e9ea69f0f68e24923f620cdcb7265ba5d8b6d8d42cbbff3f97047bf0e120 000000000fdffffff4d7cf1e1b72fe276f2886f2676b8e72a8a5c5dbe042615b349461647ed4155 e90000000000fdffffff01066c1d000000000016001412752d46dffcef2ae3c917c303c84b63ae3 e083d02473044022046cf098e3e9ae1de57f0da0e8a77615bf0c317646aa45ad92bc65f85bffff5 f6022047fb56c7f5e9e432261b6b435888defccbe69f5dd23c8ddbda52e979f589a05701210216c 2975cad38bc2a409afa5dd4a990c464c4ac3beac05e0157f1c7e2653b7a100247304402202f09b7 3fa21c545e5ab77433b0aa9392debb365cdf7f88d7bf890231fec2b46002204b42115c384582bca 11f834c41b4bdf6baf8172ef18e662235ac00d26449debb012103cf5d183b63d97e8691e948fe47 0454e825ee34164923b957d17539a9398670621b9a1e00


As I said, there is no private key, the fact that you provided a valid signature is enough to prove the ownership of the inputs. The whole system relies on that signature and that you don't have to provide any private keys in your signed transactions.

So no, even if the online PC is compromised, it is not possible to extract any private keys, neither change the amount or the destination, because that would make the signature invalid.

[o_e_l_e_o]

There is a flaw in ECDSA where using the same k value in the process of signing more than once would allow attackers to extract the private keys from resulting signatures, and this happened with some wallets in the early days, but there's no such vulnerability in Electrum that anyone is aware of.

I wouldn't really call it a flaw, rather, it is a necessary implication of the math involved. If someone knows all the other variables in the equation (r and s which they can get from the signature, the message hash being signed which they can get from the transaction data, and the k value which we are assuming they know since it has been reused), then obviously they can calculate the one remaining variable (the associated private key, in this case).

Regardless, Electrum uses the RFC 6979 standard, which deterministically generates k values by using the output of the HMAC-SHA256 of the concatenation of the private key and the message, so there is no risk of the k value being reused across different transactions.

[nc50lc]

-snip- lets say online pc is compromised is it possible to extract by anyone private keys form the signed transaction file.?

This is fully answered but I would like to add an example why this wont happen.

That signed transaction file contains the same data stored in your blockchain mempool and can even be queried using a blockexplorer using an address, TXID, etc.
So if it's possible to extract the private key from the signature, most transactions in the blockchain mempool should've been stolen by now.

[NotATether]

For the record, it's not even possible to extract private keys from raw unsigned transactions because they are not contained in there. This is why it is possible for anybody to create a raw transaction that spends bitcoins from anybody's address, but as long as the user does not possess the private keys for those addresses, the user will not be able to sign the transaction and cannot broadcast (i.e. spend) it either.

So if it's possible to extract the private key from the signature, every unspent transaction in the blockchain should've been stolen by now.

This is a little misleading as those stolen transactions could be stolen again by other people, and then again and again, making the Bitcoin network worthless in the process. It's not a "central party steals all the bitcoins for themselves" kind of thing.

[nc50lc]

-snip-

So if it's possible to extract the private key from the signature, every unspent transaction in the blockchain should've been stolen by now.

This is a little misleading as those stolen transactions could be stolen again by other people, and then again and again, making the Bitcoin network worthless in the process. It's not a "central party steals all the bitcoins for themselves" kind of thing.

"In the blockchain", I should've said "In the mempool", it'll make more sense.

Thanks for the mention.
The unedited post badly explained why Bitcoin wont work if his query is possible, but still a huge threat.