The smallest valid signature

Bitcoin Forum

May 05, 2024, 09:57:32 PM

Welcome, Guest. Please login or register.

News: Latest Bitcoin Core release: 27.0 [Torrent]

Home

Help

Bitcoin Forum > Bitcoin > Development & Technical Discussion > The smallest valid signature

Pages: [1]

« previous topic next topic »

Author

Topic: The smallest valid signature (Read 123 times)

vjudeu (OP)

Hero Member

Offline

Activity: 678
Merit: 1560

The smallest valid signature

November 29, 2021, 02:08:52 PM

Merited by BlackHatCoiner (1)

Because of a bug in SIGHASH_SINGLE, it is possible to precompute a signature for some unknown key, where:

z=0100000000000000000000000000000000000000000000000000000000000000
r=0000000000000000000000000000000000000000000000000000000000000001
s=0000000000000000000000000000000000000000000000000000000000000001

For those three values, it is possible to find some public key:

Q=032baf163f5e27261ab3228e61fb86dc98054abd514751fce93d7444e8fbc6a293

Then, our scriptSig is equal to 09300602010102010103. That's the smallest signature I can think of, because r=1 and s=1, so our scriptSig has only 10 bytes! This signature is valid and was confirmed in testnet transaction 3952b35bde53eb3f4871824f0b6b8c5ad25ca84ce83f04eb1c1d69b83ad6e448. The private key for such public key is unknown, but the signature is valid for SIGHASH_SINGLE. Is it possible to do the same for SIGHASH_ALL if we assume that setting any z-value is possible and that we can change our public key to any value?

█▀▀▀
█
█
█
█
█
█
█
█
█
█
█
█▄▄▄

▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄

▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄

▀▀▀█
█
█
█
█
█
█
█
█
█
█
█
▄▄▄█

▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
░▀▀██▀▀

1714946252

Hero Member

Offline

Posts: 1714946252

Ignore

1714946252

1714946252


	Report to moderator

1714946252

Hero Member

Offline

Posts: 1714946252

Ignore

1714946252


	Report to moderator

1714946252

Hero Member

Offline

Posts: 1714946252

Ignore

1714946252


	Report to moderator

"With e-currency based on cryptographic proof, without the need to trust a third party middleman, money can be secure and transactions effortless." -- Satoshi

Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.

1714946252

Hero Member

Offline

Posts: 1714946252

Ignore

1714946252


	Report to moderator

garlonicon

Hero Member

Offline

Activity: 803
Merit: 1932

Re: The smallest valid signature

November 29, 2021, 06:24:46 PM

Merited by BlackHatCoiner (4)

Quote

Is it possible to do the same for SIGHASH_ALL if we assume that setting any z-value is possible and that we can change our public key to any value?

It depends. If you have to sign your public key (or a hash of that key, or some previous transaction output where you have to know that key) then no. But if you can use any public key, then it is possible. I can imagine some weird script with constant signature and variable public key, something like "OP_OVER 300602010102010101 OP_EQUALVERIFY OP_CHECKSIG", then you can make a transaction, get your z-value and put your matching public key in such script.

Also note you can do such things in Bitcoin Message:

Code:

message="Hello World"
address="1psPJZYEJrjPtY6kw5Tqtj4mW2yXSSDuH"
signature="GwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE="

Here you have r=1 and s=1 in a signature for some arbitrary message. Of course both k and d are unknown, but it does not matter if you can use any public key.

Pages: [1]

Bitcoin Forum > Bitcoin > Development & Technical Discussion > The smallest valid signature

« previous topic next topic »

Jump to: