Bitcoin Forum
December 13, 2024, 10:33:15 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Are Bitcoin Signature Messages still safe in 2024?  (Read 187 times)
AzizLeBG (OP)
Newbie
*
Offline Offline

Activity: 7
Merit: 0


View Profile
August 22, 2024, 08:54:47 PM
Last edit: August 23, 2024, 04:26:01 AM by AzizLeBG
 #1

Hi,

I'm currently in the transaction facilitation industry, and I was looking to fill an order of a buyer of mine. One of the prerequisites of the transaction is to ask for a Signature Message proving the other party owns their BTC Coins. Now, I have been surfing threw multiples forums of people arguing over this topic. Some say it is 100% safe, if you don't sign using the same K Nonce, do it offline or do it on exchanges, some say there are risks involved.  I find myself in between trying to have a clear idea of this known process in the BTC ecosystem, it's just a really niche feature not really used a lot nowadays. It can be done on Blockchain.com, Ledger, Electrum and Bitcoin Core and some other exchanges.

Any ideas, informations or arguments are appreciated.

Yours truely,

AzizLeBG
Charles-Tim
Legendary
*
Offline Offline

Activity: 1764
Merit: 5257


Leading Crypto Sports Betting & Casino Platform


View Profile
August 22, 2024, 08:59:20 PM
 #2

To prove that you are the owner of an address and which is funded with bitcoin. Yes you can sign a message with the bitcoin address and include the date that you signed it. It is safe.

It can be done on Blockchain.com, Ledger, Electrum and Bitcoin Core and some other exchanges.
When I was testing blockchain.com walle like a years ago, it can not be used to sign a message. Also you can not use an exchange account to sign a message. You need a noncustodial wallet for it which has seed phrase or private key. Only the person that has the private key of the address can sign a message with the address.

..Stake.com..   ▄████████████████████████████████████▄
   ██ ▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄ ██  ▄████▄
   ██ ▀▀▀▀▀▀▀▀▀▀ ██████████ ▀▀▀▀▀▀▀▀▀▀ ██  ██████
   ██ ██████████ ██      ██ ██████████ ██   ▀██▀
   ██ ██      ██ ██████  ██ ██      ██ ██    ██
   ██ ██████  ██ █████  ███ ██████  ██ ████▄ ██
   ██ █████  ███ ████  ████ █████  ███ ████████
   ██ ████  ████ ██████████ ████  ████ ████▀
   ██ ██████████ ▄▄▄▄▄▄▄▄▄▄ ██████████ ██
   ██            ▀▀▀▀▀▀▀▀▀▀            ██ 
   ▀█████████▀ ▄████████████▄ ▀█████████▀
  ▄▄▄▄▄▄▄▄▄▄▄▄███  ██  ██  ███▄▄▄▄▄▄▄▄▄▄▄▄
 ██████████████████████████████████████████
▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
█  ▄▀▄             █▀▀█▀▄▄
█  █▀█             █  ▐  ▐▌
█       ▄██▄       █  ▌  █
█     ▄██████▄     █  ▌ ▐▌
█    ██████████    █ ▐  █
█   ▐██████████▌   █ ▐ ▐▌
█    ▀▀██████▀▀    █ ▌ █
█     ▄▄▄██▄▄▄     █ ▌▐▌
█                  █▐ █
█                  █▐▐▌
█                  █▐█
▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█
▄▄█████████▄▄
▄██▀▀▀▀█████▀▀▀▀██▄
▄█▀       ▐█▌       ▀█▄
██         ▐█▌         ██
████▄     ▄█████▄     ▄████
████████▄███████████▄████████
███▀    █████████████    ▀███
██       ███████████       ██
▀█▄       █████████       ▄█▀
▀█▄    ▄██▀▀▀▀▀▀▀██▄  ▄▄▄█▀
▀███████         ███████▀
▀█████▄       ▄█████▀
▀▀▀███▄▄▄███▀▀▀
..PLAY NOW..
Orpichukwu
Sr. Member
****
Online Online

Activity: 700
Merit: 406



View Profile
August 22, 2024, 09:08:28 PM
 #3

I'm currently in the transaction facilitation industry, and I was looking to fill an order of a buyer of mine. One of the prerequisites of the transaction is to ask for a Signature Message proving the other party owns their BTC Coins. Now, I have been surfing through multiples forums of people arguing over this topic. Some say it is 100% safe, if you don't sign using the same K Nonce, do it offline or do it on exchanges, some say there are risks involved.  I find myself in between trying to have a clear idea of this known process in the BTC ecosystem, it's just a really niche feature not really used a lot nowadays. It can be done on Blockchain.com, Ledger, Electrum and Bitcoin Core and some other exchanges.
Signing messages is completely safe as long as you are using a safe route. If you make use of an electrum, a Bitcoin core, or any other noncustodial wallet that you have total control over that has the option and is open source (other developers verifying the legitimacy of the wallet) it's safe. Just don't go and input your private key or phrase into any online places asking you for such information, all in the name of the person the person you want to sign the signature message.
 
Bitcoin core, electrum, and other wallets that you mentioned above are not the same thing as exchange. It's not possible for you to sign in a signature message using exchange because they don't give you a private key; you can only do that using your wallet's private key, as that shows that you are the true owner of the said wallet.

.
Duelbits
▄▄█▄▄░░▄▄█▄▄░░▄▄█▄▄
███░░░░███░░░░███
░░░░░░░░░░░░░
░░░░░░░░░░░░
▀██████████
░░░░░███░░░░
░░░░░███▄█░░░
░░██▌░░███░▀░░██▌
█░██░░███░░░██
█▀▀▀█▌░███░░█▀▀▀█▌
▄█▄░░░██▄███▄█▄░░▄██▄
▄███▄
░░░░▀██▄▀
.
REGIONAL
SPONSOR
███▀██▀███▀█▀▀▀▀██▀▀▀██
██░▀░██░█░███░▀██░███▄█
█▄███▄██▄████▄████▄▄▄██
██▀ ▀███▀▀░▀██▀▀▀██████
███▄███░▄▀██████▀█▀█▀▀█
████▀▀██▄▀█████▄█▀███▄█
███▄▄▄████████▄█▄▀█████
███▀▀▀████████████▄▀███
███▄░▄█▀▀▀██████▀▀▀▄███
███████▄██▄▌████▀▀█████
▀██▄█████▄█▄▄▄██▄████▀
▀▀██████████▄▄███▀▀
▀▀▀▀█▀▀▀▀
.
EUROPEAN
BETTING
PARTNER
hosseinimr93
Legendary
*
Offline Offline

Activity: 2618
Merit: 5741



View Profile
August 22, 2024, 09:15:02 PM
 #4

Some say it is 100% safe, if you don't sign using the same K Nonce, do it offline or do it on exchanges, some say there are risks involved.
No need to worry about the K value.
Wallets generate the k value deterministically and they never use the same K value for two transactions.

Also note that you can't sign message on exchanges. You can sign message on some non-custodial wallets.
I say "some noncustodial wallets", because not all of them support signing message. For example, blockchain.com is a non-custodial wallet, but it doesn't allow you to sign a message.

▄▄███████▄▄
▄██████████████▄
▄██████████████████▄
▄████▀▀▀▀███▀▀▀▀█████▄
▄█████████████▄█▀████▄
███████████▄███████████
██████████▄█▀███████████
██████████▀████████████
▀█████▄█▀█████████████▀
▀████▄▄▄▄███▄▄▄▄████▀
▀██████████████████▀
▀███████████████▀
▀▀███████▀▀
.
 MΞTAWIN  THE FIRST WEB3 CASINO   
.
.. PLAY NOW ..
pooya87
Legendary
*
Offline Offline

Activity: 3668
Merit: 11107


Crypto Swap Exchange


View Profile
August 23, 2024, 02:16:32 AM
Merited by hosseinimr93 (2)
 #5

Signing a message is pretty much like signing a transaction. The only difference is that the digest is computed by hashing the message string (after prepending a fixed value to the start of it) instead of the transaction. Hash algorithm and ECDSA and subsequently the ephemeral key (k) selection are all the same.

So if the software that is used for signing transactions (sending bitcoin) is secure, the result for message signing should be safe as well. Otherwise singing a transaction would also put you at risk of leaking your key.
And like always use popular open source software that is extensively reviewed and is bug free.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
AzizLeBG (OP)
Newbie
*
Offline Offline

Activity: 7
Merit: 0


View Profile
August 23, 2024, 02:37:07 AM
 #6

Signing a message is pretty much like signing a transaction. The only difference is that the digest is computed by hashing the message string (after prepending a fixed value to the start of it) instead of the transaction. Hash algorithm and ECDSA and subsequently the ephemeral key (k) selection are all the same.

So if the software that is used for signing transactions (sending bitcoin) is secure, the result for message signing should be safe as well. Otherwise singing a transaction would also put you at risk of leaking your key.
And like always use popular open source software that is extensively reviewed and is bug free.

So Electrum is my best option in this case? It has a built in feature and is a pretty old and known wallet. Also, as always in a safe environment.
ranochigo
Legendary
*
Offline Offline

Activity: 3052
Merit: 4443


Crypto Swap Exchange


View Profile
August 23, 2024, 02:50:22 AM
Merited by pooya87 (2), hosseinimr93 (2), ABCbits (1)
 #7

So Electrum is my best option in this case? It has a built in feature and is a pretty old and known wallet. Also, as always in a safe environment.
Electrum or Bitcoin Core are probably two of the most well known and developed wallet. If you're sure that you can operate your wallet in an environment that is safe and secure, there shouldn't be any problems whatsoever that concerns security.

Your idea for signing message should primarily be proving the ownership of the address. Signing a message will prove that they are in ownership of the address and whatever amount of Bitcoins associated with that address at that point in time. You should be clear about the message and the context, specifically taking note of the purpose and the timestamp within the signed message.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
AzizLeBG (OP)
Newbie
*
Offline Offline

Activity: 7
Merit: 0


View Profile
August 23, 2024, 03:19:05 AM
 #8

So Electrum is my best option in this case? It has a built in feature and is a pretty old and known wallet. Also, as always in a safe environment.
Electrum or Bitcoin Core are probably two of the most well known and developed wallet. If you're sure that you can operate your wallet in an environment that is safe and secure, there shouldn't be any problems whatsoever that concerns security.

Your idea for signing message should primarily be proving the ownership of the address. Signing a message will prove that they are in ownership of the address and whatever amount of Bitcoins associated with that address at that point in time. You should be clear about the message and the context, specifically taking note of the purpose and the timestamp within the signed message.

I appreciate your thoughts, What should be an ideal message example? Something like this maybe? Do take into consideration that I'm the one to request it and verify it. Nobody else involded.
 
Message: "Bitcoin Signature for Proof of funds "
Signature: H5g/Jc...<...>...P6Ty5=
Timestamp: 2024-08-22 15:00:00

As for the verification part, since I'm acting as third party verification, Verifying should not be of any trouble as well? Still doable on Electrum. In this part, I would need an address, a signature and the exact message. The valid signature pop up should clear any concerns regarding ownership?


ranochigo
Legendary
*
Offline Offline

Activity: 3052
Merit: 4443


Crypto Swap Exchange


View Profile
August 23, 2024, 03:23:49 AM
Merited by pooya87 (2), ABCbits (2)
 #9

I appreciate your thoughts, What should be an ideal message example? Something like this maybe? Do take into consideration that I'm the one to request it and verify it. Nobody else involded.
 
Message: "Bitcoin Signature for Proof of funds "
Signature: H5g/Jc...<...>...P6Ty5=
Timestamp: 2024-08-22 15:00:00
Not exactly sure what's the intent and the purpose of your message and I'd go with what I would request to be signed typically. The message would typically be:

"This Bitcoin Message is signed on 2024-08-22 at 1500 Hours UTC+1. This message proves that I, AzizLeBG is in control of the funds and the address as of this time to facilitate the transaction between XX and XX on 2024-08-23."

You should be clear on the purpose of the message, and the timestamp to ensure that no one else would be able to reuse your signed message for other purposes. Bitcoin Signature for Proof of Funds is way too generic and can easily be reused.
As for the verification part, since I'm acting as third party verification, Verifying should not be of any trouble as well? Still doable on Electrum. In this part, I would need an address, a signature and the exact message. The valid signature pop up should clear any concerns regarding ownership.
No, but you should understand that having a signed message doesn't necessarily mean that they would send you the funds in the future. ie. I can borrow 2BTC from someone else, sign the message and send them back. This doesn't guarantee that they would commit to the transaction.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
nc50lc
Legendary
*
Offline Offline

Activity: 2632
Merit: 6512


Self-proclaimed Genius


View Profile
August 23, 2024, 03:38:45 AM
 #10

So Electrum is my best option in this case? It has a built in feature and is a pretty old and known wallet. Also, as always in a safe environment.
Electrum would be your best option because it has its famous implementation of message signing with SegWit addresses that's compatible with other clients
whilst other famous clients like Bitcoin Core still haven't set a standard aside from legacy address.
It will fail to sign and verify message signed with P2SH or native SegWit.

There are other similar clients to Electrum like Sparrow but those aren't as old as Electrum if being old is a criteria.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
AzizLeBG (OP)
Newbie
*
Offline Offline

Activity: 7
Merit: 0


View Profile
August 23, 2024, 03:39:49 AM
 #11

Not exactly sure what's the intent and the purpose of your message and I'd go with what I would request to be signed typically. The message would typically be:

"This Bitcoin Message is signed on 2024-08-22 at 1500 Hours UTC+1. This message proves that I, AzizLeBG is in control of the funds and the address as of this time to facilitate the transaction between XX and XX on 2024-08-23."

You should be clear on the purpose of the message, and the timestamp to ensure that no one else would be able to reuse your signed message for other purposes. Bitcoin Signature for Proof of Funds is way too generic and can easily be reused.
As for the verification part, since I'm acting as third party verification, Verifying should not be of any trouble as well? Still doable on Electrum. In this part, I would need an address, a signature and the exact message. The valid signature pop up should clear any concerns regarding ownership.
No, but you should understand that having a signed message doesn't necessarily mean that they would send you the funds in the future. ie. I can borrow 2BTC from someone else, sign the message and send them back. This doesn't guarantee that they would commit to the transaction.
[/quote]

Perfect, thank you all! I learned a lot. This sure is the higher leagues! But yea, Commitment can never be guaranteed.
hd49728
Legendary
*
Offline Offline

Activity: 2310
Merit: 1139



View Profile
August 23, 2024, 04:11:05 AM
 #12

So Electrum is my best option in this case? It has a built in feature and is a pretty old and known wallet. Also, as always in a safe environment.
Electrum and Bitcoin Core are good wallets, non custodial, open source and there are other wallet softwares that are good too.

If you are unsure, you can check wallets with
https://walletscrutiny.com/ check whether a wallet is open source (reproducible or not).
https://bitcoin.org/en/choose-your-wallet choose wallets for your needs.

Any wallet software you want to download and use, verify what you download.

[Guide] Verify and download Electrum wallet
The paranoid user's security guide for using Electrum safely.

Bitcoin Core wallet has guides to verify your download too.

If you want a safe environment, try to use Linux, not Windows.

▄▄███████████████████▄▄
▄███████████████████████▄
████████▀░░░░░░░▀████████
███████░░░░░░░░░░░███████
███████░░░░░░░░░░░███████
██████▀░░░░░░░░░░░▀██████
██████▄░░░░░▄███▄░▄██████
██████████▀▀█████████████
████▀▄██▀░░░░▀▀▀░▀██▄▀███
███░░▀░░░░░░░░░░░░░▀░░███
████▄▄░░░░▄███▄░░░░▄▄████
▀███████████████████████▀
▀▀███████████████████▀▀
 
 CHIPS.GG 
▄▄███████▄▄
▄████▀▀▀▀▀▀▀████▄
███▀░▄░▀▀▀▀▀░▄░▀███
▄███
░▄▀░░░░░░░░░▀▄░███▄
▄███░▄░░░▄█████▄░░░▄░███▄
███░▄▀░░░███████░░░▀▄░███
███░█░░░▀▀▀▀▀░░░▀░░░█░███
███░▀▄░▄▀░▄██▄▄░▀▄░▄▀░██
▀███
░▀░▀▄██▀░▀██▄▀░▀░██▀
▀███
░▀▄░░░░░░░░░▄▀░██▀
▀███▄
░▀░▄▄▄▄▄░▀░▄███▀
▀█
███▄▄▄▄▄▄▄████▀
█████████████████████████
▄▄███████▄▄
███
████████████▄
▄█▀▀▀▄
█████████▄▀▀▀█▄
▄██████▀▄▄▄▄▄▀██████▄
▄█████████████▄████████▄
████████▄███████▄████████
█████▄█████████▄██████
██▄▄▀▀▀▀█████▀▀▀▀▄▄██
▀█████████▀▀███████████▀
▀███████████████████▀
██████████████████
▀████▄███▄▄
████▀
████████████████████████
3000+
UNIQUE
GAMES
|
12+
CURRENCIES
ACCEPTED
|
VIP
REWARD
PROGRAM
 
 
  Play Now  
odolvlobo
Legendary
*
Offline Offline

Activity: 4522
Merit: 3426



View Profile
August 23, 2024, 04:59:16 AM
Merited by ABCbits (1)
 #13

Not exactly sure what's the intent and the purpose of your message and I'd go with what I would request to be signed typically. The message would typically be:

"This Bitcoin Message is signed on 2024-08-22 at 1500 Hours UTC+1. This message proves that I, AzizLeBG is in control of the funds and the address as of this time to facilitate the transaction between XX and XX on 2024-08-23."

In other words, the message should be very specific so that it can't be used for some other purpose or by someone else. If you are asking someone to provide a signed message, it is a good practice to require them to include specific text provided by you that is unique to the current transaction. That prevents the signer from reusing a signature. The signer should be allowed to include text of their choice for the same reason.

Also, it is a common mistake to believe that a signature proves that a statement is true or accurate. Anyone can sign a statement claiming to be Satoshi with the date 2009-01-03.

Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
LoyceV
Legendary
*
Offline Offline

Activity: 3528
Merit: 17821


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
August 23, 2024, 06:21:01 AM
 #14

I'm currently in the transaction facilitation industry
Well, based on your posts: you shouldn't be. You'll either get scammed, or you'll scam someone else.

Quote
I was looking to fill an order of a buyer of mine.
Who is this "buyer" who trusts someone who uses chatbot diarrhoea to pretend he knows what he's talking about?

Quote
I have been surfing threw multiples forums of people arguing over this topic.
Which forums? Please share the links!

Quote
do it on exchanges
~
It can be done on ~ some other exchanges.
You have no idea what you're talking about. Normally, that's okay when asking questions on the tech board, but in this case, I think you're the wrong guy for the job. If there is such a thing.



One of the prerequisites of the transaction is to ask for a Signature Message proving the other party owns their BTC Coins.
So Electrum is my best option in this case?
Are you the one signing or verifying the message?

▄▄███████████████████▄▄
▄█████████▀█████████████▄
███████████▄▐▀▄██████████
███████▀▀███████▀▀███████
██████▀███▄▄████████████
█████████▐█████████▐█████
█████████▐█████████▐█████
██████████▀███▀███▄██████
████████████████▄▄███████
███████████▄▄▄███████████
█████████████████████████
▀█████▄▄████████████████▀
▀▀███████████████████▀▀
Peach
BTC bitcoin
Buy and Sell
Bitcoin P2P
.
.
▄▄███████▄▄
▄████████
██████▄
▄██
█████████████████▄
▄███████
██████████████▄
███████████████████████
█████████████████████████
████████████████████████
█████████████████████████
▀███████████████████████▀
▀█████████████████████▀
▀██████████████████▀
▀███████████████▀
▀▀███████▀▀

▀▀▀▀███▀▀▀▀
EUROPE | AFRICA
LATIN AMERICA
▄▀▀▀











▀▄▄▄


███████▄█
███████▀
██▄▄▄▄▄░▄▄▄▄▄
████████████▀
▐███████████▌
▐███████████▌
████████████▄
██████████████
███▀███▀▀███▀
.
Download on the
App Store
▀▀▀▄











▄▄▄▀
▄▀▀▀











▀▄▄▄


▄██▄
██████▄
█████████▄
████████████▄
███████████████
████████████▀
█████████▀
██████▀
▀██▀
.
GET IT ON
Google Play
▀▀▀▄











▄▄▄▀
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!