Bitcoin Forum
August 23, 2024, 02:18:21 AM *
Author Topic: Is Bitcoin Signature Messages still safe in 2024?  (Read 33 times)
AzizLeBG (OP)
August 22, 2024, 08:54:47 PM
 #1

Hi,

I'm currently in the transaction facilitation industry, and I was looking to fill an order of a buyer of mine. One of the prerequisites of the transaction is to ask for a Signature Message proving the other party owns their BTC Coins. Now, I have been surfing through multiple forums of people arguing over this topic. Some say it is 100% safe, if you don't sign using the same K Nonce, do it offline or do it on exchanges, some say there are risks involved. I find myself in between, trying to have a clear idea of this known process in the BTC ecosystem; it's just a really niche feature not really used a lot nowadays. It can be done on Blockchain.com, Ledger, Electrum and Bitcoin Core and some other exchanges.

Any ideas, information or arguments are appreciated.

Yours truly,

AzizLeBG
Charles-Tim
August 22, 2024, 08:59:20 PM
 #2

To prove that you are the owner of an address which is funded with bitcoin, yes, you can sign a message with the bitcoin address and include the date that you signed it. It is safe.

Quote from: AzizLeBG
It can be done on Blockchain.com, Ledger, Electrum and Bitcoin Core and some other exchanges.

When I was testing the blockchain.com wallet like a year ago, it could not be used to sign a message. Also, you cannot use an exchange account to sign a message. You need a noncustodial wallet for it, which has a seed phrase or private key. Only the person that has the private key of the address can sign a message with the address.

Orpichukwu
August 22, 2024, 09:08:28 PM
 #3

Quote from: AzizLeBG
I'm currently in the transaction facilitation industry, and I was looking to fill an order of a buyer of mine. One of the prerequisites of the transaction is to ask for a Signature Message proving the other party owns their BTC Coins. Now, I have been surfing through multiple forums of people arguing over this topic. Some say it is 100% safe, if you don't sign using the same K Nonce, do it offline or do it on exchanges, some say there are risks involved. I find myself in between, trying to have a clear idea of this known process in the BTC ecosystem; it's just a really niche feature not really used a lot nowadays. It can be done on Blockchain.com, Ledger, Electrum and Bitcoin Core and some other exchanges.

Signing messages is completely safe as long as you are using a safe route. If you make use of Electrum, Bitcoin Core, or any other noncustodial wallet that you have total control over, that has the option and is open source (other developers verifying the legitimacy of the wallet), it's safe. Just don't go and input your private key or phrase into any online places asking you for such information, all in the name of the person you want to sign the signature message.

Bitcoin Core, Electrum, and other wallets that you mentioned above are not the same thing as an exchange. It's not possible for you to sign a signature message using an exchange because they don't give you a private key; you can only do that using your wallet's private key, as that shows that you are the true owner of the said wallet.

hosseinimr93
August 22, 2024, 09:15:02 PM
 #4

Quote from: AzizLeBG
Some say it is 100% safe, if you don't sign using the same K Nonce, do it offline or do it on exchanges, some say there are risks involved.

No need to worry about the k value.
Wallets generate the k value deterministically and they never use the same k value for two transactions.

Also note that you can't sign a message on exchanges. You can sign a message on some non-custodial wallets.
I say "some non-custodial wallets" because not all of them support signing messages. For example, blockchain.com is a non-custodial wallet, but it doesn't allow you to sign a message.

pooya87
Today at 02:16:32 AM
 #5

Signing a message is pretty much like signing a transaction. The only difference is that the digest is computed by hashing the message string (after prepending a fixed value to the start of it) instead of the transaction. The hash algorithm, ECDSA and, subsequently, the ephemeral key (k) selection are all the same.

So if the software that is used for signing transactions (sending bitcoin) is secure, the result for message signing should be safe as well. Otherwise signing a transaction would also put you at risk of leaking your key.
And, like always, use popular open source software that is extensively reviewed and is bug free.
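
The digest construction and deterministic k discussed in posts #4 and #5, as an added example that is not part of any post in this thread: it builds the prefixed message digest in the format Bitcoin Core uses for signed messages and derives k with RFC 6979. RFC 6979 is one standard deterministic scheme (the thread does not name which scheme wallets use), and the private key and message are constructed throwaway values.

```python
import hashlib
import hmac

# Order of the secp256k1 group (public curve constant).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# Fixed prefix for signed messages; 0x18 is the length of the 24-byte string.
MAGIC = b"\x18Bitcoin Signed Message:\n"

def compact_size(n: int) -> bytes:
    """Bitcoin variable-length integer used as a length prefix."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")

def message_preimage(message: str) -> bytes:
    """Bytes that get hashed: fixed prefix, message length, message."""
    body = message.encode("utf-8")
    return MAGIC + compact_size(len(body)) + body

def message_digest(message: str) -> bytes:
    """Double SHA-256 of the preimage: the 32 bytes ECDSA actually signs."""
    return hashlib.sha256(hashlib.sha256(message_preimage(message)).digest()).digest()

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def rfc6979_k(priv: int, digest: bytes) -> int:
    """Deterministic ECDSA nonce (RFC 6979, HMAC-SHA256, secp256k1)."""
    x = priv.to_bytes(32, "big")
    h1 = (int.from_bytes(digest, "big") % N).to_bytes(32, "big")
    v, key = b"\x01" * 32, b"\x00" * 32
    for sep in (b"\x00", b"\x01"):          # RFC 6979 section 3.2, steps d-g
        key = _mac(key, v + sep + x + h1)
        v = _mac(key, v)
    while True:                             # step h: retry until k is in [1, N-1]
        v = _mac(key, v)
        k = int.from_bytes(v, "big")
        if 1 <= k < N:
            return k
        key = _mac(key, v + b"\x00")
        v = _mac(key, v)

if __name__ == "__main__":
    priv = 0x1  # constructed throwaway key, never use for funds
    for msg in ("I control this address, 2024-08-22", "I control this address, 2024-08-23"):
        print(msg, message_digest(msg).hex(), hex(rfc6979_k(priv, message_digest(msg))))
```

Because k is a function of the private key and the digest, two different messages get different k values, while re-signing the same message reproduces the same k and therefore the same signature.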
