Bitcoin Forum
Author Topic: Core and spam debate - easy explanation  (Read 1221 times)
DaveF
Legendary
Activity: 4158
Merit: 7194
March 20, 2026, 06:58:32 PM
 #81

Quote
Because they don't intend to send bitcoin, they only intend to post data on chain and abuse the 90,000 nodes into hosting their crap spam data for the rest of eternity.
And how do you want to know, if a given P2PK is spendable or not? Yet another example: https://mempool.space/testnet4/address/0214368623b6bab515c1f9218381e37ff7ae8dac54132bc7f2072dc55fa55db6c7

Here, you have just a regular P2PK, which is a fake public key, where only Satoshi could know the private key to that (because his public key is used as R-value).

Which means, that if you try to block "OP_SWAP OP_CHECKSIG", then similar things can be done with just regular P2PKs. What then?

You are clearly clueless. You still think you can use a fake private key to sign a message.

Guy,

Where did he ever mention signing a message?

Oh, wait he did not. He just pointed out that what you want to do will not work and even with your censoring luke coin you can still put just about anything in the blockchain you want.

I'm starting to think you are really just a nocoiner troll since no matter what when someone proves "A" you come back and respond "B"

-Dave

 
PepeLapiu (OP)
Member
Activity: 335
Merit: 87
March 20, 2026, 08:11:42 PM
Last edit: March 20, 2026, 08:43:09 PM by PepeLapiu
Merited by ertil (1)
 #82

Quote
Because they don't intend to send bitcoin, they only intend to post data on chain and abuse the 90,000 nodes into hosting their crap spam data for the rest of eternity.
And how do you want to know, if a given P2PK is spendable or not? Yet another example: https://mempool.space/testnet4/address/0214368623b6bab515c1f9218381e37ff7ae8dac54132bc7f2072dc55fa55db6c7

Here, you have just a regular P2PK, which is a fake public key, where only Satoshi could know the private key to that (because his public key is used as R-value).

Which means, that if you try to block "OP_SWAP OP_CHECKSIG", then similar things can be done with just regular P2PKs. What then?

You are clearly clueless. You still think you can use a fake private key to sign a message.

Guy,

Where did he ever mention signing a message?

I don't remember where exactly ertil tried to explain how you can sign a message to a fake pubkey. Which is impossible. He claimed you can use a fake private key, or something to that effect.

Bitcoin is not a dickbutt jpeg repository.
Join the fight against turning bitcoin into spamware.
BitcoinKnotsForum.com
ertil
Full Member
Activity: 145
Merit: 301
March 21, 2026, 04:16:42 AM
 #83

Quote
how you can sign a message to a fake pubkey. Which is impossible.
So, why my examples are confirmed in transactions?

In general, you assume, that knowing the private key is required in all cases. It is not. And by analyzing these examples, you can see, why.

In case of public key recovery, all computations are based on public keys. And because of that, you can use any public key you want, as your starting point, and then compute some fake public key out of it. And then, you don't have to care about this fake public key alone, because you can just push all data inside the signature, and then the public key can be set to whatever makes all of that valid.

Which also means, that if you force users to provide a single signature, then spammers won't have to start from some private key, and make it classically. They could start from any public key instead, and prepare something, which will pass your verification, while being unspendable later, in a different context.
PepeLapiu (OP)
Member
Activity: 335
Merit: 87
March 21, 2026, 05:53:08 AM
Last edit: March 24, 2026, 05:12:02 AM by PepeLapiu
Merited by ertil (1)
 #84

Quote
how you can sign a message to a fake pubkey. Which is impossible.
So, why my examples are confirmed in transactions?

In general, you assume, that knowing the private key is required in all cases. It is not. And by analyzing these examples, you can see, why.

That is not what I said. I said that if you can sign a message to a pubkey, that pubkey is provably spendable and not a fake pubkey. And you went on to pretend some stupid scheme about signing a message to a fake pubkey.

If you can sign a message to a pubkey, that pubkey can not be fake as you have proven you have the matching private key.

But you went on to try to explain you can sign a message to a fake pubkey. That is bullshit, you can't, or it would not be a fake pubkey.




DaveF
Legendary
Activity: 4158
Merit: 7194
March 21, 2026, 01:35:15 PM
 #85

.... You are an idiot, or you think I'm an idiot.

No, we all *know* you are an idiot nocoiner cult member.
You keep changing the rules of what you want people to answer.

None of the filters that luke censorcoin have out there will even slow down *what you think is* spam for more than a couple of hours perhaps a day or two.
Then it's all back to the same level.

There are several ways people posted already on how it's not going to work with proven examples.

And you are going to wind up causing issues for legitimate users when the .



You then use the argument that poor people in 3rd world countries can't run nodes. But in truth, for the most part they don't want to nor should they.
That is why lightweight SPV wallets exist. See the whitepaper section 8. Yes if you are running a business then run your own node(s) for people spending BTC on a day to day basis. It's not practical. You need reliable power (can't have the PC losing power could take hours to rebuild / rescan the blockchain). You need reliable internet. And if you don't have money for even a 10+ year old donated PC to run BTC you are probably more interested in getting food on the table than crypto.

Putting all that aside. You even have good decent somewhat new hardware taking a shit now and then. [Dave raises hand, yup that happens]
https://bitcointalk.org/index.php?topic=5364113.msg66525215#msg66525215
For a tech person with resources it's not a big deal, for one of these alleged people in a poor country it's a disaster.
But, if they were using a SPV wallet they don't even care they just connect to another node.

-Dave

 
CoreRulezKnotsAreFulez
Newbie
Activity: 1
Merit: 0
March 21, 2026, 04:31:45 PM
 #86

Pepe is just so upset because his momma so fat that her picture can't fit in the blockchain.

Hey Pepe, you say you are in El Salvador. But your links to places where you trade are still showing Canada. So where are you? Are you lying about where you are. Perhaps you should update that.

Your phone & contact also show Canada and linked to . You know that if you are no longer living in Canada you should get rid of that Telus number and get a local one.

Don't worry, I will take care of letting all those places know this week that you are not where you say you are.


Dogedegen
Full Member
Activity: 336
Merit: 195
March 21, 2026, 05:55:16 PM
Merited by DaveF (3), ABCbits (1), ertil (1)
 #87

Quote
Did I get this right ertil at least the general points?
Yes, it was done many times before.
I don't think that many people that are currently posting in this forum have seen this at all. I didn't either, you are the first person who demonstrated it to me.

Quote
Maybe you can tell us more about the forging part and methods because I find that the hardest to understand from this.
If you understand how secp256k1 works, then it is quite easy thing to do.
Unfortunately, I think aside from a few users like you most of us do not have enough understanding of such concepts.

Code:
message="It is hard to stop fake public keys, because of pubkey recovery."
hex=4974206973206861726420746f2073746f702066616b65207075626c6963206b6579732c2062656361757365206f66207075626b6579207265636f766572792e
r=hex1=4974206973206861726420746f2073746f702066616b65207075626c6963206b
s=hex2=6579732c2062656361757365206f66207075626b6579207265636f766572792e
R=024974206973206861726420746F2073746F702066616B65207075626C6963206B
der_signature=304402204974206973206861726420746f2073746f702066616b65207075626c6963206b02206579732c2062656361757365206f66207075626b6579207265636f766572792e01
I guess this part is easy to understand: you have some data, so you can make a valid signature out of it. As you can see, it is all about putting your ASCII data as r-value, and s-value.

And then comes the transaction: https://mempool.space/signet/tx/7cf7a21e3e2b6e7381bf6438e1a76b3c239f896e48ba8500c83f187a4c42598c
Yes that is the main problem to understand. Public key recovery as a concept is quite easy, but how one can make a valid signature without a private key is the issue. I think a less technical explanation would do better for most users here. You just go ahead here and say you have some data? But where do you get that data? How do you make a valid signature from this data? I mean it is clear that it is possible, we can verify here that it is possible and generally most can nod and understand yeah you make a valid signature but the details is where it gets difficult.

You are clearly clueless. You still think you can use a fake private key to sign a message.
There is no private key involved here. Are you reading all the replies that are given to you?

None of the filters that luke censorcoin have out there will even slow down *what you think is* spam for more than a couple of hours perhaps a day or two.
Then it's all back to the same level.

There are several ways people posted already on how it's not going to work with proven examples.

And you are going to wind up causing issues for legitimate users when the .
It is interesting to see how people behave with these things. If we assume that he is not a paid agent, then one must be deeply delusional about certain aspects of life that they would spill into this topic too. Maybe it relates to the difficulties of accepting that many things in life we personally can't solve or that they can't be solved at all. It is not like the Core side or users in general do not want a solution to this, there is no reason to assign malice or anything when considering this topic as a normal user even if he is dissatisfied with the situation. What is obvious to conclude is that any proposed solutions so far would make everything much worse, and that we already have the best half solution or maybe we can call it pseudo solution like we do with pseudo anonymity and that is with OP_RETURN.
DaveF
Legendary
Activity: 4158
Merit: 7194
March 21, 2026, 06:37:33 PM
Merited by Dogedegen (1)
 #88

....
It is interesting to see how people behave with these things. If we assume that he is not a paid agent, then one must be deeply delusional about certain aspects of life that they would spill into this topic too. Maybe it relates to the difficulties of accepting that many things in life we personally can't solve or that they can't be solved at all. It is not like the Core side or users in general do not want a solution to this, there is no reason to assign malice or anything when considering this topic as a normal user even if he is dissatisfied with the situation. What is obvious to conclude is that any proposed solutions so far would make everything much worse, and that we already have the best half solution or maybe we can call it pseudo solution like we do with pseudo anonymity and that is with OP_RETURN.

Why can't it be all things?

He could be a paid agent while still believing every thing he posts while at the same time not being able to or caring to understand that what he is posting will at best not work and at worst make things a lot worse.

None of these things exclude the other ones.

Pepe is just so upset because his momma so fat that her picture can't fit in the blockchain.
....

Your momma so fat her cereal bowl is so big it has the warning "Danger, no life guard on duty"

Seriously, we don't need to go to attacks like this. Could be fun to have a dedicated thread in one of the off topic boards. But not here.

-Dave


 
PepeLapiu (OP)
Member
Activity: 335
Merit: 87
March 22, 2026, 01:11:41 AM
Last edit: March 23, 2026, 02:57:03 PM by PepeLapiu
 #89

No, we all *know* you are an idiot nocoiner cult member.

You got me there. I get by on my looks alone.

Quote
None of the filters that luke censorcoin have out there will even slow down *what you think is* spam for more than a couple of hours perhaps a day or two.
Then it's all back to the same level.

Well, if you don't even acknowledge that there is spam, then you don't think there is a spam problem, and I'm wasting my time discussing it with you.

You hold this view that fighting against spam is a futile endeavor and that spammers are smarter than all of us. This is false. The fact is that if we get more permissive to spam, more spam will be the result. And if we get more hostile to spam, less spam will be the result.

Vitalik Buterin famously said "I did not want to build on a base protocol whose dev team would be at war with me."

Clearly, he understood that building his "use cases" on a platform that would be hostile to his "use cases" would not be productive.

You keep picturing the fight against spam as a futile game of cat and mouse, or game of whack-a-mole.

But you conveniently omit to explain what happens if you remove all the cats from the barn, and if you stop whacking the mole. While mice will always find a way into the barn, you fail to recognize that barns with cats have fewer mice than barns without cats.

Quote
There are several ways people posted already on how it's not going to work with proven examples.

None of them are reflective of real world examples. I'll tell you what. While child porn is illegal most everywhere, gay porn is legal most everywhere, albeit still repulsive and objectionable to most everyone.

So I dare you to try and post an actual gay porn .jpeg or gay porn .tiff by using the same methods as those who did the crying Luke .tiff

You are soon going to find out it's not as easy as you think. Unless you use the op_if in Taproot exploit ignored by core, or the op_return exploit created by core 30.

Quote
And you are going to wind up causing issues for legitimate users when the .

You hold the ridiculous view that fighting spam is somehow completely ineffective at stopping spam, but also absolutely effective at preventing legitimate users.

Luckily, BIP110 is a temporary measure, it lasts only a year. So if we see that there is no reduction of spam, and if we see that genuine bitcoiners are getting problems, we can resume as normal, or change BIP110, or find better methods of fighting spam.

This is a far better approach and far more sensible than the Taproot upgrade with its "speedy trial" bullshit that solved nothing and failed to fix any problems that showed up later on.

Quote
You then use the argument that poor people in 3rd world countries can't run nodes. But in truth, for the most part they don't want to nor should they.

That is not my argument at all. The majority of the world population make less than $2 per day. It would not be reasonable to ask them to run a node.
But the more difficult you make it to run a node, the fewer people will be incentivized to run a node.

If we raise the bar from 1TB drive and 8GB memory to 2TB drive and 16GB memory, far fewer people will be able to run a node. And if you fill the chain with spam, and potentially illicit files, even fewer people will be able or willing to run a node.

Quote
For a tech person with resources it's not a big deal, for one of these alleged people in a poor country it's a disaster.

If only "a tech person with resources" is able to run a node, bitcoin will lose its decentralized property. Now, you are a shitcoiner, you don't even have a definition of spam other than "transactions knotzies don't like". So I'm not expecting you to understand this.

Spammers will no longer be tolerated. And while neither Knots filters nor BIP110 nor The Cat can eliminate all spam, they all signal to spammers that we will no longer tolerate them and act with extreme prejudice against spam.

ertil
Full Member
Activity: 145
Merit: 301
March 23, 2026, 07:18:43 AM
Merited by ABCbits (6), Dogedegen (5), DaveF (3)
 #90

Quote
but how one can make a valid signature without a private key is the issue
This part is the easiest one. You just put your data into the signature. See:
Code:
der_signature=304402204974206973206861726420746f2073746f702066616b65207075626c6963206b02206579732c2062656361757365206f66207075626b6579207265636f766572792e01
30440220                                                         //der encoding
4974206973206861726420746f2073746f702066616b65207075626c6963206b //r-value, equal to "It is hard to stop fake public k"
0220                                                             //der encoding
6579732c2062656361757365206f66207075626b6579207265636f766572792e //s-value, equal to "eys, because of pubkey recovery."
01                                                               //sighashes
To do that, you don't need any private keys. You just put your data in the signature, as they are, and that's it.

And later, it is all about finding a matching public key, which will make all of that valid.

Which means, that you will almost always have "30440220", then any data, then "0220", then again any data, and then "01". For r-values, you have around 0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0 possible values, which will pass verification, and similarly for s-values, so it is more likely than not, that if you pick any ASCII string, then it will be valid. And if not, then you have around 50% chance of hitting it, so after trying few times, you will almost always find some match.

So, if you have around 64 bytes of arbitrary data, then you just encode it into the signature, and then you can feed any public key recovery algorithm with that.

Edit:
Quote
If you can sign a message to a pubkey, that pubkey can not be fake as you have proven you have the matching private key.
It is fake, because nobody knows the private key. Because no private key was used, to make it.

This is why public key recovery works: you don't need private keys to verify a signature. So you also don't need them to make it, as long as you can pick any key, and make it valid.

Private keys are needed, if you start from public key, and make a signature. But if you start from a signature, and make a public key out of it, then you don't need any private keys.
Dogedegen
Full Member
Activity: 336
Merit: 195
March 23, 2026, 06:05:34 PM
Merited by DaveF (2), nutildah (2), ertil (1)
 #91

He could be a paid agent while still believing every thing he posts while at the same time not being able to or caring to understand that what he is posting will at best not work and at worst make things a lot worse.
You are right, it could be both and I missed mentioning that case. I've seen some older members fooled by luke's lies, but I find it surprising that anyone reasonable could support him after watching him talk in a live debate. He mostly dodges the main aspects of the topics and just attacks others.

It’s easy to get caught up in the paid agent vs. true believer labels, but reality is usually a lot messier than that. Most people are just doing what they think is right, even if they’re misguided or incentivized in ways they don't fully see.
It’s also refreshing to see you call out the yo momma jokes. This debate is already technical and stressful enough without the personal attacks. We’re all trying to figure out how to keep this network running maybe we can focus more on the pseudo-solutions you mentioned and less on the insults. Thanks for keeping it civil.
You have a point but only to some extent. It is not good to treat people who are new this way, but what about people who continue to cause disruption and insist on their delusions even when receiving nice explanations and plenty of time from other members? How long should we entertain the people who believe that the world is flat? There are aspects to this debate that can be subjective to some degree we can agree to that, let's say to what extent is OP_RETURN the best solution for the problem? Other things are not, they are objectively clear. One example would be that some proposals are terrible and would lead to freezing existing UTXOs of people that didn't do anything wrong. Another would be what is discussed here, fake public keys are a thing and they can't be blocked in any way. If we indulge people too much, they are taking away valuable time from people.

Imagine if each Core developer spent some time daily answering to people like this? The software would not get anywhere at all, it would advance at the slowest pace possible! Instead of shying away from personal attacks, consider the other perspective. We have here users like ertil giving excellent knowledge and explanations voluntarily, users who accept and discuss in nice ways should be treated very well. Users who refuse and persist for nefarious reasons, not so much?

Quote
but how one can make a valid signature without a private key is the issue
This part is the easiest one.
I know it is not intended in any mean way, but if you would stop calling this easy that would help make some of us feel less stupid.

You just put your data into the signature. See:
Code:
der_signature=304402204974206973206861726420746f2073746f702066616b65207075626c6963206b02206579732c2062656361757365206f66207075626b6579207265636f766572792e01
30440220                                                         //der encoding
4974206973206861726420746f2073746f702066616b65207075626c6963206b //r-value, equal to "It is hard to stop fake public k"
0220                                                             //der encoding
6579732c2062656361757365206f66207075626b6579207265636f766572792e //s-value, equal to "eys, because of pubkey recovery."
01                                                               //sighashes
To do that, you don't need any private keys. You just put your data in the signature, as they are, and that's it.
Yes! This is the way to explain it, thank you so much. It makes perfect sense now how it is constructed and what data it contains. It is actually even easier than I expected originally when I read about the fake public keys way of storing data or what some refer to as spam. I hope that people that want to store data on the Bitcoin blockchain fully utilize OP_RETURN and never go ahead with these alternative methods. From what I understand though, we can't really stop a malicious actor from doing anything at all using known methods? If they want to store data with UTXOs, fake public keys and so they can do it. We are merely creating incentives that encourages other behavior, right?

Private keys are needed, if you start from public key, and make a signature. But if you start from a signature, and make a public key out of it, then you don't need any private keys.
This is the one part where I can have understanding for the user here as long as he admits that our knowledge is wrong. I am certain that the only explanation that I have seen on this topic was that you absolutely need a private key to make a signature, but after the interactions in this thread it is expected that one adopts the new knowledge that was presented.
ertil
Full Member
Activity: 145
Merit: 301
March 23, 2026, 09:18:59 PM
Merited by DaveF (3), ABCbits (3)
 #92

Quote
if you would stop calling this easy that would help make some of us feel less stupid
It is all about turning some text into ASCII hex bytes:
Code:
der_encoding=30440220
r_value:
49 74 20 69 73 20 68 61 72 64 20 74 6f 20 73 74   //hex
 I  t  _  i  s  _  h  a  r  d  _  t  o  _  s  t   //ASCII (space replaced with _)
6f 70 20 66 61 6b 65 20 70 75 62 6c 69 63 20 6b   //hex
 o  p  _  f  a  k  e  _  p  u  b  l  i  c  _  k   //ASCII (space replaced with _)
der_encoding=0220
s_value:
65 79 73 2c 20 62 65 63 61 75 73 65 20 6f 66 20   //hex
 e  y  s  ,  _  b  e  c  a  u  s  e  _  o  f  _   //ASCII (space replaced with _)
70 75 62 6b 65 79 20 72 65 63 6f 76 65 72 79 2e   //hex
 p  u  b  k  e  y  _  r  e  c  o  v  e  r  y  .   //ASCII (space replaced with _)
sighashes=01
So, if you use a site like https://www.asciitohex.com/ and put "It is hard to stop fake public k" as a text, you can get "49 74 20 69 73 20 68 61 72 64 20 74 6f 20 73 74 6f 70 20 66 61 6b 65 20 70 75 62 6c 69 63 20 6b" as hexadecimal representation, and then put it directly into r-value. And similarly with s-value later.

Quote
we can't really stop a malicious actor from doing anything at all using known methods?
We can, which is why Taproot commits to the public key in the hashed message. But it is not true for older address types than P2TR, which means, that by blocking it there, it could lead to unspendable funds.

Quote
We are merely creating incentives that encourages other behavior, right?
Well, if there is some OP_RETURN, then it can be simply ignored. But if you have a fake signature, with a fake public key, then you have to process it. Which has a bigger cost, than just skipping some bytes.

So, if more and more non-payments are blocked, then people will switch to more and more demanding transactions, which will require similar or more resources, compared to real payments.

Quote
This is the one part where I can have understanding for the user here as long as he admits that our knowledge is wrong.
There is one thing, that some filter enthusiasts don't understand: if they block more things, then spammers will adapt, and adjust. So, if currently just putting data in public keys works well, then they use it. But if filters will start throwing it away, and require a spendable key, then guess what: they will adapt, and adjust. And then, as demonstrated, they could start with a fake signature instead, and derive a public key from it, which will pass verification, but which will still be fake, and generated without knowing any private keys.

Which is why requiring to sign a key, before spending it, wouldn't work. Because the signature for verification can be faked, and used just once, to bypass that kind of protection. Or it could be spendable on-chain, and then, blocking it could affect real payments as well. Because then, you will need to look closer at the actual public key and signature, and block a subset of it. And how would you know, which things are used for data transfer, and which are for payments, if they will have the same structure and size?
PepeLapiu (OP)
Member
Activity: 335
Merit: 87
March 24, 2026, 04:04:15 AM
Last edit: March 24, 2026, 04:30:38 AM by PepeLapiu
 #93

But hoping every wallet follow same rule unlikely to happen, when some wallet either lagging behind or never implement certain feature.
It is impossible, especially with wallets that have many shitcoins and tokens on them. We may not be favorable to those here but they have huge user bases and are often also lagging behind in changes that may not be urgent.

If we change bitcoin in a way that makes existing wallets not function until they update, I think that qualifies as a pretty urgent thing, no?

In any case, we should look at the merits of a proposal on its own. If it's a good proposal and beneficial to bitcoin, we can't deny the proposal simply because it causes wallet devs to work a little more.



What you claim goes above my pay grade. I'd have to consult with some people more knowledgeable than me.

The point I was making is that the claim that unspendable fake pubkeys can't be prevented is false.
The requiring a signed message is just one of those ideas.
We could also raise the dust limit which would make unspendable fake pubkeys more expensive.
And The Cat proposes to delete UTXOs under 1000 sats that are known spam.
The Lynx is also a similar proposal to The Cat but I haven't looked into it.

What I'd like to see is removing from the UTXO set any UTXO with small sat balance that are 4 or 8 years old or more, every year or so. Not sure how that would work, or at all. But worth looking into.

.... You are an idiot, or you think I'm an idiot.

No, we all *know* you are an idiot nocoiner cult member.

I get by on my looks alone.

Quote
None of the filters that luke censorcoin have out there will even slow down *what you think is* spam for more than a couple of hours perhaps a day or two.

Yes, I'm fully aware that less than 80% of nodes filtering something doesn't do much. And I am aware that large mining pools are effectively building a cartel to bypass the nodes policy.

But we can't get to 99% of the nodes running a filter without starting at 1% of the nodes first. As time grows core keeps looking more and more stupid and incompetent. And more plebs will switch to Knots or another client.

And eventually, if the big pools don't get in line, we can make them get in line by putting the filters into consensus, as we are doing with BIP110.

ertil
Full Member
Activity: 145
Merit: 301
March 24, 2026, 08:00:39 AM
 #94

Yet another example, this time with just P2PK, without any complex scripts: https://mempool.space/signet/tx/f29444019af06385d1b5dab6dacbe644144003354e06ee2f11f5c7972cd04929

The public key 03147c81d041b829fb446e39201d4f82f8c702ac62ec4e6ae17bd8c8741b7eafab is fake. Nobody knows the private key to that. And if you look at the signature, you will see this:
Code:
der_encoding=30440220
r_value:
48 6f 77 20 64 6f 20 79 6f 75 20 77 61 6e 74 20   //hex
 H  o  w  _  d  o  _  y  o  u  _  w  a  n  t  _   //ASCII (space replaced with _)
74 6f 20 73 74 6f 70 20 66 61 6b 65 20 73 69 67   //hex
 t  o  _  s  t  o  p  _  f  a  k  e  _  s  i  g   //ASCII (space replaced with _)
der_encoding=0220
s_value:
6e 61 74 75 72 65 73 3f 20 4d 61 6b 69 6e 67 20   //hex
 n  a  t  u  r  e  s  ?  _  M  a  k  i  n  g  _   //ASCII (space replaced with _)
74 68 65 6d 20 69 73 20 74 72 69 76 69 61 6c 2e   //hex
 t  h  e  m  _  i  s  _  t  r  i  v  i  a  l  .   //ASCII (space replaced with _)
sighashes=03
And then, how would you know, if 03147c81d041b829fb446e39201d4f82f8c702ac62ec4e6ae17bd8c8741b7eafab is a fake public key or not? For each and every P2PK, it can push some data inside the signature, or not. And you never know upfront, how exactly it will be moved later.
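The signature layout walked through in posts #90, #92 and #94, as an added example that is not code from any poster in this thread: a small parser that splits a signature push into r, s and the sighash byte, applies the range checks a node applies, and reports whether either value is plain ASCII. The function names and the control signature are this example's own; the first signature is copied from post #90 and the second is re-assembled from the byte rows in post #94.

```python
"""Triage of DER signatures whose r/s values carry ASCII text (added example)."""
import string

# secp256k1 group order; HALF_N is the bound quoted in post #90.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HALF_N = N // 2
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# Copied from post #90.
SIG_POST_90 = ("30440220"
               "4974206973206861726420746f2073746f702066616b65207075626c6963206b"
               "0220"
               "6579732c2062656361757365206f66207075626b6579207265636f766572792e"
               "01")
# Re-assembled from the byte rows listed in post #94.
SIG_POST_94 = ("30440220"
               "486f7720646f20796f752077616e7420746f2073746f702066616b6520736967"
               "0220"
               "6e6174757265733f204d616b696e67207468656d206973207472697669616c2e"
               "03")
# Constructed control with the same layout; r and s are not text.
SIG_CONTROL = "30440220" + "01" * 32 + "0220" + "02" * 32 + "01"


def parse_der_sig(hex_sig):
    """Return (r_bytes, s_bytes, sighash) from SEQUENCE{INTEGER r, INTEGER s} + 1 byte."""
    raw = bytes.fromhex(hex_sig)
    if len(raw) < 9 or raw[0] != 0x30 or raw[1] != len(raw) - 3:
        raise ValueError("not a DER SEQUENCE followed by one sighash byte")
    pos, ints = 2, []
    for _ in range(2):
        if pos + 2 > len(raw) - 1 or raw[pos] != 0x02:
            raise ValueError("expected DER INTEGER tag 0x02")
        length = raw[pos + 1]
        ints.append(raw[pos + 2:pos + 2 + length])
        pos += 2 + length
    if pos != len(raw) - 1:
        raise ValueError("INTEGER lengths do not match the SEQUENCE length")
    return ints[0], ints[1], raw[-1]


def as_text(value):
    """Decode value as ASCII if every byte is printable, else return None."""
    body = value.lstrip(b"\x00")
    if len(body) >= 8 and all(b in PRINTABLE for b in body):
        return body.decode("ascii")
    return None


def triage(hex_sig):
    """Summarise one signature: range checks plus any readable payload."""
    r, s, sighash = parse_der_sig(hex_sig)
    r_int, s_int = int.from_bytes(r, "big"), int.from_bytes(s, "big")
    return {
        "r_text": as_text(r),
        "s_text": as_text(s),
        # Printable ASCII bytes are all below 0x80, so a 32-byte text value
        # is always below HALF_N and passes both range checks.
        "r_in_range": 0 < r_int < N,
        "s_low": 0 < s_int <= HALF_N,
        "sighash": sighash,
    }


def carries_text(hex_sig):
    """True when r or s decodes as readable ASCII."""
    result = triage(hex_sig)
    return result["r_text"] is not None or result["s_text"] is not None


if __name__ == "__main__":
    for name, sig in (("post #90", SIG_POST_90), ("post #94", SIG_POST_94),
                      ("control", SIG_CONTROL)):
        print(name, triage(sig))
```

This only catches payloads stored as readable text. Compressed or encrypted bytes in r and s have the same structure and size as the values of an ordinary signature, which is the limit the posts above describe.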
PepeLapiu (OP)
March 24, 2026, 04:50:15 PM
Merited by ertil (1)
 #95

Quote
The public key 03147c81d041b829fb446e39201d4f82f8c702ac62ec4e6ae17bd8c8741b7eafab is fake. Nobody knows the private key to that.

I still don't get it. But how do I know that it's a fake pubkey, beyond just trusting your word for it?


 

ertil
March 24, 2026, 06:24:48 PM
 #96

Quote
But how do I know that it's a fake pubkey, beyond just trusting your word for it?
Because it is generated out of some ASCII data.

Let's get there step-by-step:
Code:
Q=025468697320697320736f6d652072616e646f6d2066616b65207075626b65792e
As you can clearly see, the message "This is some random fake pubkey." is stored in this fake public key. In this case, you can trivially see, that it is fake, and that nobody knows the private key to that.

However, because of how secp256k1 works, you can use addition and multiplication, and tweak any known public key, by any 256-bit number, in the range from 1 to 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140.

For example:
Code:
Q=025468697320697320736f6d652072616e646f6d2066616b65207075626b65792e
Q+1=022F025BEB8013D34950DD718D2B613B8C4389E80903E9C3F5F4F59117E85F7406
And then, by looking at 022F025BEB8013D34950DD718D2B613B8C4389E80903E9C3F5F4F59117E85F7406 alone, you probably don't know, if it is fake or not. But if you know, that it was just incremented by one, then you can decrement it, and see it clearly:
Code:
P=022F025BEB8013D34950DD718D2B613B8C4389E80903E9C3F5F4F59117E85F7406
P+0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140=025468697320697320736F6D652072616E646F6D2066616B65207075626B65792E
And then, you know, that nobody has a private key to that.

So, if you know that, then what is a signature? It is a relation between two public keys. One is usually stored in the output, and another one is included in the input. When you verify it, then you check, if it is correct. By starting from one public key, and adding some 256-bit number, and then multiplying it by another 256-bit number, you check, if it matches the other key. If there is a match, then the signature is correct.

Classically, you start from some public key, and when you can see some signature, then the key owner shows you, how to go from some upfront-agreed public key, which is Q-value, to some other, randomly picked public key, revealed in the signature as R-value. And then, everyone can verify it:
Code:
s=(z+rd)/k
sk=z+rd //private keys
sR=zG+rQ //public keys
R=(z/s)G+(r/s)Q
So, if you know some public key Q, then you can verify, that you can reach R, by using publicly known z-value, r-value, and s-value. Which also means, that if you know one private key, then you can easily calculate the other:
Code:
k=(z/s)+(r/s)d //private keys
R=(z/s)G+(r/s)Q //public keys
And then, in my examples, r-value and s-value is based on some ASCII data. So, I definitely don't know the private key to that. And then, if you have some fake public key, and you apply some addition and multiplication on top of that, then you still wouldn't know the private key to that modified key as well.

To sum up:
Code:
   Q                                    //unknown private key
   Q+known_number                       //unknown private key
R=(Q+known_number)*another_known_number //unknown private key
If I don't know the private key for Q, then I don't know the private key for "Q+known_number" or "Q*some_other_number" as well. Because if I would, then I could use the same operations on private keys, and get it directly from these publicly known equations.

Each and every signature is a relation, where you have some known addition, and some known multiplication. If you don't know the private key for the left side, then you won't know that for the right side of that equation as well.
PepeLapiu (OP)
Member
March 25, 2026, 02:19:40 AM
Last edit: March 25, 2026, 02:41:43 AM by PepeLapiu
Merited by ertil (1)
 #97



Okay. I looked it up with someone smarter than myself. (not hard to find)

The solution is to require two signed messages. And that would prove your pubkey spendable.

But I don't see this as a practical thing to do for all outputs. Perhaps we could require that all <20,000 sats UTXOs have 2 signed messages, with the exception of a re-used input.

This way, no minimum limit at all in spends. But the wallet will need to remain online while the transaction confirms, but only when one of the outputs is <20,000 sats.

ertil
March 25, 2026, 08:57:50 AM
Merited by DaveF (2)
 #98

Quote
The solution is to require two signed messages.
Challenge accepted. It is possible to generate some fake signatures for the public key, used in the Genesis Block:

Quote
Code:
fake_signatures.py 04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f
981c008269574d9bb73a2e781270e2163297b3d3ca9645b5e0664ffcbb19e78a,3cc2a888bae4811e75e64e19f2ce668951a3520e93e31a74b4cd4e9ce9508839,ed97aea4f9b66aca0c41ac88c2f0d90ef2ad269af0951ba2b07c70f7d1542b3c
53b9632a4250eb518426a545daa99fc6a72addfcb62714fbe81e269cd9ee39e8,62cbe3cc5eec2cbcbf61793a1d94414b43536c0e9219da703be5f141c46fa364,166db19e268d41b8cb76eedb50c57969635bcce2218b1921df45656a24de751a
a050e9237241c02d17684df9b9039fd707fcecb2fbd9d46af95dfeb6ef1daaa3,5e3bd1a08a7418066e4231adbfa23cc969617bb67f35a5f9a4d1ebae9a196fc7,a20a81207eb5aa382759debfc3ca98d4a3cf85474c9dbb6684dbd5bae3abe58d
9f2e42881a9cd3ddd088ebc77857beb9929c42e76e3b3ab7d1928652d2b731cf,0a4353b1fe7c167d63eaa45aeb23f83d219fd31ca74a17adc84cb18bc3184833,32a9cacbb64e5679eb40dfca1192bccc3db0e19d63d1e68286fe119d7d494c8a
a46f5889983efb70e00927f5afeeb2c4042783ca36525968657e339416a6bd8d,185c697570158909298fb10019d7a3e62ed647e9a6ecd1992f3d3098a498eec9,dcd110dd05f2ef9bb46639b0abe858a545bc61f1cd0e5462f41e7003d5f68bba
8ca48464e4dd3789ec41b83827b93e840471cfce2c8e6349e4087f56c335991f,6fb96292e9a2e5480085d9b8f69bd6aa62cee3b76b090cd5d5e25f8ce253adea,b6b20ab75d2ad6e8e79fe3fdc9e28a66e2a6acecfe87a7f33cb5c3fba1d070d3
So, what now? There are around 2^256 possible public keys. If you block key Q, then people will use Q+1, then Q+2, and so on. There are many ways to produce fake signatures.

By the way: don't you see, that fighting with the spam makes it worse and worse, because spammers will just adapt, and adjust?

Quote
And that would prove your pubkey spendable.
Some of these fake public keys are spendable. There is a difference between some fake key, and some invalid key. For fake keys, it is hard to find a matching private key, but it is mathematically possible. For invalid ones, it is always impossible, and these funds are comparable to OP_RETURN, because they will never move.
PepeLapiu (OP)
March 25, 2026, 10:53:57 PM
 #99

Quote
By the way: don't you see, that fighting with the spam makes it worse and worse, because spammers will just adapt, and adjust?

That is a defeatist attitude, one I'm not willing to endorse. And strangely enough, it comes from the same people who call spam "new use cases we have today".

Quote
Quote
And that would prove your pubkey spendable.
Some of these fake public keys are spendable. There is a difference between some fake key, and some invalid key.
Yes, I'm already aware, thank you.

I'm running your info up to someone who knows more than me.
