How to sign a text message?

[valley365]

Maybe it's a dumb question, but I can't find the function to sign a text message itself.

In key.h, two sign function defined:

    bool Sign(uint256 hash, std::vector<unsigned char>& vchSig);
    bool SignCompact(uint256 hash, std::vector<unsigned char>& vchSig);

but both work on the hash of the message.

This is how the system works:
text message->hash->(sign)->signature

now both text message and signature are sent to destination, and signature->hash then compared to text message->hash to determine if the message is altered or not.

But I want to do this:
text message->(sign with private key)->(signed message broadcast)->(at destination)->sign with public key to get message.

Is there a function available in bitcoin for this purpose?

[1715409687]

1715409687

[1715409687]

1715409687

[1715409687]

1715409687

[DeathAndTaxes]

No.  public key cryptography is particularly expensive so a hash of the message is always taken.    If the cryptographic hash is secure then it serves as a proxy for the actual message (which can be of arbitrary length) as one can't change the message without producing a different hash.   Since text messages are short you in theory could sign the message directly however this would be non-standard, it isn't just not supported by the bitcoin source code, it wouldn't be supported by any standard crypto library either.  The message would also need to be less than the n parameter of the curve which for secp256k1 is 256 bits or ~32 bytes (characters).  You could write custom code to implement this but it would be very proprietary, extremely limited, wouldn't be verifiable by any standard library, and I am not sure what you gain over just signing the hash of an arbitrary message.

[TimS]

https://github.com/bitcoin/bitcoin/blob/master/src/qt/signverifymessagedialog.cpp#L146

Here's the code in the dialog box that does the actual signing:

Code:

key.SignCompact(Hash(ss.begin(), ss.end()), vchSig)

So yes, actually, it does work on a hash of the message! The signature only covers a hash of the message, it doesn't tell you the message itself or the address that signed it. That's why those fields are included in cleartext in the format you see here: http://brainwallet.org/#verify

[valley365]

No.  public key cryptography is particularly expensive so a hash of the message is always taken.    If the cryptographic hash is secure then it serves as a proxy for the actual message (which can be of arbitrary length) as one can't change the message without producing a different hash.   Since text messages are short you in theory could sign the message directly however this would be non-standard, it isn't just not supported by the bitcoin source code, it wouldn't be supported by any standard crypto library either.  The message would also need to be less than the n parameter of the curve which for secp256k1 is 256 bits or ~32 bytes (characters).  You could write custom code to implement this but it would be very proprietary, extremely limited, wouldn't be verifiable by any standard library, and I am not sure what you gain over just signing the hash of an arbitrary message.

OK thanks for the info. But if a client wants to send a private message to another client, he will not be able to do it with hash only, as it is not invertable to message, he has to make the message public and + signature so the receiving party can verify the message unaltered, but the message itself will be seen by everyone.

In this case will need some special implementation as you described? I am still surprised that this function is not available, as I thought public-key encryption is a common use case for public-private key pair.

[valley365]

https://github.com/bitcoin/bitcoin/blob/master/src/qt/signverifymessagedialog.cpp#L146

Here's the code in the dialog box that does the actual signing:

Code:

key.SignCompact(Hash(ss.begin(), ss.end()), vchSig)

So yes, actually, it does work on a hash of the message! The signature only covers a hash of the message, it doesn't tell you the message itself or the address that signed it. That's why those fields are included in cleartext in the format you see here: http://brainwallet.org/#verify

Yes but I am looking for a function that can sign a text message, instead of a hash...

[DeathAndTaxes]

The purpose of signing is not to hide the message it is to authenticate the message.  It sounds like you wish to have the message encrypted not signed.

There are encryption algorithms which work using ECC keys and curves but none of them are used by bitcoin.  The bitcoin protocol uses no encryption at all (although some client side encryption is used to protect private keys). 

Here is an example of a ECC based encryption protocol:
http://en.wikipedia.org/wiki/Integrated_Encryption_Scheme

[DeathAndTaxes]

Yes but I am looking for a function that can sign a text message, instead of a hash...

There IS no such function.  The max length of the digest that can be signed is <256 bits (<32 ASCII characters).  This is a limitation of how ECDSA works.  As there is almost no use for signing a message directly with that limitation a hash is used instead.  So even in cases where the message IS less than 256 bits it is still customary to take a hash of the message and sign that rather than deal with this extreme edge case differently than all other messages >256 bits.  

It sounds like you are trying to use the wrong tool for the job.   The purpose of a digital SIGNATURE algorithm is to digitally SIGN not ENCRYPT messages.

[valley365]

Yes but I am looking for a function that can sign a text message, instead of a hash...

There IS no such function.  The max length of the digest that can be signed is <256 bits (<32 ASCII characters).  This is a limitation of how ECDSA works.  As there is almost no use for signing a message directly with that limitation a hash is used instead.  So even in cases where the message IS less than 256 bits it is still customary to take a hash of the message and sign that rather than deal with this extreme edge case differently than all other messages >256 bits.  

It sounds like you are trying to use the wrong tool for the job.   The purpose of a digital SIGNATURE algorithm is to digitally SIGN not ENCRYPT messages.

OK, very good. Thanks a lot for the information. I got it now.