7
2
Let's say my Bitcoin address is 1Nu5mzpUD9A7daZ76QJEsBfkBjCWVLh7pJ and I sign the message random-challenge with its private key.
The result is :
IAjU1mpvy70Li2Q1jDaNJKaQudaAJia1oF9SYJ8HGGuNffT9ERmc77WgPMONPLHKAhO8d0bhDF5Nvn+AUzS6R04=
Bitcoin uses a unique property of ECDSQ which allow to calculate the public key from the message and signature. So if I send to the recipient the above message and signatures he/she will be able to get my address 1Nu5mzpUD9A7daZ76QJEsBfkBjCWVLh7pJ
Now, if I send the same signature and a completely different message, will it derive all the time a valid random Bitcoin address ? And if yes, doesn't this have some serious security implication allowing people to prove they control an address without having the private key ?
1If you change the message, the signature won't verify. You might be able to compute a value that looks like an address, but nobody will believe it's an address that you control. – Nate Eldredge – 2014-04-03T15:23:40.320
How can they make the difference between a real address and an address (valid) that I forged/extracted from the message and signature ? – EricLarch – 2014-04-03T15:37:36.070
No, that's what I'm saying. You don't tell the difference by looking at the address, but by seeing whether the signature verifies correctly. – Nate Eldredge – 2014-04-03T15:39:58.123
But it does verify ! I took a valid signature, I took a random message, and I found an address where verify_signature(signature, random message, forged address) is true – EricLarch – 2014-04-03T15:43:03.567
I may not be understanding what you are doing. Can you give a complete example? – Nate Eldredge – 2014-04-03T19:26:42.413
I found this relevant post on Crypto.SE, in which they conclude that an analogous attack against RSA is (sort of) feasible: given a signature S (that signed some message M1 using a secret key K1) and a second message M2 of your choice, you may be able to find a key K2 such that S validates as a good signature of M2 by K2. There's no discussion of the ramifications, but Crypto.SE might be a good forum for more expert opinions.
– Nate Eldredge – 2014-04-12T03:49:10.827I asked a new question about this on Crypto.SE: http://crypto.stackexchange.com/questions/15538/given-a-message-and-signature-find-a-public-key-that-makes-the-signature-valid
– Nate Eldredge – 2014-04-12T04:01:51.933