Possibility of constructing a valid transaction without knowing the private key

1

From here you get that in step 2 of the ECDSA signing process, you use z, the Ln leftmost bits of e = HASH(message/transaction), in both the process of generating and verifying the signature.

I understand that in Bitcoin transaction signing and verification you do almost the same algorithm.

So...

You know that address A has a transaction x to it that values in 1 BTC not spent.

You know also a transaction y1 from A with a certain signature and a certain value z1, as the algorithm in the link says.

Could you create a transaction y2 so that it sends the 1 BTC from A to address B by creating it in a way that it had the same z1 (mentioned above) and consequently the same signature of y1? (since the signature depends only on the message (z), the private key and the random value k)

Would this transaction y2 be valid?

Legust

Posted 2017-08-28T00:30:03.303

Reputation: 13

Answers

3

Yes, but that is hard. This is known as a collision, and you would be finding a collision in SHA256. Because you would be reusing a known hash, what you would be doing is performing a preimage attack. Since SHA256 has no known preimage attack for all 64 rounds done in a normal SHA256 hash, you would need to do 2^256 hashes in order to be guaranteed to have found a colliding preimage for that hash.

This is why a cryptographically secure hash is used for signing operations.

Andrew Chow

Posted 2017-08-28T00:30:03.303

Reputation: 40 910