message signing: is it safe to publish the address, message and hash

1

I want to use message signing in another application to prove a particular wallet owner did in fact make the transaction. This as I understand it is what message signing/verification is for.

I just want to confirm that making the address, the message, and the hash fully public (open for the world to see) does not compromise the wallet security. Also if I did this thousands of times on the same address, but each with a unique message and hash, the private keys would remain secure.

Thank you.

Scalextrix

Posted 2017-09-29T07:39:20.420

Reputation: 199

Answers

3

It shouldn't compromise the private key. Notice that publishing a message along with a signature is a common thing, and is necessary to verify the signature. Publishing also de Bitcoin address is similar to give the public key, since the former can be derived from the latter (actually, once you redeem your first transaction by signing it, you will provide the public key in the blockchain).

However, since you what to reuse the same key for signing multiple messages, there is something you should have in mind. There exist a well-known ECDSA vulnerability that affects the signing process, and by which if two different messages are signed using the same private random value k, anyone who knows the two original messages and the signature can derive the private key used to sign the messages. This is not likely to happen, since k should be chosen at random and from a good source of randomness, however some buggie implementations of the signature had lead to private key disclosure.

In order to ensure that this won't happen, you should use a deterministic ECDSA signature, in which k is chosen deterministically over the message to sign. Several wallets, like the Bitcoin Core, implement such a mechanism by default.

sr-gi

Posted 2017-09-29T07:39:20.420

Reputation: 2 382

Thanks, so if I could use a different address (public key) for every signature, this would prevent any possibility of private key disclosure, even in (known) buggy implementations?Scalextrix 2017-09-29T15:08:57.520

And a follow up, is there an easy way to check if a wallet uses the deterministic ECDSA signature?Scalextrix 2017-09-29T15:13:45.787

It should, at least for the issue I'm talking about. Regarding checking if a wallet is implementing a deterministic signature scheme, the easiest way I think will be signing a message twice. Given a message and a private key, if you sign the message twice and the signature is the same, then the signature scheme is deterministic.sr-gi 2017-09-29T15:50:03.483

Right that makes sense!Scalextrix 2017-09-29T16:34:15.087