To create the signature in Bitcoin you use ENCRYPTION by mean of a variant of El-Gamal elliptic curve Private Key. To authenticate you use DECRYPTION to "open" the signature with Public Key. So why you claim that encryption is not used - unless the above is wrong? For some reason persons in the field "assume" that encryption is relevant only of you are encrypting the message itself - encryption of an HASH is still encryption. – Moti – 2019-11-15T19:25:44.900

1While ECDSA is closely related to ECIES, and they both use elliptic curve cryptography, the purpose of a signature algorithm is that of authenticating the origin of a message to any verifier whereas an encryption scheme's purpose is to obfuscate a message from anyone but the recipient who holds the corresponding secret. Given the different purposes, the algorithms differ in trade-offs and attack surface. ECDSA is not an encryption algorithm. – Murch – 2019-11-15T20:25:50.840

The integrity of the document is assured by the hash (given the low probability to create a document with same hash). The user authentication is assured by encrypting the hash with the private key and later decrypt the encrypted hash with the public key (assuming that it is extremely difficult to find the private key). The purpose of the signature (thus the use of private key) is to authenticate the sender of the message and the purpose of the hash is to maintain the integrity of the message. Encryption is a process that maintains message while avoiding exposure. Hashing kills the message – Moti – 2019-11-15T21:44:36.560

I am seeking a response to the argument - someone that claimed to be an expert on Bitcoin claimed that there is no ENCRYPTION and I am trying to understand what is wrong with my argument. As far as I understand, when you have a bit-stream and you use a means called "private key" to generate a bit-stream based on the original and than you use a "public key" to uncover the original bit-stream - you use encryption. And this what is done in Bitcoin to the best of my understanding, in Bitcoin. Am I wrong? Where? – Moti – 2019-11-15T22:12:58.063

1While the math is similar, it's not an encryption algorithm, because you're "encrypting" to public information. It's like saying steering a boat and locking a vault is the same thing because you turn a wheel. It's superficially similar, except in all the ways that matter. – Murch – 2019-11-15T22:20:04.943

5There is no encryption involved, and ECDSA is not an encryption algorithm. This is trivial to see because there is no way to "decrypt" and get the message hash back out of the signature, even if you'd have the private key. There is a sign(privkey,message) algorithm that produces a signature, and a verify(pubkey,message,signature) algorithm that returns true or false. Verification in no way "decrypts" the signature; it's just an equation that holds for valid signatures, and not otherwise. – Pieter Wuille – 2019-11-15T22:39:09.533

I agree that ECDSA does not require the decryption, the only reason is because the HASH is available (the document). As result you could verify that the HASH was used to generate the encrypted version of it, that was sent with the document. I believe that the only reason for this is simplifying the computation rather than go through the decryption of the signature. So, is half decryption for convenience is regarded using encryption or not?:) – Moti – 2019-11-17T08:21:35.737

2

Hi Moti. You seem unpersuaded by Pieter and Murch. Perhaps you'll find it more convincing from the person who invented Bitcoin: "Bitcoin does not use any encryption." (Satoshi Nakamoto, Bitcoin v0.1: https://github.com/bitcoin/bitcoin/blob/4405b78d6059e536c36974088a8ed4d9f0f29898/readme.txt#L36)

1@Moti Verification does not involve either decryption, or re-encrypting and comparing. It's simply this equation: a signature is a point R and a number s such that sR = HASH(message)G + (R.x)P (where G is a constant, and P = dG is the public key, with d the private key). Given s and R, and P (or even d), there is no way to compute even HASH(message). Note that you cannot divide by a point - that's the computational hardness assumption ECDSA is based on. – Pieter Wuille – 2019-11-18T19:04:27.280

1"As far as I understand, when you have a bit-stream and you use a means called 'private key' to generate a bit-stream based on the original and than you use a 'public key' to uncover the original bit-stream - you use encryption." Right, and bitcoin doesn't do this. There is no "uncover the original bit-stream". What exactly do you think is recovered? – David Schwartz – 2019-11-19T05:24:40.410

I accept the fact that the intent is not to "hide" information but only to verify that the "signature" is authentic by means of the public key. – Moti – 2019-11-19T20:42:03.830

1@Moti (r=0x35c744204f46c0856598cdcc087657eb729c9b75c3c0046f034f9fcf27ab1d8f, s=0x2e0a825c693a34d7044562c0020d3157e621f714f80e1c79fe99957859cb096f) is a valid secp256k1 ECDSA signature for public key 0x0279BE667E F9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798 (the generator, with private key 1). If this is an encryption scheme, you should be able to figure out what the message (or even message hash) is (even without access to the private key, because verifiers generally don't have that). Turns out that recovering the message from the signature is just as hard as forging a signature. – Pieter Wuille – 2019-11-19T22:36:28.290