So, here’s the deal,
the beginning of the script shows the usual way to create valid signatures using a private key with ecdsa secp256k1. There are tons of libraries out there that handle this too.
What struck me is that if we use the same verifying values for u1, u2 and the public key, we can actually generate signatures just from the public key and still get the same r, s, z signatures.
This means that with random values for u1 and u2, it’s possible to produce multiple valid signatures using only the public key.
You can grab and try out the code here. https://github.com/KrashKrash/public-key-signature-generator
Now, can this be used to forge signatures? Can you replicate the same r values? Are there any mathematical vulnerabilities you could introduce?
The short answer to the first two questions is No. The signatures are generated deterministically. With specific u1 and u2 values, you'll only end up with a particular set of r, s, z values. But it's definitely some cool info for those interested in the math behind it.
Generating Valid Signatures Using Only the Public Key
2 replies 275 views
I'm not an expert in this area, but if z isn't derived from the message, then the same signature can be applied to any message (assuming that you don't verify the hash).
Read this: If someone wanted to pretend to be Satoshi by posting a fake signature to defraud people how could they?
i have read it. hmm.. some ideas are running in my head now. the formula he had used is essentially what had been done above. its the same. 2 random scalar values for r sig but the things said in there are really giving me a few theories. thank you very much.
Related topics
- Extracting R values from blockchain signatures 14
- Using Cold Electrum with Core in watch mode 11
- Bitcoin Core displaying coins (UTXOs) in a new tab 13
- Are you in favor of BIP-110? Let's get a Bitcoin poll going. 0
- Erlay seems to have some issues here’s a better proposal for a bitcoin protocol without invites 3
- New Optional Hourglass Implementation is Live 3