Hey guys, I just wanted to get your thoughts on this bitcoin message verifier page I created.
It’s at https://verify-bitcoin-message.js.org
I initially built it to learn more about the tech, but I also wanted a straightforward way to share and publish these messages.
If anyone’s up for it, translations would be a huge help right now.
When messages are published, a Github bot kicks in to automatically verify all the messages included and even gives proofs!
For instance, some time back, someone used hundreds of bitcoin addresses to sign a message.
I went ahead and published those signed messages on behalf of the signer.
Check it out here: https://github.com/mothepro/verify-bitcoin-message/pull/17
Verifying signed bitcoin messages
4 replies 315 views
The tool works correctly, but it says things, which can be wrong in some cases. Because the correctness of the signature doesn't prove, that the coins are spendable, if it was artificially generated, without dealing with any private keys at all.
For example:
Wrong, the private key is unknown. If it would be known, then secp256k1 would be broken.
Wrong, the signer can only sign "Hello World" specifically, and nothing else, because the private key is unknown, and the public key was created from the signed message and signature public key.
For something that made for learning purpose, it's good enough. I just want to suggest to consider showing all entered data (address, signature and message) after user clicking button "Verify".
Interesting. I tried using other website mentioned on OP's website and they have same issue. Electrum says "Invalid address" on "Sign/verify message" windows, although Electrum let me import the address on watch-only address.
For the curious, the payload in question is: https://verify-bitcoin-message.js.org/?address=1psPJZYEJrjPtY6kw5Tqtj4mW2yXSSDuH&message=Hello+World&signature=GwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE%3D
Are you able to explain more about how this signature was generated then?
My best guess is the message "Hello World" was chosen, then signature uses some simple points on the elliptic curve to generate a public key.
But then the public key shouldn't map to a valid address?
I implemented a Base58 checksum (which shouldn't validate) AND mempool.space should throw an invalid address error.
It sounds like message signatures are only useful if you expect a specific address (or a set amount of coins in the address).
Great feedback, added a "View Details" button to see the entire payload as json. Thanks!
Sure:
https://bitcoin.stackexchange.com/questions/77324/how-are-bitcoin-signed-messages-generated
https://en.bitcoin.it/wiki/Message_signing
1. Take some public key, where you don't know the private key, and turn it into R-value. For example:
2. Take some signature s-value. It could be anything at all, in range from 0x1 to 0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0:
3. Encode (r,s) with base64:
Here, "1b" is a simple prefix, that can tell, how the public key should be exactly recovered. But if there is any correctly implemented signature validator, then the right prefix can be simply bruteforced, because there is something like 8 combinations or so (and other ones are just to check, if the public key is compressed or not, and in which address type it should be wrapped).
4. Take any message you want, and hash it properly:
5. Use public key recovery:
And now, you can easily check, that 1psPJZYEJrjPtY6kw5Tqtj4mW2yXSSDuH is not just a random address. It is generated from 04 753402E9699F1944EB22A8133A40BC2705FFB7B4E93E2DFBF18948C2AE5227B7 01BBAECE9C0009BA53614C48EEB0F1E01C737CEB906432A8D204327C70018060 public key, and it is enough to pass ECDSA validation.
However, the knowledge of this public key, does not require the knowledge of the private key. Also, it is possible to pick someone else's public key, and put it into R-value, instead of 020000000000000000000000000000000000000000000000000000000000000001. Then, a given recovered address will be spendable only by that person.
Here is another example, which will pass verification:
As you can see, the message is completely different, the signature is exactly the same, and the recovered address changed to something else. But nobody can move any coins from 1D2w953S1GgTHa2tRA5kuFwfuUkw9jt5ip, as long as the private key to 020000000000000000000000000000000000000000000000000000000000000001 remains unknown.
Link to your site: https://verify-bitcoin-message.js.org/?address=1D2w953S1GgTHa2tRA5kuFwfuUkw9jt5ip&message=I+am+Saint+Wenhao%2C+and+I+can+use+public+key+recovery.&signature=GwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE%3D
As you can see, verification passed, but "The signer can spend bitcoin from the address" is a lie, because only public keys were used, to generate all of that, so private keys are unknown, even if the signature can pass verification.
?Reply
Sign in to reply to this topic
Related topics
- Bitcoin Core displaying coins (UTXOs) in a new tab 13
- Are you in favor of BIP-110? Let's get a Bitcoin poll going. 0
- Erlay seems to have some issues here’s a better proposal for a bitcoin protocol without invites 3
- Ways to earn some sats by contributing to bitcoin core development 5
- Exploring the Potential and Challenges of a Kardashev-Scale Bitcoin Network 3
- What can I do to fix this Bitcoin Core error? 8