Author

Topic: Encrypt a message using Bitcoin Public Key and decrypt with private key?Like PGP (Read 425 times)

kzv
legendary
Activity: 1722
Merit: 1285
OpenTrade - Open Source Cryptocurrency Exchange
What do you call the receiver private key? It's the private key of the message receiver? Why would you need to send him your public key? If he's the message receiver it's him who need to send you his own public key, no?

Example
Alice want to send encrypted message to Bob
Alice and Bob have keypairs (alice_public_key & alice_private_key; bob_public_key & bob_private_key)

Alice need to know only Bob's public key. This bob_public_key can be obtained from any Bob's transaction in blockchain.
Alice calculate
Code:
shared_private_key = alice_private_key * bob_public_key

Now Alice can encrypt any message with the shared_private_key like this:
Code:
encrypted_message = AES_ENCRYPT( 'hello Bob!', shared_private_key )

Now Alice can send to Bob encrypted_message and alice_public_key.

Bob calculate
Code:
shared_private_key = bob_private_key * alice_public_key

Now Bob can decrypt message like this
Code:
decrypted_message = AES_DECRYPT( encrypted_message, shared_private_key )
assert( decrypted_message ==  'hello Bob!' )
legendary
Activity: 2604
Merit: 2353
Yes, it's a technical limitation.  Sending by bitcoin address enters the transaction into the network and the recipient discovers it from the network.  You don't connect directly with them and they don't have to be online at the time.

I very much wanted to find some way to include a short message, but the problem is, the whole world would be able to see the message.  As much as you may keep reminding people that the message is completely non-private, it would be an accident waiting to happen.

Unfortunately, ECDSA can only sign signatures, it can't encrypt messages, and we need the small size of ECDSA.  RSA can encrypt messages, but it's many times bigger than ECDSA.

Satoshi was wrong here.
Though ECDSA can't encrypt messages itself but ECDH can do it!
So if I will get public key from any (most of) bitcoin transaction, then I can encrypt any message with shared_private_key = receiver_public_key*my_private_key. This message can only be decrypted by me and by owner of receiver_private_key (if I send him my_public_key)
This algorithm can be easily implemented in bitcoin client as private-message system.
What do you call the receiver private key? It's the private key of the message receiver? Why would you need to send him your public key? If he's the message receiver it's him who need to send you his own public key, no?
legendary
Activity: 1456
Merit: 1175
Always remember the cause!
The most critical problem of PGP is the lack of forward secrecy, IMO.
Briefly speaking it is about the risk of an exposed private key situation that compromises a secret message in the future. Implementing forward secrecy in current PGP implementations is possible though: peers can agree on a shared session key but it is not considered as a feature for PGP as long as it is not a part of the core key management protocol.

As of using bitcoin public keys for encryption of messages, it looks rather a bad practice both because of address re-use and lack of key management and no support for fame and mapping keys to real-world persons and entities. Note that implementing such a system on bitcoin would be worse because of dangerous privacy implications.
kzv
legendary
Activity: 1722
Merit: 1285
OpenTrade - Open Source Cryptocurrency Exchange
Yes, it's a technical limitation.  Sending by bitcoin address enters the transaction into the network and the recipient discovers it from the network.  You don't connect directly with them and they don't have to be online at the time.

I very much wanted to find some way to include a short message, but the problem is, the whole world would be able to see the message.  As much as you may keep reminding people that the message is completely non-private, it would be an accident waiting to happen.

Unfortunately, ECDSA can only sign signatures, it can't encrypt messages, and we need the small size of ECDSA.  RSA can encrypt messages, but it's many times bigger than ECDSA.

Satoshi was wrong here.
Though ECDSA can't encrypt messages itself but ECDH can do it!
So if I will get public key from any (most of) bitcoin transaction, then I can encrypt any message with shared_private_key = receiver_public_key*my_private_key. This message can only be decrypted by me and by owner of receiver_private_key (if I send him my_public_key)
This algorithm can be easily implemented in bitcoin client as private-message system.
newbie
Activity: 12
Merit: 0
I was studying a little about PGP. I am a total newbie at it.

But there are so many similarities to PGP and Bitcoin. Is it possible to encrypt a message using my public key, and decrypt it using my private key? Like PGP does. It would be something very nice to do, as Bitcoin clients are much more common and widespread than PGP related software (also easier to use).

I would like to be able to encrypt my messages using bitcoin key pairs. It would be really useful.

Maybe in future Bitcoin signatures could even replace PGP signatures? Is there any discussion about this? Or is it technically impossible ? I searched but couldn't find any.


I like the thought of using blockchain as a part of information security. The main goal is to maintain confidentiality while providing accessibility. However PGP is rather old. Are you also asking if we should integrate the complexity of the blockchain to add more security layers to the protocol for making informational or simple contract transactions (not just monetary) more secure?
legendary
Activity: 2604
Merit: 2353
Grin to answer the actual question though:

I'm not sure if ECDSA can be used to encrypt, I thought it was only possible to use it to sign with? (the DSA part breaks out as Digital Signature Algorithm)
Yes Satoshi already explained it

ECDSA can't encrypt messages, only sign signatures.

It would be unwise to have permanently recorded plaintext messages for everyone to see.  It would be an accident waiting to happen.

If there's going to be a message system, it should be a separate system parallel to the bitcoin network.  Messages should not be recorded in the block chain.  The messages could be signed with the bitcoin address keypairs to prove who they're from.

Yes, it's a technical limitation.  Sending by bitcoin address enters the transaction into the network and the recipient discovers it from the network.  You don't connect directly with them and they don't have to be online at the time.

I very much wanted to find some way to include a short message, but the problem is, the whole world would be able to see the message.  As much as you may keep reminding people that the message is completely non-private, it would be an accident waiting to happen.

Unfortunately, ECDSA can only sign signatures, it can't encrypt messages, and we need the small size of ECDSA.  RSA can encrypt messages, but it's many times bigger than ECDSA.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
But it's not necessary to use your private key for decryption.
Really? I believed that for decryption the private key corresponding to this public key should be in the wallet.
Sry, yes;
after testing using my other wallets, it does require the prv key to decrypt the message.

This can work using an imported wallet with one dedicated private key for exchanging encrypted message.
Although, there's no real advantage over PGP/GPG.
legendary
Activity: 3710
Merit: 1586
The reason it doesn't get used as much is because it doesn't provide any benefits over GPG. GPG is actually more widespread and there is support in all email clients for it. With bitcoin only electrum supports it ATM.

Signing messages with addresses other than p2pkh ones is also not widely supported. So the authentication part is missing.

I'm not sure if ECDSA can be used to encrypt, I thought it was only possible to use it to sign with? (the DSA part breaks out as Digital Signature Algorithm)

Electrum uses something called ECIES. Only Electrum supports it though.
legendary
Activity: 1848
Merit: 2033
Crypto Swap Exchange
It's possible using Electrum's console.
In my opinion, this is easier to do in "Tools -> Encrypt/Decrypt message"
Quote
But it's not necessary to use your private key for decryption.
Really? I believed that for decryption the private key corresponding to this public key should be in the wallet.
legendary
Activity: 3430
Merit: 3080
there are so many similarities to PGP and Bitcoin. Is it possible to encrypt a message using my public key, and decrypt it using my private key? Like PGP does. It would be something very nice to do, as Bitcoin clients are much more common and widespread than PGP related software (also easier to use).

PGP/GPG is a good idea, but encrypting messages is only a small part of the concept.


The real idea is that it's basically a p2p id system, not just for encryption. It works like this:

  • Find people you know well
  • Get them using PGP
  • Put your public keys in a public place on internet
  • All your buddies attach a little text to your key, and sign the text with their key
  • The text should say something like "We went to school together since 5 years old", or "she's my aunt" etc

That's great for you guys, you all have cryptographically signed messages of everyone in your little group, saying how you know each other. Which is actually not so great, as you're just signing info all of you already know! Grin

But the power comes in later; when someone you don't know gets into the group, you're likely to trust your friend who signs their message that brings them into the group, and so you'll believe the message about how they know each other.

And if the newcomer is coming from another group of PGP buddies, then you have a link between your group and theirs, and you've got some kind of assurance that these people are who they say they are, and that they trust that about one another.

This is the so-called Web of Trust, and it never quite got moving. But, it does keep growing, and especially among computer programmers. The biggest group of PGP users who are all cross signing each others keys is around 60,000 or 70,000 people. A bit like with Bitcoin, more people doing the cross-signing thing makes the whole system stronger and more valuable. It's totally p2p, so just because the biggest group now is those 60,000 people, does not mean another big group couldn't grow to the same size (although there is a big incentive for the 2 group to merge, and nothing to stop 2 people from each big group cross-signing each others keys to make that merge happen, something a bit like that no doubt happened already)

PGP is a bit slow in development, and as you say, not the most user friendly. But you only have to learn it once, and you've got a different kind of infrastructure to Bitcoin, that's just as powerful, but for a different purpose.



Grin to answer the actual question though:

I'm not sure if ECDSA can be used to encrypt, I thought it was only possible to use it to sign with? (the DSA part breaks out as Digital Signature Algorithm)
legendary
Activity: 2170
Merit: 1789
-snip-

And it's already posted up there. Clue: #2nd post!

legendary
Activity: 1042
Merit: 2805
Bitcoin and C♯ Enthusiast
It would be nice to see one day people using bitcoin protocol to encrypt messages,

This is not related to bitcoin protocol, this is a standard scheme used in Elliptic Curve Cryptography. Since the private/public key pairs used in bitcoin are EC key pairs, ECIES scheme could be used with them.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
It's possible using Electrum's console.
But it's not necessary to use your private key for decryption.

Thank you. I will try later.

But this way it is far less secure... it would be good to encrypt with public key and decrypt with the private key, like PGP.

This will probably answer your question, in short it is possible, but not recommended as it encourages address reuse, could have privacy implications and could have interactions between protocols using the same key pairs.

Thank you.
The person who answered said that using systems that were actually designed for encryption is better... he is right ofc, but maybe an upgrade in bitcoin protocol in the future?
 It would be nice to see one day people using bitcoin protocol to encrypt messages, it could be easily done by users and would protect our privacy in our emails and other means of communication.

I don't see a problem with address re use here. You could use some addresses just for messaging, no big deal IMO.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
It's possible using Electrum's console.
But it's not necessary to use your private key for decryption.

If you want to try, let's just use this address' public key: 1HZwkjkeaoZfTSaJxDw6aKkxp45agDiEzN (leaked brainwallet address)
04a34b99f22c790c4e36b2b3c2c35a36db06226e41c692fc82b8b56ac1c540c5bd5b8dec5235a0f a8722476c7709c02559e3aa73aa03918ba2d492eea75abea235

Follow this syntax encrypt('public key', 'message to encrypt'), example:
Code:
encrypt('04a34b99f22c790c4e36b2b3c2c35a36db06226e41c692fc82b8b56ac1c540c5bd5b8dec5235a0fa8722476c7709c02559e3aa73aa03918ba2d492eea75abea235', 'Test message to a leaked brainwallet')

The result is this encrypted message:
Code:
"QklFMQNS2Vu/26J7IFisRNH1tfkeUN4lUpOTp+vxuYrmA8cSFWlsqVCnAgjFgsXPXJDC5ihC2KmJs+fm5zgPF/2/DUmnU/t50Tz6tse57diRZ6Byt4K49ZLSKtV53MHommmjDgPA4oabgIx7xLkFmZDH6bAr"
This should be given to the other party who already knew your public key.

Then he should use this syntax to decrypt the message decrypt('public key', 'encrypted message');
for the example above:
Code:
decrypt('04a34b99f22c790c4e36b2b3c2c35a36db06226e41c692fc82b8b56ac1c540c5bd5b8dec5235a0fa8722476c7709c02559e3aa73aa03918ba2d492eea75abea235', "QklFMQNS2Vu/26J7IFisRNH1tfkeUN4lUpOTp+vxuYrmA8cSFWlsqVCnAgjFgsXPXJDC5ihC2KmJs+fm5zgPF/2/DUmnU/t50Tz6tse57diRZ6Byt4K49ZLSKtV53MHommmjDgPA4oabgIx7xLkFmZDH6bAr")
Will result into: "Test message to a leaked brainwallet".

Manually highlight & copy the codes 'cause sometimes, a space will appear at the end if you double clicked it.
legendary
Activity: 4228
Merit: 1313
I was studying a little about PGP. I am a total newbie at it.

But there are so many similarities to PGP and Bitcoin. Is it possible to encrypt a message using my public key, and decrypt it using my private key? Like PGP does. It would be something very nice to do, as Bitcoin clients are much more common and widespread than PGP related software (also easier to use).

I would like to be able to encrypt my messages using bitcoin key pairs. It would be really useful.

Maybe in future Bitcoin signatures could even replace PGP signatures? Is there any discussion about this? Or is it technically impossible ? I searched but couldn't find any.


This will probably answer your question, in short it is possible, but not recommended as it encourages address reuse, could have privacy implications and could have interactions between protocols using the same key pairs.

https://bitcoin.stackexchange.com/questions/80638/how-would-one-encrypt-a-message-using-a-bitcoin-public-key-and-use-its-priva

You might want to check out bitmessage for something similar to what you are asking if you wish to see how it could be implemented:
https://github.com/Bitmessage/PyBitmessage
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
I was studying a little about PGP. I am a total newbie at it.

But there are so many similarities to PGP and Bitcoin. Is it possible to encrypt a message using my public key, and decrypt it using my private key? Like PGP does. It would be something very nice to do, as Bitcoin clients are much more common and widespread than PGP related software (also easier to use).

I would like to be able to encrypt my messages using bitcoin key pairs. It would be really useful.

Maybe in future Bitcoin signatures could even replace PGP signatures? Is there any discussion about this? Or is it technically impossible ? I searched but couldn't find any.
Jump to: