Topic: How does one derive a SegWit address from a legacy address? [0.001 BTC Reward!] (Read 456 times)

Well, I said "not exactly" so it is somewhat correct and when I said "false" I mostly meant the second part of what I quoted.
But basically when you are talking about elliptic curves in general, G is simply a point on the curve. In a specific curve like secp256k1 which bitcoin uses, there is only one G that is used as a standard for that curve.

@Coding Enthusiast Thanks for being more precise and correcting me. I would like to clear up few more things from what I have read.

So, you do say that they are not constant. But from what I have read in Mastering Bitcoin Book, the author says that "G is a constant point and they are always same for all keys in bitcoin."

Thanks for clearing it up. I was completely unaware of the weight, although I have read that segwits fees are calculated based on the virtual size of the tx.

https://gyazo.com/72b4eb7abbdc286520535da7cbea1648

Worked like a charm. Thank you so much!

As far as I understand the algorithm, there is only one possible P2SH-P2WPKH with current and only witness program version and that's what this code is giving you.

Cool. I'm currently installing both VS and .NET Core.

I have a question: since a legacy address corresponds to several SegWit addresses, how does your program know which one to get? I specifically need a way to derive 3H2miXstFo3jRFfz5ekcdZJNMfGSYHeNvB from the 1XXX address. Is this doable?

I've added the files I mentioned above with a release which you don't have to use if you compile it yourself.
I've also added a bunch of comments in the main function to clarify what is happening. The rest of the code is also fully documented (since I copied them over from my main library project) so the functions purposes should be clear enough.

Thank you very much! I've never run something like this before, so I'm currently installing Visual Studio to open this up. Feel free to drop your bitcoin address anytime. If this works, I'll update the thread. I appreciate it!

Here you go. https://github.com/Coding-Enthusiast/AddrConverter (going to add ReadMe, License and release in a minute)
And don't worry about "reward".

That would be a massive help! If you can code up something that links the two addresses, or point me towards an online resource that does the job, it would be amazing. You'll get the reward as well, if you care for that sort of thing  Bless you!

Well those applications all have the code to do all these stuff but they don't usually expose the functions through any kind of CLI because it is not used. You'll have to write something yourself. I can put together something for you in c# for the first part only (not the public key recovery) if you like.

Thanks. So I'm trying to figure out how to do the first method, but I'm not sure which app or website to input the steps in. I tried it in Bitcoin Core and coinb.in; didn't seem to work. Please do excuse my ineptitude.

Things you can not do:
- Get the 1xxx address from 3xxx address
Things you can do:
- Get the 3xxx address from the 1xxx address¹
- Get either 1xxx or 3xxx or basically anything else if you have published a signature with a message that you signed (this includes transactions that were spent from that key)!²

Here are the steps for (1)
1. Having the address starting with 1, perform a Base58check_decode on it to get the byte array remove the first byte as it is the version byte. The next 20 bytes are the hash160 (you can also open the address in blockchain.com explorer and it shows you the hash160 result!)
2. Write the "witness script" for the current version of SegWit which is
3. Perform HASH160 hash on the result of step 2
4. Append the P2SH version byte (=0x05) to the beginning of the result of step 3 and perform a Base58Check_encode on the result
=> now you have your P2SH-P2WPKH address that starts with 3.

Here are the steps for (2):
1. Decode your signature (base-64) and throw away the first byte. Then your first 32 bytes are your r value in little-endian order and the second one is s.
2. Append the default message to  your message (Bitcoin Signed Message:\n) with its length. Compute double SHA256 of it. This is the "message".
3. Recover your public key by knowing (r,s) and message. (I haven't released my library yet to add that as a reference but you should be able to find  this option in any library such as OpenSSL that has ECDSA capabilities)
4. Perform HASH160 on the compressed public key as bytes.
5. Feed it to step 2 of above.

This is the reference but in my opinion it is very vague: https://bitcoincore.org/en/segwit_wallet_dev/

Damn, that sucks.

Welp, for the next 24 hours, I'll give a 0.001 BTC reward to anyone who can figure out how to link the 1XXX address to the 3XXX address without me having to retrieve the Ledger from its stored location. I sure as hell can't figure it out; maybe someone else can. The reward will expire after a day, because I may want to spend my money after that 

Standards for Efficient Cryptography SEC 1: Elliptic Curve Cryptography
Section 4.1.6 Public Key Recovery Operation (Page 47)

I honestly don't know. I still have not been able to figure out how this particular type of address is derived from keys.

That's pretty cool, thanks.

So I've been Googling around. Using validateaddress in Bitcoin Core gives me "scriptPubKey": "a914a84658b58e2bd0e62bfb1905dfcc19415bf99ff387" when I submit the address 3H2miXstFo3jRFfz5ekcdZJNMfGSYHeNvB. I wonder if this has any relation to the public key or the 1XXX address.

Just curious, is there any documentation as to how you just did that?

I have actually never had the chance to learn how nested-SegWit addresses work. But since they are derived from one public key and by publishing your signature + your address (1xxx) you are revealing your public key, it should not be hard to get the 3xxx address from it.
The public key of the address you linked is:

Thank you, this is the closest thing to the answer I'm looking for in the thread.

Another question: I've locked up my Ledger for the time being. Is it possible to prove the link between the 1XXX address and the 3XXX address without having to re-sign another transaction?

By the way, here is the signature in question: https://bitcointalksearch.org/topic/m.50361478

This part is false.
G is not exactly a "constant" and is not derived from the curve. G is one of the point on the curve that we have chosen as the "generator" of the curve. And that means multiplying any value from 1 to order of G yields another point (not a string of characters!!) on the curve which would be your public key. And that is the basic of asymmetric cryptography.

This is false. Legacy transactions don't have higher size, they have higher weight.

FTFY

This if false. The number of characters can be different and it is between 25-34.
58 is the total number of characters in the base we are encoding this to. eg. Base-16 has 16 characters.

---

In any case to answer OP's question the problem is that when you are proving ownership of an address, what you really are doing is that you are creating a signature similar to when you sign a transaction. And when others verify that, what they really do is that they recover your public key from that signature then verify whether it is valid or not.
Where does address come in? Basically nowhere. We also include the address because when they recover your public key from your signature they might end up with multiple possible public keys, including the address helps narrow the possibilities down to only 1.
What about SegWit addresses come in? The problem is that there still is no standard for them. I saw one of these hardware wallets (Trezor?) had a personal defined standard where they added 1 byte to the first byte of the signatures. But apart from that, you won't find anything globally accepted.

Since this IS possible your only option is to ask the wallet developers to add such functionality for you or come to some sort of agreement with the other party you are trying to do a "proof of funds" with to come up with some sort of standard like sending a transaction out of the address with a message attached would work but it will cost you fees.

Oh sorry, I actually thought you were talking about Electrum instead of Ledger for some reason. Exporting the private key to sign it in a different wallet would break your hardware wallet security. So that’s not recommended.