Topic: How to prove to someone that a Bitcoin address (or UTXO) belongs to you?

legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
There is only one certain way to prove ownership, and that is by giving your PRIVATE KEY to that someone.

If we're strictly talking about a certain way to prove ownership, then even giving the private key isn't enough. There are many cases where a user was tricked into downloading a fake/malicious wallet, where the thief could use it to prove ownership.

If you want to prove ownership of an address that has funds, you move the funds out first, and give out the private key, proving that at one point you possessed ownership of the previous address that had a balance.

Interesting idea, but it's not a foolproof idea due to the various hard-forks and altcoin claims with BTC addresses, where there are people who buy & sell old bitcoin addresses.
legendary
Activity: 1624
Merit: 2481
There is only one certain way to prove ownership, and that is by giving your PRIVATE KEY to that someone.

If we're strictly talking about a certain way to prove ownership, then even giving the private key isn't enough. There are many cases where a user was tricked into downloading a fake/malicious wallet, where the thief could use it to prove ownership.


If we are strictly talking about ownership (in terms of: I created the private key, it belongs to me), there is not a single method to absolutely be sure (in a bulletproof way).

A private key is not something one has, but something one knows. That's a big difference.

Proving ownership of a hardware token (e.g. a hardware token for PGP signing) can be done easily by signing messages.
But simply proving ownership of something you know is itself not possible (very strictly speaking).

Information (something you know) can be duplicated. Hardware tokens (something you have) can not. Or.. at least they should not be able to be duplicated.


However, I think this is going way too far.
As per OP's title the question is how to prove that an address belongs to you. And regarding this, anything is fine. A signed message (containing a random token + user not blatantly stupid enough to get phished) is the best way.
The question was not how to prove that one is the ONLY one who knows this private key. That's simply not possible.
copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
There is only one certain way to prove ownership, and that is by giving your PRIVATE KEY to that someone.

After that moment, both you and them become "owners" of that address as both of you control the ability to sign messages and move funds (if any exist). If one of you discards the private key, and has no physical/mental backup of it, nor any recollection, they lose ownership.
This is a very bad practice, and I think you should not do this under almost any circumstances.

Giving someone your private key can potentially make you look very bad in the future. For example if you publicly state a particular address belongs to you, and the third party later goes on to do some nasty illegal or harmful stuff and that address is involved in receiving or sending a payment for this stuff.


1) Having a signed message that belongs to that public hash does NOT prove you have ownership, it merely proves to someone that you possess that signed message, but you might or might not be the original actual signer or owner.
I alluded to this point previously.

A signed message could be the result of the real owner being tricked into signing a message, or the real owner colluding with a third party, attempting to fraudulently prove they own a UTXO/address they do not own.
sr. member
Activity: 462
Merit: 701
OK, I wrote this a bit too fast. I was thinking of creating a random walk for the birthday paradox on the hash of the signature in order to exploit the signature process, but it ends up solving the discrete log using classic random walks (of course, with the public key previously exposed). So it is not even necessary to create a random walk from the signature hash.
legendary
Activity: 1624
Merit: 2481
[...]  in order to prevent from a birthday paradox attack on the signature.

A birthday attack is applicable to hash functions, not encryption or signatures.

Further, with the birthday paradox you would calculate the probability of creating 2 messages which result in the same hash (any random hash!).
Not a second message with the same (given) hash which the signed one has.


This is not applicable in this case. Neither theoretically nor practically.
sr. member
Activity: 462
Merit: 701
Signing messages is fine to prove ownership.

Of course you wouldn't sign a message like "I own this address".
You would include your name, the current date and the reason for signing this message. And eventually even a random token from the person who wants you to prove the ownership.

Right, this is the right way to do it; however, it is better to define the full format of the message to sign (including restrictions on the fields) with the third party in order to prevent a birthday paradox attack on the signature.
legendary
Activity: 1624
Merit: 2481
I can't believe everyone got this wrong:

There is only one certain way to prove ownership, and that is by giving your PRIVATE KEY to that someone.

~snip~

If you want to prove ownership of an address that has funds, you move the funds out first, and give out the private key  [...]


Then a malicious actor just needs to gain access to your master public key (xpub) to derive all of your private keys belonging to this HD wallet (non-hardened only).


Signing messages is fine to prove ownership.

1) Having a signed message that belongs to that public hash does NOT prove you have ownership, it merely proves to someone that you possess that signed message, but you might or might not be the original actual signer or owner.
[...]
A good real life example of the misconceptions of 1 or 2 is all the OTC scams that take place, where the scammer is a man in the middle but appears to be an owner.

Of course you wouldn't sign a message like "I own this address".
You would include your name, the current date and the reason for signing this message. And eventually even a random token from the person who wants you to prove the ownership.

A MitM wouldn't be useful in any way here.

VTC
member
Activity: 84
Merit: 14
I can't believe everyone got this wrong:

There is only one certain way to prove ownership, and that is by giving your PRIVATE KEY to that someone.

After that moment, both you and them become "owners" of that address as both of you control the ability to sign messages and move funds (if any exist). If one of you discards the private key, and has no physical/mental backup of it, nor any recollection, they lose ownership.

1) Having a signed message that belongs to that public hash does NOT prove you have ownership, it merely proves to someone that you possess that signed message, but you might or might not be the original actual signer or owner.

2) Showing that a dust amount from that address has been sent to another address of someone's choice, does NOT prove you have ownership, it only proves that someone, but not necessarily you, is the owner.

A good real life example of the misconceptions of 1 or 2 is all the OTC scams that take place, where the scammer is a man in the middle but appears to be an owner.

If you want to prove ownership of an address that has funds, you move the funds out first, and give out the private key, proving that at one point you possessed ownership of the previous address that had a balance. (Warning: giving out a single private key and the xpub key for a non-hardened HD wallet derivation can lead to an attacker taking all your wallet funds)
sr. member
Activity: 462
Merit: 701
I would like to apologize if I was hurtful but I was a bit choked by the question of AntiMaxwellian.
Sorry.
staff
Activity: 4284
Merit: 8808
Please keep the thread on-topic. Insulting each other is not on-topic. (This message will self-destruct)
sr. member
Activity: 462
Merit: 701
I would have never known that signing is risky.

It is not, if you sign with reputedly secure software on a computer where you are alone (not subject to various side-channel attacks).
sr. member
Activity: 462
Merit: 701
I fail to see how such a thing could reverse two hashing functions.

You can use the magic Grover's algorithm and a partial RIPEMD160 round reversing (Biclique attack) to drastically decrease the complexity of finding collisions on RIPEMD160(SHA2(x))


You are way off.

https://www.scottaaronson.com/papers/qchvpra.pdf

In fact the O(2^(n/3)) cannot be achieved due to memory complexity (read this: https://eprint.iacr.org/2017/847.pdf).
But the Grover's algorithm optimization proposed by Inria's researchers can achieve O(2^(n/2.5)) with a feasible memory complexity (it still needs a few million dollars of investment just for the classic memory) and this algorithm has a very interesting feature: the complexity can be greatly reduced for multiple targets.
RIPEMD160 consists of 2 parallel and independent hashes that are merged with simple additions (mod 2^32) at the end, and this can be easily exploited to create an efficient multiple-target attack on the 2 independent hashes RIPEMD160_1(SHA2(x)) and RIPEMD160_2(SHA2(x)).
member
Activity: 700
Merit: 14
I would have never known that signing is risky.

Since you guys are talking about vulnerability when someone signs a bitcoin wallet address, can someone prove that by accessing the 1 BTC puzzle on this thread?

--> https://bitcointalksearch.org/topic/ok-heres-a-1btc-puzzle-5096267

The owner signed the wallet address so I want to see how you guys do it for those who are saying that there is a risk doing it. But if the only way of accessing it is using a powerful Quantum computer then I guess we are still a few years away to get our hands into QC.
sr. member
Activity: 462
Merit: 701
It is provably resistant to collision attacks up to 128 bits security, there is no way to manage a collision attack on such a huge search space.

You should claim the prize from the Clay Institute for this
sr. member
Activity: 462
Merit: 701
I fail to see how such a thing could reverse two hashing functions.

You can use the magic Grover's algorithm and a partial RIPEMD160 round reversing (Biclique attack) to drastically decrease the complexity of finding collisions on RIPEMD160(SHA2(x))

@aliashraf
I'm not saying that SHA-2 is vulnerable to all side-channel type attacks, only to the Meltdown attack (which is also considered a side-channel attack), and address generation is obviously vulnerable to nearly the same side-channel attacks as ECC.
legendary
Activity: 1456
Merit: 1175
Always remember the cause!
Neither QC nor any other technology could ever do anything about SHA256 because its search space is astronomical and beyond human technology. It is provably resistant to collision attacks up to 128 bits of security; there is no way to manage a collision attack on such a huge search space. Plus, it is not used in bitcoin for authentication purposes, hence its vulnerability to length extension attacks is irrelevant, and finally, the best public attacks break its preimage resistance for 52 out of 64 rounds, and going just one round higher is not considered feasible with current techniques, and reaching 54 rounds is another order of magnitude harder, and so on; by using sha256 twice, bitcoin practically resists 128 rounds against preimage attacks, which is another astronomical resistance index.

SHA256 is not vulnerable to any form of side-channel attack because of its deterministic nature as a hash function. Above thread @Jean_Luc has argued many times that potential vulnerability of ECC to side-channel attacks is just a general property and applicable to SHA-2 as well. This is not correct, side-channel attacks are effective in cryptography when multiple outputs for the same input(s) are possible and the attacker can narrow the search space by taking advantage of her knowledge about the implementation holes.

Comparing ECC security to SHA256 and asserting that they are equally safe is simply wrong. On one side, ECC has experienced a handful of side-channel attacks and belongs to a class of cryptographic algorithms that are basically vulnerable to this attack, and on the other side there is a QC-compatible algorithm (Shor) provably capable of solving the discrete-logarithm problem in feasible polynomial time/space. Whether QC becomes commercially available or not, it proves one point: cryptographic electronic signature algorithms are transient technologies for a specific state of technology and mathematics development, unlike strong hash functions.
legendary
Activity: 1624
Merit: 2481
Yes but if you manage to reverse the address hashing function, you will be able to get a very large number of public keys that match with the address

And how exactly do you think you are going to do that?

With quantum computing

It is a magic machine.
sr. member
Activity: 462
Merit: 701
I simply wanted to say there are valid mechanisms to discover a private key

OK.

Also, if SHA could be reversed, the attacker/thief would still need to reverse ECC as well to take user coins (ignoring the mining system being broken and a powerful quantum computer)

Yes but if you manage to reverse the address hashing function, you will be able to get a very large number of public keys that match with the address and it will drastically reduce the complexity of finding a matching private key.
legendary
Activity: 1456
Merit: 1175
Always remember the cause!
Also your argument proves to be wrong, considering how QC technology is under development right now: they scale qubit by qubit slowly but continuously. Once they've proved to be able to break ECDSA in like a couple of years, the bitcoin community would have enough time to enhance their cryptography scheme and users could gradually move their funds to new addresses.

So.. quantum computing will break ECDSA in like a couple of years? Wtf dude, what did you smoke?
Quantum computing is BY FAR not developed enough to be used for something useful yet. And it definitely won't be in 'a couple of years'..
I'm not saying QC is ready in a few years, not as confused as you, thank god

I mean QC will be developed enough sooner or later (put it few decades for instance) to break one ECC key in reasonable time window: 2 years or so e.g. A commercial QC with enough power to break a key in a long, still feasible, time window.

Look at the context, I'm arguing that breaking exposed pubkeys is the first damage that QC or any attack to ECC could ever cause.
For ordinary exposure of public keys in bitcoin transactions, the time window to cause any damage is very short and it is unlikely to have QC or any other technology coming from nowhere and managing for such a destructive attack. They'll begin with easier targets and the whole point of this discussion is discouraging bad practices that turn wallets to such targets. Period.
legendary
Activity: 1624
Merit: 2481
Also your argument proves to be wrong, considering how QC technology is under development right now: they scale qubit by qubit slowly but continuously. Once they've proved to be able to break ECDSA in like a couple of years, the bitcoin community would have enough time to enhance their cryptography scheme and users could gradually move their funds to new addresses.

There it is again. The magic everything-solving-machine called quantum computer

I like how people - who are extremely far away from that topic - believe that quantum computers are a magic machine which can solve almost any mathematical problem in a short amount of time.


So.. quantum computing will break ECDSA in like a couple of years? Wtf dude, what did you smoke?
Quantum computing is BY FAR not developed enough to be used for something useful yet. And it definitely won't be in 'a couple of years'..

Even if quantum computers would be ready to do that by then.. there first has to be an efficient algorithm developed. There aren't many quantum computing algorithms available yet..
It is not like you say 'Hey quantum computer, give me the private key of satoshi' and 10 minutes later you get the result.. It is slightly more complicated than that.. even if non-techy people like you can't believe it..