Some magic? | Bitcointalksearch.org

arubi

jr. member

Activity: 31

Merit: 1

All 4 in the begnning are the same ( r=1, s=1), and all 8 afterwards are the same (r=4, s=4):

Code:

1b 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
1f 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
1c 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
20 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
1d 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
21 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
1e 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004
22 0000000000000000000000000000000000000000000000000000000000000004 0000000000000000000000000000000000000000000000000000000000000004

The first byte is something Core prepends to the signature, but is not part of it (it is not signed also)

amaclin

legendary

Activity: 1260

Merit: 1019

I do not know how the digest is calculated for bitcoin messages.
But your eight signatures do not seem "the same".
So, this is not real magic Grin

arubi

jr. member

Activity: 31

Merit: 1

How about some more related magic?

Code:

bitcoin-cli -testnet verifymessage n3pipvo2QLdpA7fT6rdxpK4SwtQMU7NjTW HwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= "more magic!"

But also..

Code:

moRMb9NywwQK11DGACpbyCnF9PHUYi4T8j GwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= "more magic!"

And even..

Code:

mhiPJJ6S8a4esoZ5vg7sLr8CUQ4ucAiJh4 IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= "more magic!"
mmXG3SFKMh97itFinputYGmTTamZ6aNWuW HAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= "more magic!"

Four addresses that return true for validating the same signature and message, this is expected, but then...

Code:

mfrhby2UMRhbRtH9b6eojUzJmKz2Cv3jeZ GwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mkgdQagihvyJ4p22iXuow9JefTfJMdEH1d HwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mxAbUQiehf7nNcxLQ7snrbwu2qA9qKSeEG HAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mzYEkoB9Mh4N376U4gVwL2MvQw9sJT1GB7 IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
miZSVBRAYM6M6YauJP9oF8jnsCewQjNDrU HQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mtbsZRThdRAX3A95HqhqQPiqQEntaHu5jj IQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
myJ2iF9WxfMmi71B25jMVX9wVzfkHiG9mg HgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"
mg28w5mhexA31huumnBVX4VvR9fRupSWot IgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ= "even more magic!"

arubi

jr. member

Activity: 31

Merit: 1

Quote from: amaclin on January 11, 2017, 06:31:36 AM

Quote from: arubi on January 11, 2017, 06:26:38 AM

So no actual checksig is being done, it's just push only script that anyone can spend (by knowing the preimage to the hash160 of the p2sh address!).

checksig is there

try to

Code:

decodescript 093006020101020101017CAC

because this script is also executed

Ah of course, my bad

I mistreated the whole script as the redeemscript.

2N1L2bubWhfQd7ZkV31fw9VnFt45bHGZ39n == p2sh(093006020101020101017CAC)

You're correct.

amaclin

legendary

Activity: 1260

Merit: 1019

Quote from: arubi on January 11, 2017, 06:26:38 AM

So no actual checksig is being done, it's just push only script that anyone can spend (by knowing the preimage to the hash160 of the p2sh address!).

checksig is there

try to

Code:

decodescript 093006020101020101017CAC

because this script is also executed

arubi

jr. member

Activity: 31

Merit: 1

mw1vkYok3eGrccuMx5Ztbj3RH6Pyrb8b8z ILuXAeNs5Huml35IlLrDRP2aMTjdSOH7Lcx2NzN6xdy1fvNlcluhEQdlcOE8l4TmsX5pXmvC/dXoa/pMenmBBx8= "thank you gmaxwell for passing this message for me: https://bitcointalksearch.org/topic/m.17330531. I have registered 'arubi' in bitcointalk."

Quote from: amaclin on January 08, 2017, 09:06:00 AM

even more ~~fucking~~ magic here:
testnet address: 2N1L2bubWhfQd7ZkV31fw9VnFt45bHGZ39n

I've spent couple of days to resolve the same problem as
https://github.com/bitcoin-core/secp256k1/issues/419
and finally got it
https://testnet.smartbit.com.au/tx/c6c232a36395fa338da458b86ff1327395a9afc28c5d2daa4273e410089fd433

~~The redeemScript in your transaction is :~~

Code:

21026D2204A9535443657A88A0724FBD49A0E78D305F50A82F2CC9DD9BEA10A6C5CD0C093006020101020101017CAC

~~Which is really :~~

Code:

0x21 026D2204A9535443657A88A0724FBD49A0E78D305F50A82F2CC9DD9BEA10A6C5CD
0x0C 093006020101020101017CAC

~~So no actual checksig is being done, it's just push only script that anyone can spend (by knowing the preimage to the hash160 of the p2sh address!)~~.

DuddlyDoRight

sr. member

Activity: 318

Merit: 260

You could probably make an attack using this by just implementing a passive handler in some mining software and having decent throughput to increase probability of being first if anyone ever uses it.

I was looking in to similar stuff a while back when I was basically fuzzing whitelisted blockchain scripts.. It kind of falls under the throughput prerequisite like double spending does though..

It'd probably be a waste of time though because only devs would put something like this out there and they wouldn't do it with anything profitable.. An attacker would be better off looking for memory corruption in block handlers of popular wallet software..

amaclin

legendary

Activity: 1260

Merit: 1019

even more ~~fucking~~ magic here:
testnet address: 2N1L2bubWhfQd7ZkV31fw9VnFt45bHGZ39n

I've spent couple of days to resolve the same problem as
https://github.com/bitcoin-core/secp256k1/issues/419
and finally got it
https://testnet.smartbit.com.au/tx/c6c232a36395fa338da458b86ff1327395a9afc28c5d2daa4273e410089fd433

gmaxwell

staff

Activity: 4284

Merit: 8808

Arubi doesn't have a bitcointalk account, and saw others being blamed for their transaction and asked me to post this:

Code:

mw1vkYok3eGrccuMx5Ztbj3RH6Pyrb8b8z H5Fm9/Ejebxv5KybIf+hUgGcubVp3B6bxcl7RVMLUS7EABFn75VsV+S+sNW5Oc02M/awPv8tHAeIS+PJtU5qVyA= "I am not amaclin :) : https://gist.github.com/fivepiece/f39de978f5fb94b08b54f33db5e42d9a  -  arubi"

piotr_n

legendary

Activity: 2053

Merit: 1356

aka tonikt

I found it interesting.
Thanks for starting this topic, @amaclin

It intrigued me how one can make a valid signature before having the message.
Thanks for explaining, @gmaxwell

amaclin

legendary

Activity: 1260

Merit: 1019

Quote from: DannyHamilton on December 28, 2016, 10:32:09 AM

But it wouldn't be the first time you posted something here wanting someone to explain

Is it forbidden by national laws, forum rules or religious ethics? Grin

Let's assume that I am a school teacher.
Most of teachers ask the questions already knowing the answers.
The best of them ask questions without a knowledge of correct answer.

The point is to teach the students about something new and interesting.
If you are not interested in bitcoin script abilities you can chat in 'Marketplace' section
of this forum about bitcoin price on exchanges.

By the way.
Can you explain in terms of addition/multiplication on EC how to create such address?
I am still looking for the answer.

DannyHamilton

legendary

Activity: 3472

Merit: 4801

Quote from: amaclin on December 28, 2016, 02:24:41 AM

Quote from: DannyHamilton on December 27, 2016, 08:28:35 PM

amaclin already knew all of this,

Not all, but the best way to study and teach is asking questions.

Quote from: DannyHamilton on December 27, 2016, 08:28:35 PM

and almost certainly created this transaction himself.

You are wrong.

Perhaps. Perhaps not. But it wouldn't be the first time you posted something here wanting someone to explain what you created rather than explaining it yourself.

Quote from: amaclin on December 28, 2016, 02:24:41 AM

You can google the txid and find the creator. His nickname is "arubi"

Certainly, but I can't tell whether you are "arubi" or not.

amaclin

legendary

Activity: 1260

Merit: 1019

Quote from: DannyHamilton on December 27, 2016, 08:28:35 PM

amaclin already knew all of this,

Not all, but the best way to study and teach is asking questions.

Quote from: DannyHamilton on December 27, 2016, 08:28:35 PM

and almost certainly created this transaction himself.

You are wrong.
You can google the txid and find the creator. His nickname is "arubi"

DannyHamilton

legendary

Activity: 3472

Merit: 4801

Quote from: gmaxwell on December 26, 2016, 05:38:33 PM

An ECDSA signature itself does not prove knowledge of a discrete log.

You can pick a random message and a random signature then compute the public key this signature,message pair would be valid for.

To accomplish this, you must-- of course-- make sure the message does not contain any commitment to the public key.

Bitcoin's signatures include a commitment to the scriptPubkey-- but nothing requires you to have the EC public key there.

This cute construction is not secure: if you'd seen that txn before confirmation you could have modified the destination and computed a new pubkey.

If you take a look at Roconnor's covenants post you'll see he uses the same kind of pubkey recovery to turn checksig into an operation for verifying a hash of the masked transaction-- which otherwise the script doesn't have access to.

amaclin already knew all of this, and almost certainly created this transaction himself.

Thank you for taking the time to explain it to everyone else that looks at this thread.

gmaxwell

staff

Activity: 4284

Merit: 8808

An ECDSA signature itself does not prove knowledge of a discrete log.

You can pick a random message and a random signature then compute the public key this signature,message pair would be valid for.

To accomplish this, you must-- of course-- make sure the message does not contain any commitment to the public key.

Bitcoin's signatures include a commitment to the scriptPubkey-- but nothing requires you to have the EC public key there.

This cute construction is not secure: if you'd seen that txn before confirmation you could have modified the destination and computed a new pubkey.

If you take a look at Roconnor's covenants post you'll see he uses the same kind of pubkey recovery to turn checksig into an operation for verifying a hash of the masked transaction-- which otherwise the script doesn't have access to.

amaclin

legendary

Activity: 1260

Merit: 1019

Can anyone explain the ~~magic~~ math in this transaction? Shocked

0895e97e9c4ce7ebe04e15e0835bb0788053fbfdbbb2f3f25f81631687d7b857

https://test.webbtc.com/script/0895e97e9c4ce7ebe04e15e0835bb0788053fbfdbbb2f3f25f81631687d7b857:0

Code:

OP_DUP
OP_HASH160
2ffb13a67da34b06da4297d9dc25e5953e658a7b
OP_EQUALVERIFY
OP_SWAP
OP_CHECKSIG

(I am too lazy to research everything myself. But this transaction is the most beautiful one in the blockchain I think)

Topic: Some magic? (Read 1923 times)