Topic: When was a message signed. (Read 213 times)

I understand your idea, it's basically a commitment scheme that consists of two phases, commit and reveal, it's like writing a letter and putting it in a locked box, only to come in the future and reveal the key to that box, given that box has been there since 2012 for everyone to see, it's only becomes a matter of giving someone the keys so they can verify what is/was inside the message which you couldn't have changed since the box was put in place you can't access (in your example the transaction on the blockchain)

There is no parameter in the bitcoin signed message that will tell you exactly when it was signed. ECDSA does not have such a capability, and that's really all a signed message has. Like others said, the best you can do is add a date yourself, or a blockhash, or something else that could only be known at the time it was signed, to prevent backdating.

The main idea behind it is simple: you post a transaction on-chain, and then, it is possible to refer to that later. Which means, if there is some transaction from 2012, that is confirmed on-chain, which contains R-value, matching your commitment, then it is impossible, to change it now (in 2024), without re-mining all of those blocks, and changing R-value of that signature today.

Note that you don't have to make another payment, just to confirm some message, if you don't want to. It can be outsourced, one transaction is sufficient to confirm all pending commitments, regardless of their size, which means if it would be enforced on the protocol level, then mining pools can just be responsible for that, and provide that kind of service (and it would cost them zero additional on-chain bytes, because commitments could be stored by users, and they could provide just some 256-bit hashes, to be committed).

Oh, past that 100th block in your example this approach is no longer viable, if it's just a random message someone checking there would be no way to know the upper bound of the message, we would need a completely different approach to prove that after block 101 a message was indeed signed in block 50.

There should be some creative ways that won't be straightforward, maybe something like the above suggestion by vjudeu which I would need to evaluate in the time (3 am here)

Because you can write a double-spend. Which means, things are locked in, and you cannot modify something, which was committed on-chain. If you created a double-spend intentionally, and committed it into one of your signatures, then you can later reveal that commitment.

Maybe I should show you, how the whole proof could look like, if you use commitments. Getting it "technically correct" on some test network will take some time, so here is the draft:

1. Current block hash: 00000000000000000003a9044d0dffa7630a2b63b7631412cb5598eef7781488

This is easy, and can prove, that this message was written on 2024-01-03 23:09 UTC (or later, but not before that).

2. Transaction hash: 576a95899c537e861cac07d294228b703297938310b9d780aaef2bf28a6ab8bf

Then, you make sure, that this transaction is present on-chain, it is valid, and confirmed. You find my signature, and extract it:
And then, you look at R-value of that signature, and convert it into Taproot address: bc1pr2rp24s6rrauya94rkz09833rm5nm53y94t3q9yms93gdwccnyxsxseupy

Then, if I can provide you any matching TapScript, in that case I can include any proof. Which means, if that R-value was random, then I would be able to spend by key, but not by TapScript. But if I prepared it intentionally before, then I could reveal a TapScript, for example with 'OP_RETURN "Here is my proof"'. In that case, it would be impossible to abuse it, and post that commitment on-chain (because it starts with OP_RETURN), but at the same time, it would be possible, to prove later, that I didn't generate that message in 2028, because it would require going back into 2024, and modifying R-value of that specific transaction.

How does this prove you didn't sign the message after tomorrow night?

Let me confirm your thought:

• Include the current block hash to the message. This ensures you can't have signed it prior the current block's time.
• Create a transaction that cannot be mined until the next 100th block.
• Include its TXID to the message.
• Sign the message and tell everyone to wait up until that block.

So, how can people who see the message after that 100th block verify it was signed before it?

You can, but only if you plan a head before signing the message, otherwise, it's not possible.


You can use time-locked transaction to prove that you signed a message between two time intervals.

Say I have to sign a message tomorrow (not earlier and not later than tomorrow)

1- prove the lower bound on the signing time:

- I include the block hash of the first block tomorrow (this proves I couldn't have signed the message earlier than tomorrow)

2-prove the upper bound on the signing time

- I include the txid for a time-locked transaction that only unlocks tomorrow night which has not been included in a block yet (this proves I did not sign the message after tomorrow)

Given that not every node's clock is synced well with the rest, you are going to count on 'Bitcoin's Median Time Past', so this can't be narrowed down to the exact second, but is somewhat accurate.

Well, maybe not everything is lost. If you used some HD wallet (BIP-32 was created on 2012-02-11), or if you can gather the source of entropy, which was used to generate some transactions back then, in 2012, then this could be enough to prove, that your node generated a given transaction or address in the past. But I guess it is not easy, to recover that kind of information.

You cannot know when a message was signed, for the same reason you cannot know when key pairs (public key, private key) were generated; these are timeless operations. You can only prove that a message was signed after a certain date.

This does not preclude the possibility that you might have signed the message years before and are now publishing the signature.

You would need a reference regardless, to show as the proof, either it could be a third party, which would require that third party to be trusted to vouch for the time it saw your message or you could use crypto-mojo as mentioned by our friends.

However there is a simple non technical solution, just post half of the signature on a social media, or post on forum asking someone to quote it for you, plus many other ways, but I'm guessing this is related to puzzles, right?

It is better to tweak R-value of the signature, because then, nobody knows, if any commitment is included to a given transaction, or not.

Thank you i will be careful next times

Just sign an encrypted message. It will be broadcasted on the blockchain and nobody will read it. Once the time has come, just give us the decryption key. And we will read it then.

There is no way to alter the blockchain. And this is why Bitcoin is strong and secure

Edit: what vjudeu said does exactly what you want.

You don't need to include the message explicitly. All that is needed, is just replacing one random signature, with another random signature, with some offset. Then, it will be possible later to prove, that a given data is connected with a given signature, without revealing that data as a plain text, in the moment of creating it.

Which means, you can create a TapScript, with the content of "OP_RETURN ", and then convert your Taproot address, into R-value of your signature, and sign it. And because R-value of each signature, is just some public key, you can do so, with any address type you want, including P2PK.

Regarding broadcasting a message does it reveal it to the public anyone can see it without providing him the details of it? If yes its a problem. It should remain private but only expose when needed.

But again, you say it should be added to the code. How? I mean it existed in the code back then, but you didn't do it. I don't blame you, I just say that I don't think it's bitcoin's malfunction. The way blockchain works, as vjdue said, you would need to re-mine all these blocks. But these blocks have thousands of validations and confirmations... So...

Yes, that is exactly what i want to do. Impossible as you said.

Signing and Broadcasting are 2 completely different actions. Signing means you prove that you own a message. If you want to let people know when the message was signed you need to include it in the blockchain and broadcast it in a block.

At the same time, I don't understand what you wanna do. Did you sign a message in 2012 and you want to prove now that you signed it back then?

Because if so, you need to include it in a block mined in 2012. Which is impossible.

Oh, so what you want, is not a signature, but rather a commitment. Which means, you should instead point to your old transaction, for example from 2012, and reveal the data, that will match R-value of the public key, used in your signature.

And in that case, you can do that today, but not in 2012, because you would need to re-mine all blocks from 2012 to this date, to fake that kind of proof.

And yes, commitments cost money, but you can also ask someone to include a commitment to his transaction, because it would take zero additional on-chain bytes, because it is just about replacing one 256-bit number with another 256-bit number, so the size of the transaction stays the same.

I can sign a message like this right now with 2012 details. It still doesnt confirm it was signed in 2012. The point is the blockchain doesnt show when this message was signed or there was btc contract call to sign in a specific date.

Something like this must be added to the btc code.

Just sign something like this:

You can sign a message today that shows it was signed years ago. This means there's no any kind of proofs to prove q date of an old signed message?

Just include a block hash in your message. Then, it is guaranteed, that is was generated at that date, or later.

(and you can include something that has some confirmations, just to be safe from potential chain reorganizations)

How to verify to a court when was a bitcoin message signed any thing that proofs?