Skip to content

Instantly share code, notes, and snippets.

@fivepiece
Last active November 4, 2020 01:30
Show Gist options
  • Save fivepiece/f39de978f5fb94b08b54f33db5e42d9a to your computer and use it in GitHub Desktop.
Save fivepiece/f39de978f5fb94b08b54f33db5e42d9a to your computer and use it in GitHub Desktop.
self signed sigs in btc tx
self signed signature in a bitcoin transaction
variables:
P - pubkey for op_checksig
d - discrete log for P
k - nonce used in signing
R - public point, discrete log is k
r, s - signature
m - transaction sighash
1. choose k, choose s
k = 9591D12AB6ED4CF74B6B660128CA6C18937F2493DC71EF30D89A55270C5573BF
s = 2B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE
2. calculate R
ecmul(9591D12AB6ED4CF74B6B660128CA6C18937F2493DC71EF30D89A55270C5573BF)
# ecmul
# X : E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F93
# Y : 9607543E15F426156259894CCFCE7DAD71A32692F27082DC4605F9382439EF37
3. calcualte r
mod(E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F93,n)
r = E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F93
(R.x == r because R.x < n)
4. make r,s into a proper DER encoded signature
3045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE
5. append sighash type byte ALL ( 0x01 )
3045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE01
6. hash160 the signature||ALL string
786FEA0912DA9E3BAB08BC7EE21C0053ACA84834
7. make the scriptpubkey
DUP HASH160 <hash160(signature)> EQUALVERIFY SWAP CHECKSIG
76A914786FEA0912DA9E3BAB08BC7EE21C0053ACA84834887CAC
8. wrap the scritpubkey in p2sh to make the address
hash160(scriptpubkey) :
3ECAA28CF126A4FB9BB42B73A8B21583C1ED6658
HASH160 <hash160(scriptpubkey)> EQUAL :
A9143ECAA28CF126A4FB9BB42B73A8B21583C1ED665887
address:
2MxyEdW3Jhr9RUjHHU9zeuY1WVtQUhjw3Em
9. get an input to fund the address
in : '[{"txid":"0487cc19b31798b79b0033e457239b875e8f81d16ad2c2c30a8cbe175ddb8d9f","vout":1}]'
out : '{"2MxyEdW3Jhr9RUjHHU9zeuY1WVtQUhjw3Em":"0.91932792"}'
10. create a transaction paying to the p2sh address, and broadcast it
02000000019f8ddb5d17be8c0ac3c2d26ad1818f5e879b2357e433009bb79817b319cc8704010000006b483045022100afd5b1b5cff45ffe352d801e1a884cb42353e1e9bfc48aee8ba7ba474ae7034e022043589c29a3588ad2432aae0dbd0fa4b682c60c62fc1504c095e01b8b2472dfee012103a94eb94f1a1453301961e42c43ecfef54dad387dca0d5a25bf35c59b9f23f4a4ffffffff0178c87a050000000017a9143ecaa28cf126a4fb9bb42b73a8b21583c1ed66588700000000
txid : 0ea5595f97a6c549711447333c7d6c3696de8f93de781af14f4f870c2579056c
11. get a new address to use as the recipient
n3owYGPZzw2tPnX4ZwJJDvTKDqhzd8duHg
12. begin assembling the redeeming transaction, the previous tx as input
in : '[{"txid":"0ea5595f97a6c549711447333c7d6c3696de8f93de781af14f4f870c2579056c","vout":0}]'
out : '{"n3owYGPZzw2tPnX4ZwJJDvTKDqhzd8duHg":"0.91908773"}'
02000000016c0579250c874f4ff11a78de938fde96366c7d3c3347147149c5a6975f59a50e0000000000ffffffff01a56a7a05000000001976a914f48935588356b8de00f22e585099667f4f350ca688ac00000000
13. add the signature as a data output
02000000016c0579250c874f4ff11a78de938fde96366c7d3c3347147149c5a6975f59a50e0000000000ffffffff02a56a7a05000000001976a914f48935588356b8de00f22e585099667f4f350ca688ac00000000000000004a6a483045022100e60bb3880002d7aab591313aee9329acd7bf853afc698462243cc1e46e721f9302202b7e151628aed2a6abf7158809cf4f3c762e7160f38b4da56a784d9045190cfe0100000000
14. assemble the redeeming transaction's midstate
02000000
01
6C0579250C874F4FF11A78DE938FDE96366C7D3C3347147149C5A6975F59A50E
00000000
1A
76 A9 14 786FEA0912DA9E3BAB08BC7EE21C0053ACA84834 88 7C AC
FFFFFFFF
02
A56A7A0500000000
19
76 A9 14 F48935588356B8DE00F22E585099667F4F350CA6 88 AC
0000000000000000
4A
6A 48 3045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE01
00000000
01000000
15. hash256 the midstate to get sighash
z = D704348E246CA8AC41CC11C052B7DE326A64D7A0E525E46BA7156E86951D6EEF
13. sign^H^H^H^H perform public key recovery on the signature and sighash and choose either of the pubkeys
recover(z,r,s)
# recover
# X1 : 9CB019AB6BE9DEDAA5682E1EF11E00E2114309B65C238D81A8283D927EAA9CA6
# Y1 : 4E793572BF6C2B1D0855CFA6BDBA31655FC76BD282FA3DF3FE21009D64E6B835
#
# X2 : D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437
# Y2 : EE3CAF888D1A14BC16DE9AC04BB032D22BC234363EEC31894589A2E15BF50747
pubkey : 03D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437
16. assemble the redeeming transaction
scriptsig :
0x21 03D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437
0x48 3045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE01
0x1A 76A914786FEA0912DA9E3BAB08BC7EE21C0053ACA84834887CAC
complete tx :
02000000
01
6C0579250C874F4FF11A78DE938FDE96366C7D3C3347147149C5A6975F59A50E
00000000
86
21
03D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437
48
30
45
02
21 00E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F93
02
20 2B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE
01
1A
76A914786FEA0912DA9E3BAB08BC7EE21C0053ACA84834887CAC
FFFFFFFF
02
A56A7A0500000000
19
76 A9 14 F48935588356B8DE00F22E585099667F4F350CA6 88 AC
0000000000000000
4A
6A 48 3045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE01
00000000
17. broadcast!
02000000016C0579250C874F4FF11A78DE938FDE96366C7D3C3347147149C5A6975F59A50E00000000862103D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437483045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE011A76A914786FEA0912DA9E3BAB08BC7EE21C0053ACA84834887CACFFFFFFFF02A56A7A05000000001976A914F48935588356B8DE00F22E585099667F4F350CA688AC00000000000000004A6A483045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE0100000000
txid : 62ceac65c7e39ff2a64b1feeb650d13c86e1e859e2d6019feaf24ef952710e65
----
* bonus
can we get the private key for 03D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437 ?
((+-)s*k - z) * 1/r % n
d1 = 911ED7109C4F07D577D271AA5D324574257AB0263B1A038CFF44237E2F7E41B3
d2 = 33CDE7245693FD64E81D7E0FDBC9EA7D1F59E4C0F9EC643274EB5F327A9BF709
ecmul(33CDE7245693FD64E81D7E0FDBC9EA7D1F59E4C0F9EC643274EB5F327A9BF709)
# ecmul
# X : D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437
# Y : EE3CAF888D1A14BC16DE9AC04BB032D22BC234363EEC31894589A2E15BF50747
pubkey : 03D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437
we can do this because we know k.
even with all of this, did we need to choose a k at all?
we could have just used any valid point's X value for r.
this is why the transaction is an anyonecanspend.
once the input for the redeemscript is revealed on the network (the signature), anyone can change the outputs of the transaction and repeat steps 12 - 17.
this double spend will be using a different public key for op_checksig (step 13, different z), and this could all be done without knowing any of the discrete logs.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment