## If someone wanted to pretend to be Satoshi by posting a fake signature to defraud people how could they?

75

18

If a random fraudster wanted to post a bunch of mysterious ECDSA signatures that the public would believe came from Bitcoin's creator, in order to disrupt the Bitcoin market, extract money from people, or otherwise convince people to listen to them. How could they do that?

73

Unfortunately, given the public's limited of understanding of cryptography this is apparently an easy fraud to pull off.

The key trick is that non-technical people are prone to believe things that just sound jargony enough and that technical people tend to think they know a lot more than they actually do-- and so they're easily sent off into the weeds.

In cryptosystems the details are more important than you could possibly imagine. So all you have to do is make a forgery that works for a slightly modified cryptosystem and then lots of people who THINK they understand how ECDSA works will rush out to claim the result holds.

Most modifications that you can think of are sufficient to make the scheme insecure.

So, for example, a couple years ago Craig Wright claimed to 'prove he was Satoshi' by simply copying some pre-existing signatures out of the blockchain and posting somewhat obfuscated instructions on verifying them. It was figured out pretty quickly, but still managed to fool a lot of people-- they were too caught up in the mumbojumbo to think of the obvious. The "modification" in this case was that the message the scammer was claiming to sign just has no relationship to the message that was actually signed.

More recently it appears that someone attempted something similar again, but this time with 'signatures' that weren't from the blockchain... resulting in 'verification' from the developers of some BCH clients to an engineer at RedHat. But it turns out that, again, that the attempt was fake and people's partial but incomplete understanding of crypto burned them.

As Bitcoin developer Pieter Wuille notes "ECDSA signatures where the message isn't a hash and chosen by the "signer" are insecure."-- this time the scammer just published 'hash', r, s tuples. The hash part of ECDSA is integral to the algorithm. If the verifier doesn't run the hash themselves, the security properties of ECDSA don't hold and an existential forgery becomes trivial.

[This same vulnerability was baked into the original OP_DSV opcode in BCH-- it originally didn't hash the incoming data but left that up to the user-- but I reported it and they appear to have fixed it before deploying it.]

If the verifier doesn't perform the hash himself but just accepts a value given by the signer, he becomes susceptible to the following: Given public key P, pick random nonzero values a and b. Compute R=aG+bP. Now (R.x, R.x/b) is a valid signature under key P for "message-hash" (R.x*a/b).

This doesn't compromise the security of real ECDSA because you cannot find a message that hashes to a chosen (R.x*a/b) value.

People should be wary of obfuscated or overly technical 'proofs', -- things that look "like" a secure system but for some reason have people verifying it working with raw numbers or code. Well designed cryptographic software put in a lot of effort to avoid users being fooled by stunts like this. This stuff is tricky and anyone could be confused into accepting a false proof if they were convinced to effectively implement a bespoke cryptosystem themselves. A cryptosystem is not secure simply because you, personally, don't see how to break it.

Here an an example Sage script to produce forgeries that will fool someone that accepts an ECDSA 'signature' without hashing the message themselves. It works with any EC key, including one that the forger hasn't seen a signature from before.

F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
C = EllipticCurve ([F (0), F (7)])
G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
N = FiniteField (C.order())
P = P=-C.lift_x(0x11db93e1dcdb8a016b49840f8c53bc1eb68a382e97b1482ecad7b148a6909a5c) # block 9 coinbase payout key.
def forge(c, a=-1):  # Create a forged 'ECDSA'  (hashless) signature
# set a to something other than -1 to be less obvious
a = N(a)
R = c*G + int(a)*P
s = N(int(R.xy()[0]))/a
m = N(c)*N(int(R.xy()[0]))/a
print 'hash1 = %d'%m
print 'r1 = %d'%(int(R.xy()[0]))
print 's1 = %d'%s
for c in range(1,10):
forge(c)


This code produces fake forgeries of the sort that was used to trick people recently.

hash1 = 25292222169426362969760742810503101183086560848420849767135309758511048414376
r1 = 61518691557461623794232686914770715342344584505217074682876722883231084339701
s1 = 54273397679854571629338298093917192510492979773857829699728440258287077154636


why do you answer your own question? – Jerry Gao – 2018-11-17T23:21:31.423

17That's perfectly allowed on this site. Good questions and good answers are always welcome. – Jannes – 2018-11-17T23:44:52.733

it's impossible to fake signature. – Jerry Gao – 2018-11-18T00:30:12.547

7@Jerry Gao: G. Maxwell does not claim that you can fake signatures. He is explaining how someone could be tricked into thinking something was a real signature while it isn't – Pieter Wuille – 2018-11-18T03:35:57.607

what is G. Maxwell‘s claim? @pieter-wuille – Jerry Gao – 2018-11-18T08:54:23.300

2Mind boggles. What on earth would posses someone to even attempt to write code to determine "is this a valid signature of something" rather than "is this a valid signature of that"? Never mind that the answer they get for the former question is wrong; why is it even a question one would want to ask? – hmakholm left over Monica – 2018-11-18T14:49:18.133

6@HenningMakholm: Recently a well-known figure in Bitcoin space has released ECDSA signatures for an unknown message claiming that he'd reveal the message later. They were apparently expecting that people would assume that the signature would convince others of owning the corresponding private key. – Murch – 2018-11-18T15:24:33.643

1@Murch: I see. In light of the first few paragraphs in the answer that does make some sense. – hmakholm left over Monica – 2018-11-18T15:29:43.427

1@Murch This is a good post and an important contribution but it should be edited to clear out personal attacks and condescending language. A technical answer is all we need here, calling the entire community stupid is out of line for SE. – pinhead – 2018-11-18T16:12:13.820

4@HenningMakholm If you think about it, Digital signatures are kind of misnamed. A traditional signature doesn't do anything to bind the document it's written on, besides being written on it. A digital signature works a little more like a wax seal. :) In any case, for some reason an awful lot of people seem to get convinced by the 'signature of something' stated in proximity-- maybe following from a borrowed intuition of traditional signatures. – G. Maxwell – 2018-11-18T16:30:38.780

3@pinhead in no way does OP say that. Belittling accurate, truthful and technical posts by portraying them as offensive is a very common tactic in this space. Don't fall for that. People that don't know something (let alone an "entire community") are in no way being called stupid. – Jannes – 2018-11-18T16:44:50.630

OP_DSV opcode can still be attacked by H(m) == m !!!! – Jerry Gao – 2018-11-19T12:54:30.397

@JerryGao: If you have a question about OP_DSV, please feel free to open another topic. – Murch – 2018-11-19T15:14:07.900