fivepiece · November 4, 2020 01:30
diff --git a/sssbtctx.txt b/sssbtctx.txt
 self signed signature in a bitcoin transaction

 variables:

 P - pubkey for op_checksig
 d - discrete log for P

 k - nonce used in signing
 R - public point, discrete log is k
 r, s - signature
 m - transaction sighash


 1. choose k, choose s

 k = 9591D12AB6ED4CF74B6B660128CA6C18937F2493DC71EF30D89A55270C5573BF
 s = 2B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE

 2. calculate R

 ecmul(9591D12AB6ED4CF74B6B660128CA6C18937F2493DC71EF30D89A55270C5573BF)

 # ecmul
 # X : E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F93
 # Y : 9607543E15F426156259894CCFCE7DAD71A32692F27082DC4605F9382439EF37

 3. calcualte r

 mod(E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F93,n)
 r = E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F93

 (R.x == r because R.x < n)

 4. make r,s into a proper DER encoded signature

 3045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE

 5. append sighash type byte ALL ( 0x01 )

 3045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE01

 6. hash160 the signature||ALL string

 786FEA0912DA9E3BAB08BC7EE21C0053ACA84834

 7. make the scriptpubkey

 DUP HASH160 <hash160(signature)> EQUALVERIFY SWAP CHECKSIG

 76A914786FEA0912DA9E3BAB08BC7EE21C0053ACA84834887CAC

 8. wrap the scritpubkey in p2sh to make the address

 hash160(scriptpubkey) :
 3ECAA28CF126A4FB9BB42B73A8B21583C1ED6658

 HASH160 <hash160(scriptpubkey)> EQUAL :
 A9143ECAA28CF126A4FB9BB42B73A8B21583C1ED665887

 address:
 2MxyEdW3Jhr9RUjHHU9zeuY1WVtQUhjw3Em

 9. get an input to fund the address

 in  : '[{"txid":"0487cc19b31798b79b0033e457239b875e8f81d16ad2c2c30a8cbe175ddb8d9f","vout":1}]'
 out : '{"2MxyEdW3Jhr9RUjHHU9zeuY1WVtQUhjw3Em":"0.91932792"}'

 10. create a transaction paying to the p2sh address, and broadcast it

 02000000019f8ddb5d17be8c0ac3c2d26ad1818f5e879b2357e433009bb79817b319cc8704010000006b483045022100afd5b1b5cff45ffe352d801e1a884cb42353e1e9bfc48aee8ba7ba474ae7034e022043589c29a3588ad2432aae0dbd0fa4b682c60c62fc1504c095e01b8b2472dfee012103a94eb94f1a1453301961e42c43ecfef54dad387dca0d5a25bf35c59b9f23f4a4ffffffff0178c87a050000000017a9143ecaa28cf126a4fb9bb42b73a8b21583c1ed66588700000000

 txid : 0ea5595f97a6c549711447333c7d6c3696de8f93de781af14f4f870c2579056c

 11. get a new address to use as the recipient

 n3owYGPZzw2tPnX4ZwJJDvTKDqhzd8duHg

 12. begin assembling the redeeming transaction, the previous tx as input

 in  : '[{"txid":"0ea5595f97a6c549711447333c7d6c3696de8f93de781af14f4f870c2579056c","vout":0}]'
 out : '{"n3owYGPZzw2tPnX4ZwJJDvTKDqhzd8duHg":"0.91908773"}'

 02000000016c0579250c874f4ff11a78de938fde96366c7d3c3347147149c5a6975f59a50e0000000000ffffffff01a56a7a05000000001976a914f48935588356b8de00f22e585099667f4f350ca688ac00000000

 13. add the signature as a data output

 02000000016c0579250c874f4ff11a78de938fde96366c7d3c3347147149c5a6975f59a50e0000000000ffffffff02a56a7a05000000001976a914f48935588356b8de00f22e585099667f4f350ca688ac00000000000000004a6a483045022100e60bb3880002d7aab591313aee9329acd7bf853afc698462243cc1e46e721f9302202b7e151628aed2a6abf7158809cf4f3c762e7160f38b4da56a784d9045190cfe0100000000

 14. assemble the redeeming transaction's midstate

 02000000
 01
  6C0579250C874F4FF11A78DE938FDE96366C7D3C3347147149C5A6975F59A50E
  00000000
  1A
    76 A9 14 786FEA0912DA9E3BAB08BC7EE21C0053ACA84834 88 7C AC
  FFFFFFFF

 02
  A56A7A0500000000
  19
    76 A9 14 F48935588356B8DE00F22E585099667F4F350CA6 88 AC

  0000000000000000
  4A
    6A 48 3045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE01
 00000000
 01000000

 15. hash256 the midstate to get sighash

 z = D704348E246CA8AC41CC11C052B7DE326A64D7A0E525E46BA7156E86951D6EEF

 13. sign^H^H^H^H perform public key recovery on the signature and sighash and choose either of the pubkeys

 recover(z,r,s)

 # recover
 # X1 : 9CB019AB6BE9DEDAA5682E1EF11E00E2114309B65C238D81A8283D927EAA9CA6
 # Y1 : 4E793572BF6C2B1D0855CFA6BDBA31655FC76BD282FA3DF3FE21009D64E6B835
 #
 # X2 : D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437
 # Y2 : EE3CAF888D1A14BC16DE9AC04BB032D22BC234363EEC31894589A2E15BF50747

 pubkey : 03D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437

 16. assemble the redeeming transaction

 scriptsig :

 0x21 03D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437

 0x48 3045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE01

 0x1A 76A914786FEA0912DA9E3BAB08BC7EE21C0053ACA84834887CAC

 complete tx :

 02000000
 01
  6C0579250C874F4FF11A78DE938FDE96366C7D3C3347147149C5A6975F59A50E
  00000000
  86
    21
      03D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437
    48
      30
      45
        02
        21 00E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F93
        02
        20 2B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE
      01
    1A
      76A914786FEA0912DA9E3BAB08BC7EE21C0053ACA84834887CAC
  FFFFFFFF

 02
  A56A7A0500000000
  19
    76 A9 14 F48935588356B8DE00F22E585099667F4F350CA6 88 AC

  0000000000000000
  4A
    6A 48 3045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE01
 00000000

 17. broadcast!

 02000000016C0579250C874F4FF11A78DE938FDE96366C7D3C3347147149C5A6975F59A50E00000000862103D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437483045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE011A76A914786FEA0912DA9E3BAB08BC7EE21C0053ACA84834887CACFFFFFFFF02A56A7A05000000001976A914F48935588356B8DE00F22E585099667F4F350CA688AC00000000000000004A6A483045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE0100000000

 txid : 62ceac65c7e39ff2a64b1feeb650d13c86e1e859e2d6019feaf24ef952710e65


 ----

 * bonus

 can we get the private key for 03D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437 ?

 ((+-)s*k - z) * 1/r % n

 d1 = 911ED7109C4F07D577D271AA5D324574257AB0263B1A038CFF44237E2F7E41B3
 d2 = 33CDE7245693FD64E81D7E0FDBC9EA7D1F59E4C0F9EC643274EB5F327A9BF709

 ecmul(33CDE7245693FD64E81D7E0FDBC9EA7D1F59E4C0F9EC643274EB5F327A9BF709)

 # ecmul
 # X : D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437
 # Y : EE3CAF888D1A14BC16DE9AC04BB032D22BC234363EEC31894589A2E15BF50747

 pubkey : 03D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437

 we can do this because we know k.

 even with all of this, did we need to choose a k at all?
 we could have just used any valid point's X value for r.

 this is why the transaction is an anyonecanspend.
 once the input for the redeemscript is revealed on the network (the signature), anyone can change the outputs of the transaction and repeat steps 12 - 17.
 this double spend will be using a different public key for op_checksig (step 13, different z), and this could all be done without knowing any of the discrete logs.
	self signed signature in a bitcoin transaction

	variables:

	P - pubkey for op_checksig
	d - discrete log for P

	k - nonce used in signing
	R - public point, discrete log is k
	r, s - signature
	m - transaction sighash


	1. choose k, choose s

	k = 9591D12AB6ED4CF74B6B660128CA6C18937F2493DC71EF30D89A55270C5573BF
	s = 2B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE

	2. calculate R

	ecmul(9591D12AB6ED4CF74B6B660128CA6C18937F2493DC71EF30D89A55270C5573BF)

	# ecmul
	# X : E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F93
	# Y : 9607543E15F426156259894CCFCE7DAD71A32692F27082DC4605F9382439EF37

	3. calcualte r

	mod(E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F93,n)
	r = E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F93

	(R.x == r because R.x < n)

	4. make r,s into a proper DER encoded signature

	3045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE

	5. append sighash type byte ALL ( 0x01 )

	3045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE01

	6. hash160 the signature\|\|ALL string

	786FEA0912DA9E3BAB08BC7EE21C0053ACA84834

	7. make the scriptpubkey

	DUP HASH160 <hash160(signature)> EQUALVERIFY SWAP CHECKSIG

	76A914786FEA0912DA9E3BAB08BC7EE21C0053ACA84834887CAC

	8. wrap the scritpubkey in p2sh to make the address

	hash160(scriptpubkey) :
	3ECAA28CF126A4FB9BB42B73A8B21583C1ED6658

	HASH160 <hash160(scriptpubkey)> EQUAL :
	A9143ECAA28CF126A4FB9BB42B73A8B21583C1ED665887

	address:
	2MxyEdW3Jhr9RUjHHU9zeuY1WVtQUhjw3Em

	9. get an input to fund the address

	in : '[{"txid":"0487cc19b31798b79b0033e457239b875e8f81d16ad2c2c30a8cbe175ddb8d9f","vout":1}]'
	out : '{"2MxyEdW3Jhr9RUjHHU9zeuY1WVtQUhjw3Em":"0.91932792"}'

	10. create a transaction paying to the p2sh address, and broadcast it

	02000000019f8ddb5d17be8c0ac3c2d26ad1818f5e879b2357e433009bb79817b319cc8704010000006b483045022100afd5b1b5cff45ffe352d801e1a884cb42353e1e9bfc48aee8ba7ba474ae7034e022043589c29a3588ad2432aae0dbd0fa4b682c60c62fc1504c095e01b8b2472dfee012103a94eb94f1a1453301961e42c43ecfef54dad387dca0d5a25bf35c59b9f23f4a4ffffffff0178c87a050000000017a9143ecaa28cf126a4fb9bb42b73a8b21583c1ed66588700000000

	txid : 0ea5595f97a6c549711447333c7d6c3696de8f93de781af14f4f870c2579056c

	11. get a new address to use as the recipient

	n3owYGPZzw2tPnX4ZwJJDvTKDqhzd8duHg

	12. begin assembling the redeeming transaction, the previous tx as input

	in : '[{"txid":"0ea5595f97a6c549711447333c7d6c3696de8f93de781af14f4f870c2579056c","vout":0}]'
	out : '{"n3owYGPZzw2tPnX4ZwJJDvTKDqhzd8duHg":"0.91908773"}'

	02000000016c0579250c874f4ff11a78de938fde96366c7d3c3347147149c5a6975f59a50e0000000000ffffffff01a56a7a05000000001976a914f48935588356b8de00f22e585099667f4f350ca688ac00000000

	13. add the signature as a data output

	02000000016c0579250c874f4ff11a78de938fde96366c7d3c3347147149c5a6975f59a50e0000000000ffffffff02a56a7a05000000001976a914f48935588356b8de00f22e585099667f4f350ca688ac00000000000000004a6a483045022100e60bb3880002d7aab591313aee9329acd7bf853afc698462243cc1e46e721f9302202b7e151628aed2a6abf7158809cf4f3c762e7160f38b4da56a784d9045190cfe0100000000

	14. assemble the redeeming transaction's midstate

	02000000
	01
	6C0579250C874F4FF11A78DE938FDE96366C7D3C3347147149C5A6975F59A50E
	00000000
	1A
	76 A9 14 786FEA0912DA9E3BAB08BC7EE21C0053ACA84834 88 7C AC
	FFFFFFFF

	02
	A56A7A0500000000
	19
	76 A9 14 F48935588356B8DE00F22E585099667F4F350CA6 88 AC

	0000000000000000
	4A
	6A 48 3045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE01
	00000000
	01000000

	15. hash256 the midstate to get sighash

	z = D704348E246CA8AC41CC11C052B7DE326A64D7A0E525E46BA7156E86951D6EEF

	13. sign^H^H^H^H perform public key recovery on the signature and sighash and choose either of the pubkeys

	recover(z,r,s)

	# recover
	# X1 : 9CB019AB6BE9DEDAA5682E1EF11E00E2114309B65C238D81A8283D927EAA9CA6
	# Y1 : 4E793572BF6C2B1D0855CFA6BDBA31655FC76BD282FA3DF3FE21009D64E6B835
	#
	# X2 : D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437
	# Y2 : EE3CAF888D1A14BC16DE9AC04BB032D22BC234363EEC31894589A2E15BF50747

	pubkey : 03D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437

	16. assemble the redeeming transaction

	scriptsig :

	0x21 03D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437

	0x48 3045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE01

	0x1A 76A914786FEA0912DA9E3BAB08BC7EE21C0053ACA84834887CAC

	complete tx :

	02000000
	01
	6C0579250C874F4FF11A78DE938FDE96366C7D3C3347147149C5A6975F59A50E
	00000000
	86
	21
	03D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437
	48
	30
	45
	02
	21 00E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F93
	02
	20 2B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE
	01
	1A
	76A914786FEA0912DA9E3BAB08BC7EE21C0053ACA84834887CAC
	FFFFFFFF

	02
	A56A7A0500000000
	19
	76 A9 14 F48935588356B8DE00F22E585099667F4F350CA6 88 AC

	0000000000000000
	4A
	6A 48 3045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE01
	00000000

	17. broadcast!

	02000000016C0579250C874F4FF11A78DE938FDE96366C7D3C3347147149C5A6975F59A50E00000000862103D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437483045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE011A76A914786FEA0912DA9E3BAB08BC7EE21C0053ACA84834887CACFFFFFFFF02A56A7A05000000001976A914F48935588356B8DE00F22E585099667F4F350CA688AC00000000000000004A6A483045022100E60BB3880002D7AAB591313AEE9329ACD7BF853AFC698462243CC1E46E721F9302202B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE0100000000

	txid : 62ceac65c7e39ff2a64b1feeb650d13c86e1e859e2d6019feaf24ef952710e65


	----

	* bonus

	can we get the private key for 03D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437 ?

	((+-)sk - z) 1/r % n

	d1 = 911ED7109C4F07D577D271AA5D324574257AB0263B1A038CFF44237E2F7E41B3
	d2 = 33CDE7245693FD64E81D7E0FDBC9EA7D1F59E4C0F9EC643274EB5F327A9BF709

	ecmul(33CDE7245693FD64E81D7E0FDBC9EA7D1F59E4C0F9EC643274EB5F327A9BF709)

	# ecmul
	# X : D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437
	# Y : EE3CAF888D1A14BC16DE9AC04BB032D22BC234363EEC31894589A2E15BF50747

	pubkey : 03D7C7707ED981A587C54CD1BEFF8362002C3CEF83A67E1DF2EDD2CD5CD0CD0437

	we can do this because we know k.

	even with all of this, did we need to choose a k at all?
	we could have just used any valid point's X value for r.

	this is why the transaction is an anyonecanspend.
	once the input for the redeemscript is revealed on the network (the signature), anyone can change the outputs of the transaction and repeat steps 12 - 17.
	this double spend will be using a different public key for op_checksig (step 13, different z), and this could all be done without knowing any of the discrete logs.