3

My first question is how to verify a signature using only r, s, the elliptic curve parameters, and an address (which is a hash of the public key, so the public key cannot be retrieved from the address)?

My next question is: why does Ethereum (and also Bitcoin, I think) use a hashed public key as an address instead of directly using the public key as an address?

Kronos

3 Answers

2
  1. In security terms:

The public key in all of the cryptography schemes is related to the private key. The only security measure that prevents a user from calculating your private key from your public key is the assumption that the discrete logarithm is "impossible to solve".

We all know that quantum cryptography is approaching more every day, and the problem that this introduces is that solving discrete logarithms is "easy" if you are running a quantum PC/CPU. So having the Pk, it'll be possible to get the Sk (private key).

In order to anticipate that, if you only have access to the hash of the Pk, you don't know it, so even with quantum crypto (as far as now it seems that quantum won't be able to pass hash functions that easily), you are secure.

More info about Hash functions resistance to quantum crypto here.

  2. In gas spending terms.

The length of a public key is so much bigger than its hash, which is always a 256 bit variable. So if you count all the transactions that are done in a day, you are saving a lot of gas on transactions, because the public keys would make the miners and the nodes process/store much more data because they are so much bigger than their hashes.

I can expand the explanation more if you need it, but essentially, this is it.

EDIT: As you're asking in the comments, here you have a topic which explains how to retrieve the Pk from its hash.

Get public key of any ethereum account

Hope it helps.

CPereez19
  • I am not asking how to retrieve the private key from the public key. I am asking how to verify a signature without the public key. Because the miner only knows its address, not the public key. But the address is truncated by the hash, so it is not possible to retrieve the public key from an address. – Kronos May 23 '18 at 12:34
  • 2
    @Kronos You're right, you can't get a public key from an address. But you can get the public key from a transaction sent by that address. So in practice, it is only possible to get the public key of an address if that address has sent at least 1 transaction. – Jesbus May 23 '18 at 13:13
  • Do you know how to get the public key from a tx? Because I also checked the transaction value using eth.getTransaction, but I don't see any clue to retrieve a public key from it. – Kronos May 23 '18 at 13:19
  • @JesseBusman is right, you retrieve it from the tx details; look at them in the logs or on Etherscan. One thing to add is that, as your question is formulated, the comment you left makes no sense. You asked why the Pk's are hashed, and this was the answer to that question. – CPereez19 May 23 '18 at 13:56
  • @CPereez19 What do Pk and Sk in your explanation stand for? As both "public key" and "private key" would abbreviate to "PK" or "pk", it's not so distinct to me. – TorstenS May 23 '18 at 15:22
  • https://crypto.stackexchange.com/questions/18105/how-does-recovering-the-public-key-from-an-ecdsa-signature-work this might be the answer to my question. – Kronos May 23 '18 at 15:41
  • @TorstenS since "private key" is also abbreviated as pk, you can't distinguish between the two. That's why private keys are called "secret key"s, abbreviated Sk – frarugi87 May 23 '18 at 15:46
  • @CPereez19 On Etherscan there are only addresses, block hash, tx hash and nonce, that's all. I still cannot understand how to get the public key from a tx. – Kronos May 23 '18 at 15:49
  • @Kronos this is what you're searching for: https://github.com/ethereum/EIPs/blob/master/EIPS/eip-55.md And I still think that I answered you correctly; your question wasn't how to retrieve the Pk from its hash. – CPereez19 May 24 '18 at 06:27
  • @CPereez19 A truncated hash doesn't add to the security, you have 2^160 addresses for like 2^256 private keys, meaning you have 2^96 private keys sharing the same address. – Ismael May 24 '18 at 17:34
  • @Ismael I'm talking about hash functions' resistance to quantum crypto vs. actual cryptosystems like ElGamal, Diffie-Hellman, ECDSA, DSA, RSA etc. Here you have a reference: https://crypto.stackexchange.com/questions/59375/are-hash-functions-strong-against-quantum-cryptography-and-or-independent-enough – CPereez19 May 24 '18 at 17:40
  • @CPereez19 Maybe for Bitcoin, where addresses only have one use, it makes sense, but for Ethereum it is kind of not very useful, because if you ever signed a transaction then anybody can calculate the public key. – Ismael May 24 '18 at 19:14
  • I'm not explaining well, as I see. Nowadays, if you have the public key, you can do almost nothing (a few complex traceability attacks exist but it's not the purpose to explain them). But apart from the memory saving (the hash is shorter than the Pk), with quantum crypto you can easily get the Sk from the Pk. With the H(Pk), you can do the transaction safely, and as you said, now your public address can be visible to anyone, so you can move the ether to another account and have it safe till the next transaction. That's why it is recommended not to reuse an account. – CPereez19 May 25 '18 at 09:44
  • @CPereez19 You say that the discrete logarithm for ECC is solved on quantum computers, so with Pk you easily obtain Sk. And with H(Pk) and a signed transaction you can apply ECDSA recover and get Pk trivially. So having H() applied does add to the security but only when you don't reuse addresses, ie Bitcoin. If you reuse addresses like in Ethereum it doesn't add to the security. – Ismael Jun 01 '18 at 04:42
2

Maybe this answer can help you - https://ethereum.stackexchange.com/a/33346/16729

The Ethereum security model relies on elliptic curve cryptography (ECC) to sign and validate transactions. In ECC, public and private keys are used to sign and verify. It has no concept of addresses. When signing and verifying transactions you do not need addresses. The original Bitcoin paper does not mention addresses at all. They appeared later in an effort to make them easier to remember (compressed public keys are 32 bytes vs. addresses at 20 bytes). Now you can completely hide the public key from user interaction and only have the private key and addresses. But internally Ethereum keeps using them to validate transactions.

Luiz Soares
  • "But internally keeps using them to validate Tx"... I still don't get it. Because the keystore folder (where the encrypted private key and public key are saved as a file) is only located on my node, not on every node. So how do other nodes know my public key to validate my transaction? – Kronos May 23 '18 at 13:27
  • There is a challenge where it talks about addresses and accounts. I can't read the thread yet because I didn't finish the challenge and I don't want to read spoilers. But I think it can be helpful to you. Here is the reddit: https://www.reddit.com/r/capturetheether/ – Luiz Soares May 23 '18 at 13:55
  • and here is the challenge: https://capturetheether.com/challenges/accounts/public-key/ – Luiz Soares May 23 '18 at 13:55
  • And I just found this: https://ethereum.stackexchange.com/questions/13778/get-public-key-of-any-ethereum-account/13892 – Luiz Soares May 23 '18 at 14:02
  • @Kronos Ethereum uses a mathematical property to recover the public key from a signed transaction and then derives the address by applying the hash function keccak256 (search ECDSA public key recover for the mathematical details). – Ismael May 24 '18 at 00:50
2

I found out myself how to recover the public key from a tx (signature, r and s) and its address.

First, here is how the signature is generated. The public key is B and the private key is d, where B = dA (multiplication on the elliptic curve). It is REALLY hard (or simple, because we don't know whether P=NP or not), so we cannot retrieve d from B and A.

enter image description here

The public key can be recovered as follows. The number of public key candidates is two, because we only know the x-coordinate of R. So it is easy to find which public key is the real one from the address.

enter image description here

The proof is as follows:

enter image description here

Please correct me if something is wrong. It seems that there is a useful function in https://github.com/cryptocoinjs/secp256k1-node, .recover(Buffer message, Buffer signature, Number recovery [, Boolean compressed = true]), to recover the public key.

Kronos
  • That's ECDSA based on the secp256k1 curve. You can only retrieve the info if you know the cyclic group generator period. Otherwise, nowadays it's impossible to get it. This is the same as saying on RSA that you can only get the message if you know the Sk, because the discrete logarithm is so hard to solve.

    Also, I should tell you that the Pk and Sk are points of the elliptic curve. From here is where pairings and other ZkSnarks main components are born.

    Here you have good lectures to learn about that.

    – CPereez19 May 25 '18 at 09:38
  • @CPereez19 That's right, I need to know which curve is used (all the parameters I need to know) to recover the public key. – Kronos May 25 '18 at 20:22
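
The recovery discussed in the last answer and its comments, as an added Python example that is not part of the original posts or of any project's code: it signs a message hash, derives both public key candidates from (r, s), and selects the one whose hash matches the address. The function names, the demo key, nonce and message are constructed for illustration, and hashlib.sha3_256 stands in for Keccak-256 (which hashlib does not provide), so the 20-byte addresses are not real Ethereum addresses.

```python
import hashlib
# secp256k1 parameters: field prime P, group order N, generator G (A in the answer)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# Constructed demo private key, nonce and message hash (a fixed nonce is for the demo only)
D, K, Z = 0xC0FFEE, 0x5EED, int.from_bytes(hashlib.sha256(b"constructed tx").digest(), "big")

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, p):  # double-and-add scalar multiplication (not constant time)
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def address(pub):  # last 20 bytes of the hash of x||y; stand-in hash, see lead-in
    raw = pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")
    return hashlib.sha3_256(raw).digest()[-20:]

def sign(d, z, k):  # textbook ECDSA: r = (kG).x mod N, s = k^-1 (z + r*d) mod N
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N

def candidates(z, r, s):  # both keys consistent with (r, s): Q = r^-1 (s*R - z*G)
    y = pow(r**3 + 7, (P + 1) // 4, P)      # square root works because P % 4 == 3
    if y * y % P != (r**3 + 7) % P:
        return []                           # r is not the x-coordinate of a curve point
    r_inv, out = pow(r, -1, N), []
    for ry in (y, P - y):                   # the two points R sharing x = r
        out.append(mul(r_inv, add(mul(s, (r, ry)), mul(N - z % N, G))))
    return out

def recover(z, r, s, addr):  # keep the candidate whose hash matches the address
    return next((q for q in candidates(z, r, s) if address(q) == addr), None)
```

Ethereum transactions carry a recovery value v alongside r and s that identifies which of the two points R was used, so nodes do not need to try both candidates.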