Board: Development & Technical Discussion
Topic: Re: Suggestion: Allow short messages to be sent together with bitcoins ?
Post by ByteCoin on 24/10/2010, 20:53:29 UTC
Merits: 2 from 1 user (merited by ETFbitcoin)
It would be unwise to have permanently recorded plaintext messages for everyone to see. It would be an accident waiting to happen.

What bad effect would you anticipate?

This is already sort-of possible with the current system due to the broadband subchannel in ECDSA.

I was looking for ways of distributing arbitrary information in the block chain to support the implementation of a full client which did not have to bother remembering the entire block chain.
See http://bitcointalk.org/index.php?topic=505.0 - a thread about "Balance Sheets"
A naive way of encoding the data would be based on sending money to a variety of addresses, the data to be decoded by examining, let's say, the first couple of bytes of the receiving addresses, but this is rather wasteful of bandwidth, with many transactions required to transmit relatively little data.

An interesting property of DSA is that if you're trying to sign a 32 byte message then each signature is 64 bytes long. This means that the signature includes 32 bytes of information just created out of thin air. If you look up the algorithm (http://en.wikipedia.org/wiki/Digital_Signature_Algorithm), this information comes from the random parameter k. A signature consists of a pair of numbers g^k and another expression involving both k and g^k. If you could choose k such that g^k contained your data then you could include your plaintext data in the block chain in great big chunks. (Un)Fortunately, doing this has to be hard, otherwise ECDSA is insecure.

However, if you effectively release the private key then everyone can, through some simple algebra, recover the k values used in all your signatures signed with that key. I was not the first to realize this. See http://en.wikipedia.org/wiki/Subliminal_channels.
If you've spent all the money associated with that key then you don't care about it anymore. (Of course if someone sends more money to that key then everyone will race to spend it!) So you can encode a load of data in some normal transactions for days or months or whatever and then effectively release your private key (for which there is an elegant method) and then all the data is plain to see.

Of course my "balance sheet" scheme does not suffer from this problem (if problem it is) so badly ;)

ByteCoin