Is signing the message to claim MWC safe?

Chris Dev

May 31, 2019

We have received several questions about whether it is safe to sign the message you are given to prove ownership of Bitcoin when registering for MWC. I wanted to write up a quick article to explain why we chose the format we use and why there is nothing to worry about. We have been asked why the message includes a random string, and whether we could craft a random string such that, once the user signed it, we would somehow have revealed their private key or otherwise be able to transfer their Bitcoin to ourselves. Let's not even get into how unethical it would be to do such a thing, because it's a fair question and people should be very paranoid about protecting their BTC.

So, why did we choose this format? I have to admit that the idea that it would somehow be possible to craft a message enabling us to transfer users' BTC to ourselves never crossed my mind, and maybe it is something I should have considered. To the people who came up with this question, congratulations: it's very defensive thinking. But as you will see, even if we wanted to do something malicious, it wouldn't be possible.

Before we get into that part, let's talk about how we came up with the message format. The format we use to claim MWC is the following: MWC071919<random_number>_<timestamp>. The timestamp is the number of milliseconds since January 1st, 1970 (a very common way to represent a timestamp in programming). The format will look something like this:

MWC0719192867855213553800192_1559332717838

In this case, the random number was "2867855213553800192" and the timestamp was "1559332717838". Note that 071919 is the date that registration ends and is at the beginning of all the messages. I will also include the code that generates this message below. It is written in Java:

// Challenge = fixed prefix + random non-negative long + "_" + current time in ms since the epoch
challenge = "MWC071919"
        + (long) Math.floor(Math.abs((double) Long.MAX_VALUE * Math.random()))
        + "_" + System.currentTimeMillis();

So the first part of the string is self-explanatory; the two components that people are questioning are the timestamp and the random string.

First, the timestamp. We chose to include the timestamp as a measure that lets us see whether someone has tampered with the database. If we saw any sort of anomaly in the database, such as timestamps from outside the range in which registration was open, or anything else odd, we would be tipped off that something was wrong. So it's mostly to give us something to look for on our end.

Lastly, the random number. We included a random number in the message because it is fairly customary to do so in computer science. We call this message a challenge vector, hence the name of our variable, "challenge". If someone is going to prove ownership of a private key, the party requesting proof, in this case MWC, is known as the challenger. The challenger always generates the text that the private key owner is to sign. If the signer comes up with the challenge himself, it is much less convincing. One way to ensure that the signer has no idea what the challenge will be is to introduce a random string into the challenge vector. That's exactly what we did and, as I said, it never occurred to me that people would be concerned about this.

So, now that I have explained our format and the motivation behind it, I will explain why, even if we were malicious, there is nothing we could do to compromise anyone's BTC in any way. See this thread on Reddit: https://www.reddit.com/r/TREZOR/comments/bcs4oo/is_signing_signature_safe/

Someone asked the Trezor developers whether there was any risk in signing a message. Many people in that thread answered that the signer has nothing to worry about, but Trezor developer "Johoe" answered, "...the message you sign is guaranteed to be different from every transaction...". So even if we had tried to craft a message that could somehow compromise your private key, it would not be possible. While this answer was specific to Trezor, it holds true for signatures in general. Thanks for the great question and the opportunity to explain our thinking!
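An added Python example, not MWC's own code, covering both the challenge described above and Johoe's point: it issues and sanity-checks a challenge in the page's format, then builds the bytes a wallet hashes when signing a message, which always begin with a fixed magic prefix. Assumptions: the function names, the registration window bounds passed to check_challenge, the use of Python's secrets module in place of Math.random(), and that the wallet follows the standard Bitcoin signed-message format, which the page does not spell out.

```python
import hashlib
import re
import secrets
import time

# Bitcoin signed-message magic: 0x18 (= 24, the text's length) followed by the text.
MAGIC = b"\x18Bitcoin Signed Message:\n"
# Page format: MWC071919<random_number>_<timestamp in ms>
CHALLENGE_RE = re.compile(r"MWC071919(\d{1,19})_(\d{13})", re.ASCII)

def new_challenge(now_ms=None):
    """Challenger side: issue a fresh challenge (secrets replaces Math.random())."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    return f"MWC071919{secrets.randbelow(2**63)}_{now_ms}"

def check_challenge(challenge, open_ms, close_ms):
    """Return None if the stored challenge looks sane, else the anomaly found."""
    m = CHALLENGE_RE.fullmatch(challenge)
    if m is None:
        return "malformed"
    if int(m.group(1)) >= 2**63:
        return "random part out of range"
    if not open_ms <= int(m.group(2)) <= close_ms:
        return "timestamp outside registration window"
    return None

def compact_size(n):
    """Bitcoin length prefix; challenges are far below the 2-byte limit."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    raise ValueError("message too long for this example")

def signed_message_preimage(message):
    """Bytes a wallet hashes for signmessage: always led by MAGIC, whereas a
    legacy/SegWit v0 transaction signing preimage starts with its 4-byte version."""
    data = message.encode("utf-8")
    return MAGIC + compact_size(len(data)) + data

def signed_message_digest(message):
    """Double SHA-256 of the preimage: the 32 bytes the ECDSA signature covers."""
    pre = signed_message_preimage(message)
    return hashlib.sha256(hashlib.sha256(pre).digest()).digest()
```

Whatever random number the challenger picks, it only ever appears after the magic prefix and length byte, so it cannot turn the signed bytes into a transaction.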