Is it secure to sign only the output part of a transaction in blockchain?

Jerryjian
Feb 2, 2021

What do signing and verifying mean?

Signing: If Alice wants to sign a document F (or any digital file), she needs her private key sk, which she uses to perform a computation over the original file F. The result is the signed file signed_F = sign(F, sk). Signing therefore means that this file belongs to Alice or that Alice agrees with it, or more specifically, that Alice agrees with the content of this file.

Verifying: If Bob or anyone else wants to verify that this file was signed by Alice, they need the original file F, the signed file signed_F and Alice’s public key pk. With these three elements, anyone can check whether Alice signed the file.

Why do we need a signing method in blockchain?

In the blockchain world, we assume nobody is trusted. Imagine this situation: we, as a miner, receive a transaction message that says ‘Alice sends Bob 1 BTC’. Should we include this transaction in the block? Of course not, since we do not know who sent this message. Was it sent by Alice? Bob? Someone else? We have no idea.

However, suppose we, still as a miner, receive the transaction message ‘Alice sends Bob 1 BTC’ together with the signed version of this message and Alice’s public key. With these three elements, we can check whether this transaction was sent by Alice. If it was, we can include it in the new block being mined. Otherwise, the transaction is invalid and no miner would care about it.

In this way, only Alice can send a transaction message of the form ‘Alice sends someone some BTC’, because only Alice has the private key needed to sign it. Nobody else can forge that.

What’s the difference between signing the whole transaction and signing the output only?

A transaction may contain the following information: a transaction id tx_id (every transaction needs a unique id), an input UTXO id input_id (which UTXO this transaction spends), an output address (the receiver’s address), an output amount (the transfer amount), etc. (Note: this is not the real transaction model; it is for explanation purposes only.)

Suppose Alice (with address 0x06) wants to send Bob (with address 0xf2) 1 BTC. First, Alice needs to hold UTXOs whose total amount is at least 1 BTC. Suppose Alice has two UTXOs:

  • UTXO1: tx_id: 0x23f, input_id: 0x002, output address: 0x06, output amount: 1.0 BTC
  • UTXO2: tx_id: 0x5a1, input_id: 0x30b, output address: 0x06, output amount: 1.3 BTC

That is to say, Alice now has 2.3 BTC. Alice may choose UTXO1 for this transaction. She therefore sends a new transaction message: tx_id: 0x39c, input_id: 0x23f, output address: 0xf2, output amount: 1.0 BTC. Now Alice needs to sign this message with her private key to make it valid.

In the first case, Alice signs the whole transaction:

  • Original File: ‘tx_id: 0x39c, input_id: 0x23f, output address: 0xf2, output amount: 1.0 BTC’
  • Signed File: signed_Alice=sign(‘tx_id: 0x39c, input_id: 0x23f, output address: 0xf2, output amount: 1.0 BTC’ , sk_Alice)
  • Alice public key: pk_Alice

Miners can then use these three elements to check whether this transaction was sent by Alice. In this case, tampering with the original file will not work, because the signature no longer matches the changed content.

In the second case, Alice only signs the output part:

  • Original File: ‘tx_id: 0x39c, input_id: 0x23f, output address: 0xf2, output amount: 1.0 BTC’
  • Signed File: signed_Alice=sign(‘output address: 0xf2, output amount: 1.0 BTC’ , sk_Alice)
  • Alice public key: pk_Alice

For miners, this is also still a valid transaction.

BUT !! IMPORTANT !!

At this point, if Bob wants to do something bad, he can steal money from Alice by using another of Alice’s UTXOs. Bob can fake a new transaction:

  • Faked File: ‘tx_id: 0x42f, input_id: 0x5a1, output address: 0xf2, output amount: 1.0 BTC’ (Note: the tx_id and input_id are now changed, but the output address and amount are not. The input_id points to another of Alice’s UTXOs. All UTXO information is public on the blockchain, so Bob can easily get it.)
  • Signed File: fake_sign=sign(‘output address: 0xf2, output amount: 1.0 BTC’ , sk_Alice) = signed_Alice (Note: Even though this is a different transaction, the output part remains the same, so Bob can directly reuse signed_Alice.)
  • Public key: pk_Alice

When a miner receives these three elements, this is still a valid transaction, because the miner only checks the signed output part, and from the miner’s perspective the output part is indeed signed by Alice. Miners will therefore include this transaction in the new block, and Bob successfully steals the money from Alice without her permission.
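The two miner checks compared above, as an added example that is not part of the original article: the same signature is tested against Alice's transaction and the altered copy, first with a verifier that covers only the output part and then with one that covers the whole transaction. The toy textbook-RSA key, the dictionary field names and all function names are assumptions made for illustration; only the transaction values come from the article.

```python
import hashlib

# Toy textbook RSA over two Mersenne primes: illustration only, not secure.
P, Q, E = 2**89 - 1, 2**127 - 1, 65537      # E plays the role of pk_Alice
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))           # plays the role of sk_Alice

def digest(message: str) -> int:
    h = hashlib.sha256(message.encode()).digest()
    return int.from_bytes(h, "big") % N

def sign(message: str) -> int:
    return pow(digest(message), D, N)

def verify(message: str, signature: int) -> bool:
    return pow(signature, E, N) == digest(message)

def output_part(tx: dict) -> str:
    return (f"output address: {tx['output_address']}, "
            f"output amount: {tx['output_amount']}")

def whole_tx(tx: dict) -> str:
    return f"tx_id: {tx['tx_id']}, input_id: {tx['input_id']}, " + output_part(tx)

def miner_accepts_output_only(tx: dict, signature: int) -> bool:
    # Weak check: tx_id and input_id are not covered by the signature.
    return verify(output_part(tx), signature)

def miner_accepts_whole_tx(tx: dict, signature: int) -> bool:
    # Stronger check: every field, including the spent UTXO, is covered.
    return verify(whole_tx(tx), signature)

# Transaction values taken from the article.
alice_tx = {"tx_id": "0x39c", "input_id": "0x23f",
            "output_address": "0xf2", "output_amount": "1.0 BTC"}
faked_tx = dict(alice_tx, tx_id="0x42f", input_id="0x5a1")

def demo() -> dict:
    sig_output = sign(output_part(alice_tx))    # second case in the article
    sig_whole = sign(whole_tx(alice_tx))        # first case in the article
    return {
        "output_only/alice_tx": miner_accepts_output_only(alice_tx, sig_output),
        "output_only/faked_tx": miner_accepts_output_only(faked_tx, sig_output),
        "whole_tx/alice_tx": miner_accepts_whole_tx(alice_tx, sig_whole),
        "whole_tx/faked_tx": miner_accepts_whole_tx(faked_tx, sig_whole),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the output-only verifier accepts the altered copy; once the signature covers tx_id and input_id, changing the spent UTXO invalidates it.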
