Introduction

The criteria we use for listing projects on Forkdrop.io is that they credit the owners in Bitcoin's UTXO set in some manner. Some projects require you to register your ownership of the UTXO set entry by providing a cryptographic signature that validates to the public Bitcoin address holding a balance.

Some also require you to create a login to a web service and provide other details in order to get coins. This is a risk to your anonymity of your BTC balances, so please be careful when doing so.

Registering for Airdrops

As a very basic baseline we recommend using platforms such as TAILS and Ubuntu for handling your private keys. For creating signed messages, our guide for using Electrum software that is included by default with the official TAILS release is covered in one of our guides.

For creating signatures corresponding ultra-high-value keys holding BTC, a more specialized approach is advisable. For example, some solutions exist to sign on an airgapped machine made of inexpensive, disposable hardware: https://github.com/isle2983/bip38-pi-airgap

If the project requires you to use your private keys in conjugation with their software in order to register, this is a red flag for a project wanting to steal your keys. If this is a requirement consider seeking an alternative method since it is likely that they just need to create a simple cryptographic signature.

In some cases the special signature can be done with modification to Electrum with a bit of technical sophistication. Since many projects are simply copy-pasting Bitcoin code, the signature scheme is going to be very close to how Bitcoin has implemented it in the first place. This was the case with the BitCore (BTX) registration program (now past), which required the simple one-line modification of Electrum in order to create valid BitCore signatures.

Downsides to Registering

This is a bit obtuse and is probably not worth worrying too much about, but we feel you should have some awareness of.

Bitcoin's digital signature and address scheme has some protections in place to guard against accidental bad entropy in private key generation and possibly anticipated weakness in the elliptic curve math of the cryptographic scheme. The act of signing a message reveals your public key of your public-private key pair. This is a slight weakening of the security of your private key, not by much, but there is a reason why Bitcoin's address scheme was designed in the way it was. The issue is that registering for airdrops with a signed message does reveal your public key to the project.

The normal bitcoin addresses you are used to are derived through a few rounds of hash functions applied to the public key. If an attacker is trying to exploit some mathematical weakness to compute the private key, getting the public key gets them a couple steps closer. If you generated your private key with a bad random number generator, an attacker might be able to quickly derive your private key from your public key, whereas that was much harder to do, computationally-speaking starting from your address due to the rounds of hash. If an attacker is somehow able to derive your private key (likely because it was badly generated by bad software upon creation), they have stolen your Bitcoin. This is why it is generally advisable for good security practices to not re-use addresses because the act of spending from that address once reveals your public key to the world.

To counter-act this downside, we recommend you move your BTC off of this address and private key at the earliest opportunity after qualifying for the airdrop under the rules established by the project.

Related Articles