From: Aaron Voisine <voisine@gmail.com>
To: Gregory Maxwell <gmaxwell@gmail.com>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Small update to BIP 62
Date: Sat, 19 Jul 2014 01:34:13 -0700 [thread overview]
Message-ID: <CACq0ZD6L1TqG9Z=9e=Uon0M=30PjzR5Bt29f5p1Mh=aggmHZmw@mail.gmail.com> (raw)
In-Reply-To: <CAAS2fgQGF2d98ciMKkE70bqy01mANPhDtamYroeHOZrfML7rMQ@mail.gmail.com>
Ah, good point. For some reason I was thinking the k value was
generated only from the hash being signed, but it's derived from both
the private key and the hash, so as you say there's no way for the
verifier to tell if the scheme is being followed.
Aaron Voisine
breadwallet.com
On Fri, Jul 18, 2014 at 11:56 PM, Gregory Maxwell <gmaxwell@gmail.com> wrote:
> On Fri, Jul 18, 2014 at 9:38 PM, Aaron Voisine <voisine@gmail.com> wrote:
>> Well, you could always create a transaction with a different signature
>> hash, say, by changing something trivial like nLockTime, or changing
>> the order of inputs or outputs. Is that what you're talking about? Or
>> is there some sophistry I'm ignorant of having to do with the elliptic
>> curve math in the signature itself?
>
> No, though thats true too. I was talking about the properties of the DSA nonce:
>
> An attacker is not obligated to follow your protocol unless you can
> prevent him. You can _say_ use derandomized DSA all you like, but he
> can just not do so, there is no (reasonable) way to prove you're using
> a particular nonce generation scheme without revealing the private key
> in the process. The verifier cannot know the nonce or he can trivially
> recover your private key thus he can't just repeat the computation
> (well, plus if you're using RFC6979 the computation includes the
> private key), so short of a very fancy ZKP (stuff at the forefront of
> cryptographic/computer science) or precommiting to a nonce per public
> key (e.g. single use public keys), you cannot control how a DSA nonce
> was generated in the verifier in a way that would prevent equivalent
> but not identical signatures.
>
> (I believe there was some P.O.S. altcoin that was vulnerable because
> of precisely the above too— thinking specifying a deterministic signer
> would prevent someone from grinding signatures to improve their mining
> odds... there are signature systems which are naturally
> randomness-free: most hash based signatures and pairing short
> signatures are two examples that come to mind... but not DSA, schnorr,
> or any of their derivatives).
next prev parent reply other threads:[~2014-07-19 8:34 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-18 15:14 [Bitcoin-development] Small update to BIP 62 Pieter Wuille
2014-07-18 15:39 ` Mike Hearn
2014-07-18 15:45 ` Pieter Wuille
2014-07-18 17:25 ` Pieter Wuille
2014-07-18 18:10 ` Pieter Wuille
2014-07-18 20:56 ` Wladimir
2014-07-18 22:03 ` Aaron Voisine
2014-07-19 1:28 ` Gregory Maxwell
2014-07-19 4:38 ` Aaron Voisine
2014-07-19 6:56 ` Gregory Maxwell
2014-07-19 8:34 ` Aaron Voisine [this message]
2014-07-19 19:08 ` Aaron Voisine
2014-07-19 14:46 ` Pieter Wuille
2014-07-18 20:51 ` Wladimir
2014-09-01 20:48 ` Gregory Maxwell
2014-09-03 16:34 ` Pieter Wuille
2014-09-07 23:31 ` Pieter Wuille
2014-09-12 16:35 ` Pieter Wuille
2014-09-13 22:45 ` Pieter Wuille
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACq0ZD6L1TqG9Z=9e=Uon0M=30PjzR5Bt29f5p1Mh=aggmHZmw@mail.gmail.com' \
--to=voisine@gmail.com \
--cc=bitcoin-development@lists.sourceforge.net \
--cc=gmaxwell@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox