public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Aaron Voisine <voisine@gmail.com>
To: Gregory Maxwell <gmaxwell@gmail.com>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Small update to BIP 62
Date: Sat, 19 Jul 2014 12:08:13 -0700	[thread overview]
Message-ID: <CACq0ZD73OsGjZgVnvW_vqabwpaXon3=XN30JVXTMimH1-JtWDA@mail.gmail.com> (raw)
In-Reply-To: <CAAS2fgQGF2d98ciMKkE70bqy01mANPhDtamYroeHOZrfML7rMQ@mail.gmail.com>

Thanks g.maxwell, your explanation of *why* you can't just generate k
in a way that the verifier can duplicate is really helpful. This also
servers as a great illustration why engineers should never try to
designing their own crypto protocols! I knew enough to know not try
that at least.

Aaron Voisine
breadwallet.com


On Fri, Jul 18, 2014 at 11:56 PM, Gregory Maxwell <gmaxwell@gmail.com> wrote:
> On Fri, Jul 18, 2014 at 9:38 PM, Aaron Voisine <voisine@gmail.com> wrote:
>> Well, you could always create a transaction with a different signature
>> hash, say, by changing something trivial like nLockTime, or changing
>> the order of inputs or outputs. Is that what you're talking about? Or
>> is there some sophistry I'm ignorant of having to do with the elliptic
>> curve math in the signature itself?
>
> No, though thats true too. I was talking about the properties of the DSA nonce:
>
> An attacker is not obligated to follow your protocol unless you can
> prevent him. You can _say_ use derandomized DSA all you like, but he
> can just not do so, there is no (reasonable) way to prove you're using
> a particular nonce generation scheme without revealing the private key
> in the process. The verifier cannot know the nonce or he can trivially
> recover your private key thus he can't just repeat the computation
> (well, plus if you're using RFC6979 the computation includes the
> private key), so short of a very fancy ZKP (stuff at the forefront of
> cryptographic/computer science) or precommiting to a nonce per public
> key (e.g. single use public keys), you cannot control how a DSA nonce
> was generated in the verifier in a way that would prevent equivalent
> but not identical signatures.
>
> (I believe there was some P.O.S. altcoin that was vulnerable because
> of precisely the above too— thinking specifying a deterministic signer
> would prevent someone from grinding signatures to improve their mining
> odds... there are signature systems which are naturally
> randomness-free: most hash based signatures and pairing short
> signatures are two examples that come to mind... but not DSA, schnorr,
> or any of their derivatives).



  parent reply	other threads:[~2014-07-19 19:08 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-07-18 15:14 [Bitcoin-development] Small update to BIP 62 Pieter Wuille
2014-07-18 15:39 ` Mike Hearn
2014-07-18 15:45   ` Pieter Wuille
2014-07-18 17:25     ` Pieter Wuille
2014-07-18 18:10       ` Pieter Wuille
2014-07-18 20:56   ` Wladimir
2014-07-18 22:03     ` Aaron Voisine
2014-07-19  1:28       ` Gregory Maxwell
2014-07-19  4:38         ` Aaron Voisine
2014-07-19  6:56           ` Gregory Maxwell
2014-07-19  8:34             ` Aaron Voisine
2014-07-19 19:08             ` Aaron Voisine [this message]
2014-07-19 14:46     ` Pieter Wuille
2014-07-18 20:51 ` Wladimir
2014-09-01 20:48 ` Gregory Maxwell
2014-09-03 16:34   ` Pieter Wuille
2014-09-07 23:31     ` Pieter Wuille
2014-09-12 16:35       ` Pieter Wuille
2014-09-13 22:45         ` Pieter Wuille

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CACq0ZD73OsGjZgVnvW_vqabwpaXon3=XN30JVXTMimH1-JtWDA@mail.gmail.com' \
    --to=voisine@gmail.com \
    --cc=bitcoin-development@lists.sourceforge.net \
    --cc=gmaxwell@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox