From: Aaron Voisine <voisine@gmail•com>
To: Gregory Maxwell <gmaxwell@gmail•com>
Cc: Bitcoin Dev <bitcoin-development@lists•sourceforge.net>
Subject: Re: [Bitcoin-development] Small update to BIP 62
Date: Sat, 19 Jul 2014 12:08:13 -0700 [thread overview]
Message-ID: <CACq0ZD73OsGjZgVnvW_vqabwpaXon3=XN30JVXTMimH1-JtWDA@mail.gmail.com> (raw)
In-Reply-To: <CAAS2fgQGF2d98ciMKkE70bqy01mANPhDtamYroeHOZrfML7rMQ@mail.gmail.com>
Thanks g.maxwell, your explanation of *why* you can't just generate k
in a way that the verifier can duplicate is really helpful. This also
servers as a great illustration why engineers should never try to
designing their own crypto protocols! I knew enough to know not try
that at least.
Aaron Voisine
breadwallet.com
On Fri, Jul 18, 2014 at 11:56 PM, Gregory Maxwell <gmaxwell@gmail•com> wrote:
> On Fri, Jul 18, 2014 at 9:38 PM, Aaron Voisine <voisine@gmail•com> wrote:
>> Well, you could always create a transaction with a different signature
>> hash, say, by changing something trivial like nLockTime, or changing
>> the order of inputs or outputs. Is that what you're talking about? Or
>> is there some sophistry I'm ignorant of having to do with the elliptic
>> curve math in the signature itself?
>
> No, though thats true too. I was talking about the properties of the DSA nonce:
>
> An attacker is not obligated to follow your protocol unless you can
> prevent him. You can _say_ use derandomized DSA all you like, but he
> can just not do so, there is no (reasonable) way to prove you're using
> a particular nonce generation scheme without revealing the private key
> in the process. The verifier cannot know the nonce or he can trivially
> recover your private key thus he can't just repeat the computation
> (well, plus if you're using RFC6979 the computation includes the
> private key), so short of a very fancy ZKP (stuff at the forefront of
> cryptographic/computer science) or precommiting to a nonce per public
> key (e.g. single use public keys), you cannot control how a DSA nonce
> was generated in the verifier in a way that would prevent equivalent
> but not identical signatures.
>
> (I believe there was some P.O.S. altcoin that was vulnerable because
> of precisely the above too— thinking specifying a deterministic signer
> would prevent someone from grinding signatures to improve their mining
> odds... there are signature systems which are naturally
> randomness-free: most hash based signatures and pairing short
> signatures are two examples that come to mind... but not DSA, schnorr,
> or any of their derivatives).
next prev parent reply other threads:[~2014-07-19 19:08 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-18 15:14 Pieter Wuille
2014-07-18 15:39 ` Mike Hearn
2014-07-18 15:45 ` Pieter Wuille
2014-07-18 17:25 ` Pieter Wuille
2014-07-18 18:10 ` Pieter Wuille
2014-07-18 20:56 ` Wladimir
2014-07-18 22:03 ` Aaron Voisine
2014-07-19 1:28 ` Gregory Maxwell
2014-07-19 4:38 ` Aaron Voisine
2014-07-19 6:56 ` Gregory Maxwell
2014-07-19 8:34 ` Aaron Voisine
2014-07-19 19:08 ` Aaron Voisine [this message]
2014-07-19 14:46 ` Pieter Wuille
2014-07-18 20:51 ` Wladimir
2014-09-01 20:48 ` Gregory Maxwell
2014-09-03 16:34 ` Pieter Wuille
2014-09-07 23:31 ` Pieter Wuille
2014-09-12 16:35 ` Pieter Wuille
2014-09-13 22:45 ` Pieter Wuille
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACq0ZD73OsGjZgVnvW_vqabwpaXon3=XN30JVXTMimH1-JtWDA@mail.gmail.com' \
--to=voisine@gmail$(echo .)com \
--cc=bitcoin-development@lists$(echo .)sourceforge.net \
--cc=gmaxwell@gmail$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox