📅 Original date posted:2014-07-19
📝 Original message:On Fri, Jul 18, 2014 at 9:38 PM, Aaron Voisine <voisine at gmail.com> wrote:
> Well, you could always create a transaction with a different signature
> hash, say, by changing something trivial like nLockTime, or changing
> the order of inputs or outputs. Is that what you're talking about? Or
> is there some sophistry I'm ignorant of having to do with the elliptic
> curve math in the signature itself?
No, though thats true too. I was talking about the properties of the DSA nonce:
An attacker is not obligated to follow your protocol unless you can
prevent him. You can _say_ use derandomized DSA all you like, but he
can just not do so, there is no (reasonable) way to prove you're using
a particular nonce generation scheme without revealing the private key
in the process. The verifier cannot know the nonce or he can trivially
recover your private key thus he can't just repeat the computation
(well, plus if you're using RFC6979 the computation includes the
private key), so short of a very fancy ZKP (stuff at the forefront of
cryptographic/computer science) or precommiting to a nonce per public
key (e.g. single use public keys), you cannot control how a DSA nonce
was generated in the verifier in a way that would prevent equivalent
but not identical signatures.
(I believe there was some P.O.S. altcoin that was vulnerable because
of precisely the above too— thinking specifying a deterministic signer
would prevent someone from grinding signatures to improve their mining
odds... there are signature systems which are naturally
randomness-free: most hash based signatures and pairing short
signatures are two examples that come to mind... but not DSA, schnorr,
or any of their derivatives).
Gregory Maxwell [ARCHIVE] /
npub1f2…crwet
2023-06-07 15:24:15
in reply to nevent1q…efw9
Author Public Key
npub1f2nvlx49er5c7sqa43src6ssyp6snd4qwvtkwm5avc2l84cs84esecrwetSeen on
wss://relay.noswhere.comPublished at
2023-06-07 15:24:15Event JSON
{
"id": "a7368d2144975a57780d6d5e681ec42dd2ace690b98c76915480cc8d962aed55",
"pubkey": "4aa6cf9aa5c8e98f401dac603c6a10207509b6a07317676e9d6615f3d7103d73",
"created_at": 1686151455,
"kind": 1,
"tags": [
[
"e",
"bd724105ae316b349d93a76fd25acc857c6eaea5c338fe45ec1a0cf9e46b9c93",
"",
"root"
],
[
"e",
"8acc59d5cbf057bd420f6e1bec1395e5efeb22b2bae2b94ca548e56921a83055",
"",
"reply"
],
[
"p",
"3a24ce2145c5488aebfb0fc113e7d44234e9d3733afa45e2d880eb259c3eade3"
]
],
"content": "📅 Original date posted:2014-07-19\n📝 Original message:On Fri, Jul 18, 2014 at 9:38 PM, Aaron Voisine \u003cvoisine at gmail.com\u003e wrote:\n\u003e Well, you could always create a transaction with a different signature\n\u003e hash, say, by changing something trivial like nLockTime, or changing\n\u003e the order of inputs or outputs. Is that what you're talking about? Or\n\u003e is there some sophistry I'm ignorant of having to do with the elliptic\n\u003e curve math in the signature itself?\n\nNo, though thats true too. I was talking about the properties of the DSA nonce:\n\nAn attacker is not obligated to follow your protocol unless you can\nprevent him. You can _say_ use derandomized DSA all you like, but he\ncan just not do so, there is no (reasonable) way to prove you're using\na particular nonce generation scheme without revealing the private key\nin the process. The verifier cannot know the nonce or he can trivially\nrecover your private key thus he can't just repeat the computation\n(well, plus if you're using RFC6979 the computation includes the\nprivate key), so short of a very fancy ZKP (stuff at the forefront of\ncryptographic/computer science) or precommiting to a nonce per public\nkey (e.g. single use public keys), you cannot control how a DSA nonce\nwas generated in the verifier in a way that would prevent equivalent\nbut not identical signatures.\n\n(I believe there was some P.O.S. altcoin that was vulnerable because\nof precisely the above too— thinking specifying a deterministic signer\nwould prevent someone from grinding signatures to improve their mining\nodds... there are signature systems which are naturally\nrandomness-free: most hash based signatures and pairing short\nsignatures are two examples that come to mind... but not DSA, schnorr,\nor any of their derivatives).",
"sig": "2f38694ac174847f95f0e03364707b0d1a58877292c8d5f646d4f858b9d487c825f53eb80863b918e002f10e1e6a0da25c0aa97e4c20842051ca65bd0c960a6d"
}