📅 Original date posted:2014-07-19
📝 Original message:Thanks g.maxwell, your explanation of *why* you can't just generate k
in a way that the verifier can duplicate is really helpful. This also
servers as a great illustration why engineers should never try to
designing their own crypto protocols! I knew enough to know not try
that at least.
Aaron Voisine
breadwallet.com
On Fri, Jul 18, 2014 at 11:56 PM, Gregory Maxwell <gmaxwell at gmail.com> wrote:
> On Fri, Jul 18, 2014 at 9:38 PM, Aaron Voisine <voisine at gmail.com> wrote:
>> Well, you could always create a transaction with a different signature
>> hash, say, by changing something trivial like nLockTime, or changing
>> the order of inputs or outputs. Is that what you're talking about? Or
>> is there some sophistry I'm ignorant of having to do with the elliptic
>> curve math in the signature itself?
>
> No, though thats true too. I was talking about the properties of the DSA nonce:
>
> An attacker is not obligated to follow your protocol unless you can
> prevent him. You can _say_ use derandomized DSA all you like, but he
> can just not do so, there is no (reasonable) way to prove you're using
> a particular nonce generation scheme without revealing the private key
> in the process. The verifier cannot know the nonce or he can trivially
> recover your private key thus he can't just repeat the computation
> (well, plus if you're using RFC6979 the computation includes the
> private key), so short of a very fancy ZKP (stuff at the forefront of
> cryptographic/computer science) or precommiting to a nonce per public
> key (e.g. single use public keys), you cannot control how a DSA nonce
> was generated in the verifier in a way that would prevent equivalent
> but not identical signatures.
>
> (I believe there was some P.O.S. altcoin that was vulnerable because
> of precisely the above too— thinking specifying a deterministic signer
> would prevent someone from grinding signatures to improve their mining
> odds... there are signature systems which are naturally
> randomness-free: most hash based signatures and pairing short
> signatures are two examples that come to mind... but not DSA, schnorr,
> or any of their derivatives).
Aaron Voisine [ARCHIVE] /
npub18g…knkzl
2023-06-07 15:24:16
in reply to nevent1q…4xv3
Author Public Key
npub18gjvug29c4yg46lmplq38e75gg6wn5mn8taytckcsr4jt8p74h3s5knkzlPublished at
2023-06-07 15:24:16Event JSON
{
"id": "7652316c0c3ebf090bdba43b748f5492724d2a641e18cc198700d99579ce1de2",
"pubkey": "3a24ce2145c5488aebfb0fc113e7d44234e9d3733afa45e2d880eb259c3eade3",
"created_at": 1686151456,
"kind": 1,
"tags": [
[
"e",
"bd724105ae316b349d93a76fd25acc857c6eaea5c338fe45ec1a0cf9e46b9c93",
"",
"root"
],
[
"e",
"4c124ef8881334ffdcc5952aeab1b9d951bf11bdbd9ca33d826f117434abd2d8",
"",
"reply"
],
[
"p",
"3a24ce2145c5488aebfb0fc113e7d44234e9d3733afa45e2d880eb259c3eade3"
]
],
"content": "📅 Original date posted:2014-07-19\n📝 Original message:Thanks g.maxwell, your explanation of *why* you can't just generate k\nin a way that the verifier can duplicate is really helpful. This also\nservers as a great illustration why engineers should never try to\ndesigning their own crypto protocols! I knew enough to know not try\nthat at least.\n\nAaron Voisine\nbreadwallet.com\n\n\nOn Fri, Jul 18, 2014 at 11:56 PM, Gregory Maxwell \u003cgmaxwell at gmail.com\u003e wrote:\n\u003e On Fri, Jul 18, 2014 at 9:38 PM, Aaron Voisine \u003cvoisine at gmail.com\u003e wrote:\n\u003e\u003e Well, you could always create a transaction with a different signature\n\u003e\u003e hash, say, by changing something trivial like nLockTime, or changing\n\u003e\u003e the order of inputs or outputs. Is that what you're talking about? Or\n\u003e\u003e is there some sophistry I'm ignorant of having to do with the elliptic\n\u003e\u003e curve math in the signature itself?\n\u003e\n\u003e No, though thats true too. I was talking about the properties of the DSA nonce:\n\u003e\n\u003e An attacker is not obligated to follow your protocol unless you can\n\u003e prevent him. You can _say_ use derandomized DSA all you like, but he\n\u003e can just not do so, there is no (reasonable) way to prove you're using\n\u003e a particular nonce generation scheme without revealing the private key\n\u003e in the process. The verifier cannot know the nonce or he can trivially\n\u003e recover your private key thus he can't just repeat the computation\n\u003e (well, plus if you're using RFC6979 the computation includes the\n\u003e private key), so short of a very fancy ZKP (stuff at the forefront of\n\u003e cryptographic/computer science) or precommiting to a nonce per public\n\u003e key (e.g. single use public keys), you cannot control how a DSA nonce\n\u003e was generated in the verifier in a way that would prevent equivalent\n\u003e but not identical signatures.\n\u003e\n\u003e (I believe there was some P.O.S. altcoin that was vulnerable because\n\u003e of precisely the above too— thinking specifying a deterministic signer\n\u003e would prevent someone from grinding signatures to improve their mining\n\u003e odds... there are signature systems which are naturally\n\u003e randomness-free: most hash based signatures and pairing short\n\u003e signatures are two examples that come to mind... but not DSA, schnorr,\n\u003e or any of their derivatives).",
"sig": "8b6888a5637a6afc30f8b97f9e4ab05bf24bfff36eea07cb93c427ad401a6a6314e5f3a31e487615f7e665da8ad66c51ebdb1e14bb066232ab9c1cf15d8a8275"
}