2025-05-13 20:38:03

waxwing on Nostr: You probably know that ECDSA signatures in their default construction are malleable ...

You probably know that ECDSA signatures in their default construction are malleable (which caused problems in Bitcoin, earlier): if (r, s) is a valid signature on a message m, then so is (r, -s).

But did you know the reverse can be arranged to be true, using a party trick: you can generate a scenario where the same signature (r, s) signs two different messages m1, m2?

Like this: start in the usual way by choosing a nonce k, and calculating R and its x-coordinate r. Then, from m1 and m2, calculate the hashes h1 and h2 in the usual message hashing way. Then, construct the private key as x = -(h1 + h2)/2r. Then sign, say, m1 in the usual way as s = k^-1 (h1 + rx), and (r, s) will be a valid signature on both the messages m1, m2.

It's a party trick because you can only choose this special private key after already setting m1 and m2. But note that you can still keep signing other messages with that key, because you own it.

Like much other weirdness about ECDSA, this stems from the awkward element of the design: instead of committing to the R-value in a standard hashing step, you commit to it, separately from the message, with its x-coordinate (and even worse, you only encode the x-coordinate in the final signature, not the full curve point!).

#cryptography
Author Public Key
npub1vadcfln4ugt2h9ruwsuwu5vu5am4xaka7pw6m7axy79aqyhp6u5q9knuu7
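The construction in the note, carried through in working code, as an added example that is not part of waxwing's post: textbook ECDSA over secp256k1 in pure Python (standard curve constants, affine arithmetic, no external library), a `two_message_key` helper that derives x = -(h1 + h2)/(2r) from a fixed nonce and two messages, and a verifier showing that the single (r, s) produced for m1 also verifies for m2, that (r, n - s) still verifies (the ordinary malleability the note opens with), and that the derived key keeps signing unrelated messages normally. The nonce, the messages and the helper names are constructed for this demonstration; the verification step lands on -R for m2, which shares R's x-coordinate, which is exactly the x-only design flaw the note points at.

```python
"""
Added example (not waxwing's code): the "one ECDSA signature, two messages"
party trick on secp256k1. Curve constants are the standard secp256k1
parameters; nonce, key derivation inputs and messages are constructed here.
"""
import hashlib

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_P, generator G of prime order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (group identity)


def ec_add(p1, p2):
    """Affine point addition on secp256k1 (curve parameter a = 0)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 == -p2 (also covers doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (demo only, not constant-time)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def msg_hash(m: bytes) -> int:
    """Message digest as an integer mod N, the 'usual message hashing way'."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def sign(x, k, m):
    """Textbook ECDSA with a caller-supplied nonce: s = k^-1 (h + r x) mod N."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (msg_hash(m) + r * x) % N
    assert r and s, "degenerate nonce or key, pick another"
    return (r, s)


def verify(pub, m, sig):
    """Standard ECDSA verification: x-coordinate of (h/s) G + (r/s) pub must equal r."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(msg_hash(m) * w % N, G), ec_mul(r * w % N, pub))
    return pt is not INF and pt[0] % N == r


def two_message_key(k, m1, m2):
    """The party trick: given nonce k and messages m1, m2, derive the private
    key x = -(h1 + h2) / (2 r) mod N. Signing m1 with nonce k then gives
    h2 + r x = -(h1 + r x), so the verifier computes -R for m2, which has
    the same x-coordinate r and therefore passes."""
    r = ec_mul(k, G)[0] % N
    h1, h2 = msg_hash(m1), msg_hash(m2)
    return (-(h1 + h2)) * pow(2 * r, -1, N) % N


# Constructed inputs: fixed nonces (derived from labels for reproducibility) and messages.
K1 = int.from_bytes(hashlib.sha256(b"demo nonce 1 (constructed)").digest(), "big") % N
K2 = int.from_bytes(hashlib.sha256(b"demo nonce 2 (constructed)").digest(), "big") % N
M1 = b"pay alice 1 BTC"
M2 = b"pay mallory 100 BTC"
M3 = b"something else entirely"


def demo():
    """Run the trick and return which (message, signature) pairs verify."""
    x = two_message_key(K1, M1, M2)
    pub = ec_mul(x, G)
    sig = sign(x, K1, M1)  # signed m1 only, with the special key and nonce
    r, s = sig
    return {
        "m1_ok": verify(pub, M1, sig),                     # the message actually signed
        "m2_ok": verify(pub, M2, sig),                     # same (r, s) also verifies m2
        "m3_ok": verify(pub, M3, sig),                     # trick is specific to m1, m2
        "malleated_ok": verify(pub, M1, (r, N - s)),       # classic (r, -s) malleability
        "other_sig_ok": verify(pub, M3, sign(x, K2, M3)),  # key still signs normally
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note that `two_message_key` needs m1 and m2 before it can produce x, which is why this is a party trick rather than an attack on an existing key: an honest signer's key is fixed first, and the equation then has no freedom left. The `malleated_ok` entry is the everyday version of the same x-only weakness: negating s negates the recovered point, and the check only looks at its x-coordinate.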