summaryrefslogtreecommitdiff
path: root/7b/2527cb46c887a24522768d5d775a193b563267
blob: 5246e5473b6d6d962de7496a680a56c71ed3989d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193]
	helo=mx.sourceforge.net)
	by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <gmaxwell@gmail.com>) id 1X8OZ5-0006N9-RA
	for bitcoin-development@lists.sourceforge.net;
	Sat, 19 Jul 2014 06:56:15 +0000
Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of gmail.com
	designates 209.85.215.43 as permitted sender)
	client-ip=209.85.215.43; envelope-from=gmaxwell@gmail.com;
	helo=mail-la0-f43.google.com; 
Received: from mail-la0-f43.google.com ([209.85.215.43])
	by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
	(Exim 4.76) id 1X8OZ4-00088o-W8
	for bitcoin-development@lists.sourceforge.net;
	Sat, 19 Jul 2014 06:56:15 +0000
Received: by mail-la0-f43.google.com with SMTP id hr17so3468828lab.2
	for <bitcoin-development@lists.sourceforge.net>;
	Fri, 18 Jul 2014 23:56:08 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.112.40.161 with SMTP id y1mr9907528lbk.61.1405752968218;
	Fri, 18 Jul 2014 23:56:08 -0700 (PDT)
Received: by 10.112.35.138 with HTTP; Fri, 18 Jul 2014 23:56:08 -0700 (PDT)
In-Reply-To: <CACq0ZD4GwDZbEK4oE_BJxN-nDTb_4+hhDFZ0T7xGAi8v3G349A@mail.gmail.com>
References: <CAPg+sBiTURdRAZbyk3guF5YzAAQebo8yY_TuXHUKYDEdLjDUdQ@mail.gmail.com>
	<CANEZrP3fA3gZ5u6yViBZpdTYxyFvZT=uOTDEnL797OueXf-16g@mail.gmail.com>
	<CA+s+GJAd00ba7SzoUYeGvTOoHRiysXtYmx4Cnq8xQLXZx_VwyQ@mail.gmail.com>
	<CACq0ZD6BmTB_jwE9L0_zrWgVckb=LFL61fow1kuTSnjurbsq9A@mail.gmail.com>
	<CAAS2fgSwzx7M9NLjoOgfAgQT2cHmUWYD8hBmwHRRhgG9UgmmhA@mail.gmail.com>
	<CACq0ZD4GwDZbEK4oE_BJxN-nDTb_4+hhDFZ0T7xGAi8v3G349A@mail.gmail.com>
Date: Fri, 18 Jul 2014 23:56:08 -0700
Message-ID: <CAAS2fgQGF2d98ciMKkE70bqy01mANPhDtamYroeHOZrfML7rMQ@mail.gmail.com>
From: Gregory Maxwell <gmaxwell@gmail.com>
To: Aaron Voisine <voisine@gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -1.6 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
	(gmaxwell[at]gmail.com)
	-0.0 SPF_PASS               SPF: sender matches SPF record
	-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	author's domain
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1X8OZ4-00088o-W8
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Small update to BIP 62
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Sat, 19 Jul 2014 06:56:16 -0000

On Fri, Jul 18, 2014 at 9:38 PM, Aaron Voisine <voisine@gmail.com> wrote:
> Well, you could always create a transaction with a different signature
> hash, say, by changing something trivial like nLockTime, or changing
> the order of inputs or outputs. Is that what you're talking about? Or
> is there some sophistry I'm ignorant of having to do with the elliptic
> curve math in the signature itself?

No, though thats true too. I was talking about the properties of the DSA no=
nce:

An attacker is not obligated to follow your protocol unless you can
prevent him. You can _say_ use derandomized DSA all you like, but he
can just not do so, there is no (reasonable) way to prove you're using
a particular nonce generation scheme without revealing the private key
in the process. The verifier cannot know the nonce or he can trivially
recover your private key thus he can't just repeat the computation
(well, plus if you're using RFC6979 the computation includes the
private key), so short of a very fancy ZKP (stuff at the forefront of
cryptographic/computer science) or precommiting to a nonce per public
key (e.g. single use public keys), you cannot control how a DSA nonce
was generated in the verifier in a way that would prevent equivalent
but not identical signatures.

(I believe there was some P.O.S. altcoin that was vulnerable because
of precisely the above too=E2=80=94 thinking specifying a deterministic sig=
ner
would prevent someone from grinding signatures to improve their mining
odds... there are signature systems which are naturally
randomness-free: most hash based signatures and pairing short
signatures are two examples that come to mind... but not DSA, schnorr,
or any of their derivatives).