Thanks g.maxwell, your explanation of *why* you can't just generate k in a way that the verifier can duplicate is really helpful. This also serves as a great illustration of why engineers should never try to design their own crypto protocols! I knew enough to know not to try that, at least.
Aaron Voisine
breadwallet.com

On Fri, Jul 18, 2014 at 11:56 PM, Gregory Maxwell <gmaxw...@gmail.com> wrote:
> On Fri, Jul 18, 2014 at 9:38 PM, Aaron Voisine <vois...@gmail.com> wrote:
>> Well, you could always create a transaction with a different signature
>> hash, say, by changing something trivial like nLockTime, or changing
>> the order of inputs or outputs. Is that what you're talking about? Or
>> is there some sophistry I'm ignorant of having to do with the elliptic
>> curve math in the signature itself?
>
> No, though that's true too. I was talking about the properties of the DSA
> nonce:
>
> An attacker is not obligated to follow your protocol unless you can
> prevent him. You can _say_ use derandomized DSA all you like, but he
> can just not do so, there is no (reasonable) way to prove you're using
> a particular nonce generation scheme without revealing the private key
> in the process. The verifier cannot know the nonce or he can trivially
> recover your private key thus he can't just repeat the computation
> (well, plus if you're using RFC6979 the computation includes the
> private key), so short of a very fancy ZKP (stuff at the forefront of
> cryptographic/computer science) or precommitting to a nonce per public
> key (e.g. single use public keys), you cannot control how a DSA nonce
> was generated in the verifier in a way that would prevent equivalent
> but not identical signatures.
>
> (I believe there was some P.O.S. altcoin that was vulnerable because
> of precisely the above too— thinking specifying a deterministic signer
> would prevent someone from grinding signatures to improve their mining
> odds... there are signature systems which are naturally
> randomness-free: most hash based signatures and pairing short
> signatures are two examples that come to mind... but not DSA, schnorr,
> or any of their derivatives).
_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development