On Fri, Jul 18, 2014 at 9:38 PM, Aaron Voisine <vois...@gmail.com> wrote: > Well, you could always create a transaction with a different signature > hash, say, by changing something trivial like nLockTime, or changing > the order of inputs or outputs. Is that what you're talking about? Or > is there some sophistry I'm ignorant of having to do with the elliptic > curve math in the signature itself?
No, though thats true too. I was talking about the properties of the DSA nonce: An attacker is not obligated to follow your protocol unless you can prevent him. You can _say_ use derandomized DSA all you like, but he can just not do so, there is no (reasonable) way to prove you're using a particular nonce generation scheme without revealing the private key in the process. The verifier cannot know the nonce or he can trivially recover your private key thus he can't just repeat the computation (well, plus if you're using RFC6979 the computation includes the private key), so short of a very fancy ZKP (stuff at the forefront of cryptographic/computer science) or precommiting to a nonce per public key (e.g. single use public keys), you cannot control how a DSA nonce was generated in the verifier in a way that would prevent equivalent but not identical signatures. (I believe there was some P.O.S. altcoin that was vulnerable because of precisely the above too— thinking specifying a deterministic signer would prevent someone from grinding signatures to improve their mining odds... there are signature systems which are naturally randomness-free: most hash based signatures and pairing short signatures are two examples that come to mind... but not DSA, schnorr, or any of their derivatives). ------------------------------------------------------------------------------ Want fast and easy access to all the code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. http://p.sf.net/sfu/bds _______________________________________________ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
