On Sun, Oct 23, 2016 at 6:55 PM, Gregory Maxwell <[email protected]> wrote:
>
> Failing to specify a non-malleable form has resulted in
> vulnerabilities in multiple protocols and systems.
>
> For example, some users of openssl will blacklist certificates by
> their hash. But you can take a valid ecdsa signature, change it to
> another valid one under the same key, thus change the certificate
> hash-- and bypass the blacklist. OpenSSL CVEed their fix for
> DER-parser originated signature malleability related to blacklisting,
> but still has the ecdsa algebraic one (adding half the order to s to
> flip the sign of R).
Good example. I knew of the bitcoin issue but not that one. If you have a reference for that, or know of other examples, that would be helpful.

This is irrelevant to protocols that use signatures correctly. Also, the checks in the existing spec match some existing Ed25519 code and are simple. But you may be right that a spec for general use should prefer stricter checks, to make things safer for careless users.

Trevor
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
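The algebraic ECDSA malleability discussed in the thread, worked through as an added example (this is editor-supplied code, not code from Gregory, Trevor, OpenSSL or Bitcoin): a textbook ECDSA over secp256k1 in pure Python, a signature (r, s) produced under a constructed test key, and the second signature (r, n - s) that verifies under the same key without knowing it. Negating s negates the recovered point R, which leaves its x-coordinate, and therefore r, unchanged. The block then DER-encodes both signatures and hashes them, showing why anything that blacklists by a hash over an encoding that includes the signature can be bypassed, and finishes with the low-s check (accept only s <= n/2, the rule Bitcoin adopted) that rejects exactly one of the pair. The nonce derivation is a simplified HMAC construction standing in for RFC 6979, and the private key, message and blacklist are constructed for the demo; none of it is suitable as a production signer.

```python
import hashlib
import hmac

# secp256k1 domain parameters (public constants, not assumptions).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Constructed test inputs: a throwaway private scalar and a message.
TEST_KEY = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
TEST_MSG = b"constructed test message for the malleability demo"


def inv(a, m):
    return pow(a, -1, m)


def add(p, q):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None                      # p == -q
    if p == q:
        lam = 3 * p[0] * p[0] * inv(2 * p[1], P) % P
    else:
        lam = (q[1] - p[1]) * inv(q[0] - p[0], P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def mul(k, p):
    """Double-and-add scalar multiplication (demo only; not constant-time)."""
    r = None
    while k:
        if k & 1:
            r = add(r, p)
        p = add(p, p)
        k >>= 1
    return r


def hash_msg(msg):
    # SHA-256 output is 256 bits, the bit length of N, so no truncation step.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(d, msg):
    z = hash_msg(msg)
    # Deterministic nonce: HMAC over the message hash under the key bytes.
    # Simplified stand-in for RFC 6979, used here only so the demo is repeatable.
    k = int.from_bytes(hmac.new(d.to_bytes(32, "big"), hashlib.sha256(msg).digest(),
                                hashlib.sha256).digest(), "big") % N
    if k == 0:
        raise ValueError("nonce derivation produced zero; pick another message")
    r = mul(k, G)[0] % N
    s = inv(k, N) * (z + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; pick another message")
    return (r, s)


def verify(Q, msg, sig):
    """Plain ECDSA verification: accepts both (r, s) and (r, N - s)."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = inv(s, N)
    X = add(mul(hash_msg(msg) * w % N, G), mul(r * w % N, Q))
    return X is not None and X[0] % N == r


def flip_s(sig):
    """The algebraic malleability: s -> -s mod N negates R and keeps r."""
    r, s = sig
    return (r, (N - s) % N)


def is_low_s(sig):
    """Canonical-form check: reject the high-s half of each signature pair."""
    return 1 <= sig[1] <= N // 2


def der_int(x):
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")   # pads 0x00 if the top bit is set
    return b"\x02" + bytes([len(b)]) + b


def der_sig(sig):
    body = der_int(sig[0]) + der_int(sig[1])
    return b"\x30" + bytes([len(body)]) + body


def fingerprint(blob):
    return hashlib.sha256(blob).hexdigest()


def blacklist_bypassed(Q, msg, sig):
    """Model a hash blacklist over the DER signature; the flipped form is not on it."""
    blacklist = {fingerprint(der_sig(sig))}          # constructed: the known-bad entry
    alt = flip_s(sig)
    return verify(Q, msg, alt) and fingerprint(der_sig(alt)) not in blacklist


if __name__ == "__main__":
    Q = mul(TEST_KEY, G)
    sig = sign(TEST_KEY, TEST_MSG)
    alt = flip_s(sig)
    print("original verifies:", verify(Q, TEST_MSG, sig), "low-s:", is_low_s(sig))
    print("flipped  verifies:", verify(Q, TEST_MSG, alt), "low-s:", is_low_s(alt))
    print("DER fingerprints differ:", fingerprint(der_sig(sig)) != fingerprint(der_sig(alt)))
    print("hash blacklist bypassed:", blacklist_bypassed(Q, TEST_MSG, sig))
```

A verifier that enforces `is_low_s` (or any equivalent canonical-form rule) accepts exactly one member of each pair, which is what closes the gap for users who key anything on the signature bytes; a verifier that only runs `verify` is correct as a signature check yet still leaves the encoding malleable.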
