[Cryptography] Proof-of-Satoshi fails Proof-of-Proof.

Adam Back adam at cypherspace.org
Sun May 8 19:54:54 EDT 2016


On 7 May 2016 at 22:30, Ron Garret <ron at flownet.com> wrote:
> No, that’s not true either.  Ed25519 is not merely ECDSA with a specified nonce, it has structural changes from ECDSA specifically to prevent the kind of attack you are suggesting.  The message content is hashed twice, once to produce the nonce, and again with the secret key as a prefix to produce the signature.  Not only does this prevent malleability attacks, but it also protects against collisions in the underlying hash.

Ed25519 (which I believe denotes EdDSA with Edwards 25519 curve) is
actually Elliptic Curve Schnorr and not DSA at all.

It does, however, use the analog of RFC6979, though much simpler.
Neither is protected against signer malleability because the use of
the deterministic nonce is not detectable to the verifier in either
case.

On 7 May 2016 at 06:25, Tony Arcieri <bascule at gmail.com> wrote:
> Interesting sidebar: ECDSA nonces were one of the sources of Bitcoin's
> transaction malleability. The (massive pile of hacks that is) segregated
> witness feature being added to Bitcoin has an added side effect of removing
> signatures from the hash of a transaction, and with it the associated
> malleability.

I consider Segregated Witness quite elegant and the robust solution to
malleability (which extends beyond signatures).  The best way to avoid
malleability is to omit the Script Signature from the hash which forms
the transaction ID - that is what Segregated Witness does.  The other
changes it introduces are architecturally quite useful.
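Added illustration of the two points above (not code from the thread or from Adam Back): a Schnorr signer who derives the nonce deterministically from the secret key and message, as EdDSA and RFC6979 do, produces a signature the verifier cannot distinguish from one made with a random nonce, so the key holder can always emit a second valid signature; and a transaction ID that hashes the signature changes when that happens, while one that omits the witness does not. Assumptions: the curve is secp256k1 rather than Ed25519's, the nonce derivation is a single SHA-256 of key and message rather than the RFC6979 HMAC-DRBG, and the transaction serialisation is a toy of three concatenated fields, not Bitcoin's real format.

```python
import hashlib
import secrets

# Added example, not the author's code. Schnorr over secp256k1 (assumption:
# Bitcoin's curve in place of Ed25519's); the nonce argument is curve-independent.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def sha256(data):
    return hashlib.sha256(data).digest()

def challenge(R, pub, msg):
    # Schnorr challenge e = H(R || P || m): the nonce point is hashed with the message.
    return int.from_bytes(sha256(encode(R) + encode(pub) + msg), "big") % N

def deterministic_nonce(sk, msg):
    # Nonce from secret key and message, in the spirit of RFC6979 / EdDSA's
    # H(prefix || M). Simplified to one SHA-256 (assumption), not HMAC-DRBG.
    return int.from_bytes(sha256(sk.to_bytes(32, "big") + msg), "big") % N or 1

def sign(sk, msg, k):
    # The signer chooses k; nothing about k's origin is visible in (R, s).
    R = point_mul(k, G)
    e = challenge(R, point_mul(sk, G), msg)
    return (R, (k + e * sk) % N)

def verify(pub, msg, sig):
    # Checks s*G == R + e*P. This equation holds for any nonce the signer used,
    # so the verifier cannot detect whether k was deterministic.
    R, s = sig
    if R is None or not 0 < s < N:
        return False
    return point_mul(s, G) == point_add(R, point_mul(challenge(R, pub, msg), pub))

def second_nonce(k):
    # Another valid nonce for the same message; only the key holder can do this.
    return k + 1 if k + 1 < N else 1

def signer_malleability_demo(sk, msg):
    """Return (det_ok, rand_ok, differ): the deterministic-nonce signature and a
    random-nonce signature both verify and are distinct."""
    pub = point_mul(sk, G)
    sig_det = sign(sk, msg, deterministic_nonce(sk, msg))
    sig_rnd = sign(sk, msg, 1 + secrets.randbelow(N - 1))
    return verify(pub, msg, sig_det), verify(pub, msg, sig_rnd), sig_det != sig_rnd

def sha256d(data):
    return sha256(sha256(data))

def encode_sig(sig):
    return encode(sig[0]) + sig[1].to_bytes(32, "big")

def legacy_txid(prev_txid, sig, outputs):
    # Pre-segwit style (toy serialisation): the signature is inside the hashed data.
    return sha256d(prev_txid + encode_sig(sig) + outputs).hex()

def segwit_txid(prev_txid, sig, outputs):
    # Segregated Witness style: the txid deliberately leaves the witness (sig) out.
    return sha256d(prev_txid + outputs).hex()

# Constructed sample transaction: a fake previous txid and opaque output bytes.
PREV_TXID = bytes.fromhex("11" * 32)
OUTPUTS = b"constructed-output-bytes"
SK_DEMO = int.from_bytes(sha256(b"constructed demo secret"), "big") % N

def txid_malleability_demo(sk=SK_DEMO):
    """Return (legacy_changed, segwit_same) after the signer re-signs with a second
    nonce. PREV_TXID + OUTPUTS stands in for the signature hash (sighash)."""
    msg = PREV_TXID + OUTPUTS
    k1 = deterministic_nonce(sk, msg)
    sig1, sig2 = sign(sk, msg, k1), sign(sk, msg, second_nonce(k1))
    pub = point_mul(sk, G)
    assert verify(pub, msg, sig1) and verify(pub, msg, sig2)
    legacy_changed = legacy_txid(PREV_TXID, sig1, OUTPUTS) != legacy_txid(PREV_TXID, sig2, OUTPUTS)
    segwit_same = segwit_txid(PREV_TXID, sig1, OUTPUTS) == segwit_txid(PREV_TXID, sig2, OUTPUTS)
    return legacy_changed, segwit_same

if __name__ == "__main__":
    print("det_ok, rand_ok, differ:", signer_malleability_demo(SK_DEMO, b"hello"))
    print("legacy changed, segwit same:", txid_malleability_demo())
```

The defensive takeaway is the one Adam makes: a deterministic nonce protects a signer from nonce reuse, but it is a signer-side discipline, not a property a verifier or a third party can check, so anything that must be stable under re-signing (a transaction ID) has to exclude the signature from what it hashes.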

Adam

