[Cryptography] Proof-of-Satoshi fails Proof-of-Proof.

Allen allenpmd at gmail.com
Sat May 7 17:45:17 EDT 2016


> No, that’s not true either.  Ed25519 is not merely ECDSA with a specified
> nonce, it has structural changes from ECDSA specifically to prevent the
> kind of attack you are suggesting.  The message content is hashed twice,
> once to produce the nonce, and again with the secret key as a prefix to
> produce the signature.

I'm not sure we're talking the same language.  I'm saying: what if, instead
of following the Ed25519 spec to compute the nonce deterministically from
the hash of the message, the signer simply sets the nonce to a random
value, and then proceeds with the rest of the signing equations.  AFAICS from
the Ed25519 equations: (a) the signature produced with a random nonce will
verify; (b) the signature produced with a random nonce will be "malleable",
i.e., different random nonces will produce different signatures; and (c)
there is no way for a verifier (i.e., anyone who does not know the signer's
secret key) to tell if the signer followed the Ed25519 spec or used a
random nonce.  Of course, (a) and (b) could be tested fairly quickly by
modifying the code, and if I really cared about and was relying on
non-malleability, I would try this.  The last assertion (c), however, cannot
be proven simply with code; it would take math.
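A worked illustration of points (a) and (b), added here as an example and not code from the original message: a compact pure-Python Ed25519 (affine arithmetic, following the paper's equations) whose `sign()` takes an optional caller-supplied nonce `r`, so the spec's deterministic nonce and a random nonce go through the identical remaining equations and the identical `verify()`. The functions `sign_random_nonce`, the helper names and the sample inputs are constructed for this demo; `verify()` receives only (R, S, pk, m), which is why it has no way to distinguish the two signer behaviours.

```python
import hashlib, secrets
q = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493   # order of the base point
d = -121665 * pow(121666, q - 2, q) % q               # curve constant
I = pow(2, (q - 1) // 4, q)                           # sqrt(-1) mod q
def H(m): return hashlib.sha512(m).digest()
def Hint(m): return int.from_bytes(H(m), 'little')
def inv(x): return pow(x, q - 2, q)

def xrecover(y):                      # even square root of (y^2-1)/(d*y^2+1)
    xx = (y*y - 1) * inv(d*y*y + 1) % q
    x = pow(xx, (q + 3) // 8, q)
    if (x*x - xx) % q: x = x * I % q
    return q - x if x & 1 else x
B = (xrecover(4 * inv(5) % q), 4 * inv(5) % q)        # base point (x, 4/5)

def add(P, Q):                        # affine twisted-Edwards addition (complete)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return (x1*y2 + x2*y1) * inv(1 + t) % q, (y1*y2 + x1*x2) * inv(1 - t) % q

def mul(P, e):                        # double-and-add (demo only: not constant-time)
    R = (0, 1)
    while e:
        if e & 1: R = add(R, P)
        P, e = add(P, P), e >> 1
    return R

def enc(P): return (P[1] | (P[0] & 1) << 255).to_bytes(32, 'little')
def dec(s):
    y = int.from_bytes(s, 'little') & (2**255 - 1)
    x = xrecover(y)
    return (q - x if (x & 1) != s[31] >> 7 else x, y)

def keypair(sk):                      # 32 secret bytes -> (clamped scalar a, prefix, pk)
    h = H(sk)
    a = int.from_bytes(h[:32], 'little') & (2**254 - 8) | 2**254
    return a, h[32:], enc(mul(B, a))

def sign(m, sk, r=None):              # r=None follows the spec; any other r is the signer's choice
    a, prefix, pk = keypair(sk)
    r = Hint(prefix + m) % L if r is None else r
    R = enc(mul(B, r))
    return R + ((r + Hint(R + pk + m) * a) % L).to_bytes(32, 'little')

def sign_random_nonce(m, sk):         # constructed: the deviation the post describes
    return sign(m, sk, secrets.randbelow(L))

def verify(m, sig, pk):               # sees only (R, S, pk, m): cannot tell how r was chosen
    R, A, S = dec(sig[:32]), dec(pk), int.from_bytes(sig[32:], 'little')
    return S < L and mul(B, S) == add(R, mul(A, Hint(sig[:32] + pk + m)))
```

With the spec path, `sign(m, sk)` is reproducible and matches the RFC 8032 test vectors; with `sign_random_nonce` every call yields a different (R, S) pair for the same message, and `verify()` accepts all of them.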