[Cryptography] Proof-of-Satoshi fails Proof-of-Proof.

Ron Garret ron at flownet.com
Sat May 7 18:16:28 EDT 2016


On May 7, 2016, at 2:45 PM, Allen <allenpmd at gmail.com> wrote:

> > No, that’s not true either.  Ed25519 is not merely ECDSA with a specified nonce, it has structural changes
> > from ECDSA specifically to prevent the kind of attack you are suggesting.  The message content is hashed
> > twice, once to produce the nonce, and again with the secret key as a prefix to produce the signature.
> 
> I'm not sure we're talking the same language.  I'm saying: what if, instead of following the Ed25519 spec to compute the nonce deterministically from the hash of the message, the signer simply sets the nonce to a random value, and then proceeds with the rest of the signing equations?  AFAICS from the Ed25519 equations: (a) the signature produced with a random nonce will verify; (b) the signature produced with a random nonce will be "malleable", i.e., different random nonces will produce different signatures; and (c) there is no way for a verifier (i.e., anyone who does not know the signer's secret key) to tell if the signer followed the Ed25519 spec or used a random nonce.  Of course, (a) and (b) could be tested fairly quickly by modifying the code, and if I really cared about and was relying on non-malleability, I would try this.  The last assertion (c), however, cannot be proven simply with code; it would take math.
> 

OMG, you’re right.  My apologies.

rg
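Editor's added example (not code from this thread or from any Ed25519 library): Allen's points (a) and (b) can be checked by modifying a signer, so below is a reference-style, deliberately slow, pure-Python Ed25519 built from the RFC 8032 equations, plus one hypothetical deviating signer, sign_random_nonce(), which replaces the prescribed nonce r = H(prefix || M) with a random scalar and changes nothing else. The verifier is the standard one (S*B == R + H(R || A || M)*A, with S < l) and is never told which signer was used. The sample message is constructed; the RFC 8032 TEST 1 vector is included so the reader can confirm the deterministic path is real Ed25519 and not a toy variant.

```python
import hashlib
import secrets

q = 2**255 - 19                                        # field prime
l = 2**252 + 27742317777372353535851937790883648493    # order of the base point


def H(m):
    return hashlib.sha512(m).digest()


def inv(x):
    return pow(x, q - 2, q)


d = (-121665 * inv(121666)) % q                        # twisted Edwards constant
I = pow(2, (q - 1) // 4, q)                            # sqrt(-1) mod q


def xrecover(y):
    """Even x with -x^2 + y^2 = 1 + d*x^2*y^2 (not checked here; see decodepoint)."""
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * I) % q
    return q - x if x % 2 else x


By = (4 * inv(5)) % q
B = (xrecover(By), By)                                 # base point


def edwards_add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    x3 = (x1 * y2 + x2 * y1) * inv(1 + d * x1 * x2 * y1 * y2)
    y3 = (y1 * y2 + x1 * x2) * inv(1 - d * x1 * x2 * y1 * y2)
    return (x3 % q, y3 % q)


def scalarmult(P, e):
    Q = (0, 1)                                         # neutral element
    while e:
        if e & 1:
            Q = edwards_add(Q, P)
        P = edwards_add(P, P)
        e >>= 1
    return Q


def encodepoint(P):
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def decodepoint(s):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    if (x & 1) != (s[31] >> 7):
        x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q != 0:
        raise ValueError("point not on curve")
    return (x, y)


def secret_expand(sk):
    """RFC 8032 key expansion: clamped scalar a and the 32-byte nonce prefix."""
    h = H(sk)
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:]


def publickey(sk):
    return encodepoint(scalarmult(B, secret_expand(sk)[0]))


def sign_with_nonce(sk, pk, m, r):
    """The signing equations with the nonce r chosen by the caller."""
    a, _ = secret_expand(sk)
    R = encodepoint(scalarmult(B, r))
    k = int.from_bytes(H(R + pk + m), "little") % l
    return R + ((r + k * a) % l).to_bytes(32, "little")


def sign_deterministic(sk, pk, m):
    """Spec-conforming Ed25519: r = H(prefix || M)."""
    _, prefix = secret_expand(sk)
    return sign_with_nonce(sk, pk, m, int.from_bytes(H(prefix + m), "little") % l)


def sign_random_nonce(sk, pk, m):
    """Hypothetical deviating signer (Allen's scenario): r is random, rest unchanged."""
    return sign_with_nonce(sk, pk, m, secrets.randbelow(l))


def verify(pk, m, sig):
    """Standard check: S*B == R + H(R || A || M)*A, rejecting S >= l."""
    if len(sig) != 64 or len(pk) != 32:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= l:                                         # closes the S + l malleability only
        return False
    try:
        R, A = decodepoint(sig[:32]), decodepoint(pk)
    except ValueError:
        return False
    k = int.from_bytes(H(sig[:32] + pk + m), "little") % l
    return scalarmult(B, S) == edwards_add(R, scalarmult(A, k))


def rfc8032_vector_ok():
    """RFC 8032 section 7.1 TEST 1 (empty message) reproduces exactly."""
    sk = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
    pk = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
    sig = bytes.fromhex("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
                        "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")
    return publickey(sk) == pk and sign_deterministic(sk, pk, b"") == sig and verify(pk, b"", sig)


def demo(msg=b"constructed sample message"):
    """Points (a) and (b): random-nonce signatures verify and differ from each other."""
    sk = secrets.token_bytes(32)
    pk = publickey(sk)
    det1, det2 = sign_deterministic(sk, pk, msg), sign_deterministic(sk, pk, msg)
    rnd1, rnd2 = sign_random_nonce(sk, pk, msg), sign_random_nonce(sk, pk, msg)
    return {
        "deterministic_is_repeatable": det1 == det2 and verify(pk, msg, det1),
        "random_nonce_verifies": verify(pk, msg, rnd1) and verify(pk, msg, rnd2),
        "random_nonce_is_malleable": len({det1, rnd1, rnd2}) == 3,
        "tampered_message_rejected": not verify(pk, msg + b"!", det1),
    }


if __name__ == "__main__":
    print("RFC 8032 vector:", rfc8032_vector_ok())
    for name, ok in demo().items():
        print(name, ok)
```

Nothing in verify() can see how r was chosen: it receives only R = r*B and S, and the equation holds for every r in the group, which is point (c) in code rather than in math. The S < l check that RFC 8032 mandates removes a different, verifier-detectable malleability (replacing S with S + l) and does not help here; only a party holding the secret prefix can recompute H(prefix || M) and confirm the nonce.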


