[Cryptography] In ECDSA, without knowing priv. key and any signature one can sign random garbage
Phillip Hallam-Baker
phill at hallambaker.com
Tue Mar 7 17:11:07 EST 2017
On Mon, Mar 6, 2017 at 8:22 AM, Georgi Guninski <guninski at guninski.com>
wrote:
>
> In ECDSA, the signature of number H is pair (r,s).
> Without knowing the private key and any signature made with the key,
> one can sign:
>
> 1. "random garbage" (there is some complicated structure in it)
> 2. H=0
> 3. H=r
> 4. H=s
>
> Is this known and/or trivial?
>
> Attached are some Sage example for bitcoin's curve SEC256k1.
>
> Would someone confirm or deny the examples with X=111 and unknown
> private key indeed work?
>
> Taking challenges: give the public key Q_A=(x,y) on the curve.
>
It is the property that gives rise to the malleability property (I think)
Yes you can create a valid ECDH signature for garbage. But the garbage
does not match the hash of any data you know the value of.
And yes, it is known because this is the mechanism that it is claimed was
used to empty Mt Gox.
ECDSA includes the hash function. It is not an optional part.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20170307/a6c7ae56/attachment.html>
More information about the cryptography
mailing list