[Cryptography] In ECDSA, without knowing priv. key and any signature one can sign random garbage

Natanael natanael.l at gmail.com
Wed Mar 8 04:42:32 EST 2017


On 8 Mar 2017 00:10, "Phillip Hallam-Baker" <phill at hallambaker.com> wrote:


It is the property that gives rise to the malleability property (I think)

Yes you can create a valid ECDH signature for garbage. But the garbage
does not match the hash of any data you know the value of.

And yes, it is known because this is the mechanism that it is claimed was
used to empty Mt Gox.

ECDSA includes the hash function. It is not an optional part.


That wasn't exactly it.

They did use malleability, yes, but not to sign garbage. The signature
still signed the same original data - it just wasn't encoded bitwise
identically, which changed the *transaction hash* (the hash of all
transaction data with signature included).

Mt Gox tracked payments by transaction hash, not by UTXO identifiers
("unspent transaction output", comparable to individual coins), which was
already being recommended.
In other words, I could request a withdrawal, replay a slightly modified
version of their payment transaction to me, hope it gets chosen by the
miners, and then tell Mt Gox's support that I didn't get my money (which I
actually did), so then they pay me again with a NEW transaction, spending
*other* UTXOs (giving me "different coins", pretty much). While they
instead should have verified the UTXO and said "we spent UTXO 123 going to
his withdrawal address, and sure enough that's in the blockchain".
If the transaction really disappeared, they should resend it using the same
(then still unspent) UTXOs.

If they really had used it to sign garbage, the Bitcoin network would have
rejected that garbage data for not being a valid transaction.