[Cryptography] In ECDSA, without knowing priv. key and any signature one can sign random garbage

Georgi Guninski guninski at guninski.com
Fri Mar 10 03:16:06 EST 2017


On Wed, Mar 08, 2017 at 04:35:39PM +0100, Jan Moritz Lindemann wrote:
> I hadn't the time to take a look into your example but what you basically

Ported it to python's ECDSA an it still works:
https://j.ludost.net/tmp/ECDSA-py.py

> describe is not a malleability attack but an existential forgery attack.
> See https://en.wikipedia.org/wiki/Digital_signature_forgery
> This attack is well known in RSA where it is mitigated by using padding
> algorithms like RSA-PSS.
> To my knowledge existential forgery is not possible with ECDSA.
> 

These signatures are like the math RSA forgery:  sign the H coming
from the hash function, not an actual message.



More information about the cryptography mailing list