[Cryptography] In ECDSA, without knowing priv. key and any signature one can sign random garbage
Georgi Guninski
guninski at guninski.com
Fri Mar 10 03:16:06 EST 2017
On Wed, Mar 08, 2017 at 04:35:39PM +0100, Jan Moritz Lindemann wrote:
> I hadn't the time to take a look into your example but what you basically
Ported it to python's ECDSA an it still works:
https://j.ludost.net/tmp/ECDSA-py.py
> describe is not a malleability attack but an existential forgery attack.
> See https://en.wikipedia.org/wiki/Digital_signature_forgery
> This attack is well known in RSA where it is mitigated by using padding
> algorithms like RSA-PSS.
> To my knowledge existential forgery is not possible with ECDSA.
>
These signatures are like the math RSA forgery: sign the H coming
from the hash function, not an actual message.
More information about the cryptography
mailing list