[Cryptography] ECDSA signing: Can you have an old (v2) signing of v2 hash and v3 signing of hash v3 (that is prefix+SHA256(v2 hash)) cause some attacks, like length extension and so on?
Ondrej Mikle
ondrej.mikle at gmail.com
Fri Sep 23 20:59:39 EDT 2022
We currently have a v2 signature scheme:
Take `hash_v2 = SHA256(binary_blob)` (blob has maximum size, fixed blob)
If we change the signing algorithm with the same keys to:
`hash_v3 = SHA256("Some_plaintext_prefix" + SHA256(hash_v2))`
Which gives 2 signatures,
* ECDSA_v2 = secp256k1_sign(hash_v2)
* ECDSA_v3 = secp256k1_sign(hash_v3)
Both blob and prefix are plaintext.
Is it possible by some length extension or other attacks to malevolently
manipulate the signatures?
E.g. If we check that either ECDSA_v2 or ECDSA_v3 are valid over the same
`binary_blob`, would it allow any attacks?
Regards,
O.M.