twitchyliquid64
commented
2 years ago Possibly answering my own question: R is part of the hashing computation for k so attackers can't fuck with it without breaking the signature?
Closed twitchyliquid64 closed 2 years ago
twitchyliquid64
commented
2 years ago Possibly answering my own question: R is part of the hashing computation for k so attackers can't fuck with it without breaking the signature?
FiloSottile
commented
2 years ago Hi! That's a good question! Honestly generated signatures are not malleable because of two reasons:
R is hashed into k (not its canonical re-encoding)y coordinate between 2^255-19 and 2^255-1, or those with x equal to 0, and a honestly generated signature has negligible probability of generating such an R
Firstly, I apologize if this is a stupid question! I'm very much trying to learn but crypto implementation details are all very new.
Given knowledge of a valid signature + its message + the verification key, can an attacker produce a valid signature with a different bytewise encoding? (i.e. a digest over the message + signature would change)
I'm assuming honestly-generated signing/verification keys outside of attacker influence. EG: calling
GenerateKeyusingcrypto/ed25519.I was originally thinking the answer to this question would be 'no', but the zip 215 spec says that its not required that R be a canonical encoding. So couldn't an attacker represent R in a different encoding? (maybe finding such an encoding without knowledge of the signing key is infeasible?)