Closed ghost closed 6 years ago
Thanks, and you're absolutely correct. It's a slip and we have it tracked within the Grin issues list here: https://github.com/mimblewimble/grin/issues/1358
But good job finding it independently. We really appreciate having more eyes on this code, so if you come across anything further please don't hesitate to let us know.
Hello.
I think there is a related-key attack in the way you produce Schnorr signatures.
https://github.com/mimblewimble/secp256k1-zkp/blob/7b7f3ec3f1fce7184bb79fea609e2b9f159c607e/src/modules/aggsig/main_impl.h#L49
sizeof(buf-1) = 8
sizeof(buf) - 1 = 32
so to my understanding you're copying only 8 bytes of the public key.
Therefore, if the signature (s, e) is verified by H( || sG - eX) = e for public key X = xG, then the signature (s+ev, e) is verified by H( || (s+ev)G - e(X+vG)) = e for public key X + vG for any v in \ZZ_p for which X + vG has the same leading 64 bits as X.
Am I doing something wrong in here? Could you help me understand?
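The length slip the report describes, as an added example that is not code from the secp256k1-zkp repository: it assumes a 33-byte serialized key buffer whose first byte is skipped, and uses a toy FNV-1a hash as a stand-in for the real challenge hash, only to make visible whether the hash input still binds the whole key.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed: a 33-byte buffer holding a compressed public key, prefix byte first. */
#define KEYLEN 33

/* Toy 64-bit FNV-1a: a stand-in for the real challenge hash, chosen so that
 * two byte-identical inputs hash equal and two differing inputs hash differently. */
static uint64_t fnv1a(const unsigned char *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* The expression as reported: sizeof applied to a pointer expression yields
 * sizeof(unsigned char *) (8 on LP64 platforms), not the 32 remaining key bytes. */
size_t buggy_len(void) {
    unsigned char buf[KEYLEN];
    return sizeof(buf - 1);          /* == sizeof(unsigned char *) */
}

/* The intended expression: the array size minus the one-byte prefix. */
size_t fixed_len(void) {
    unsigned char buf[KEYLEN];
    return sizeof(buf) - 1;          /* == 32 */
}

/* Hash of the key bytes after the prefix byte, using the given length. */
uint64_t challenge_input(const unsigned char key[KEYLEN], size_t len) {
    return fnv1a(key + 1, len);
}

/* Returns 1 if two distinct keys that share their leading post-prefix bytes
 * collapse to the same hash input under the given length, i.e. the challenge
 * no longer commits to the full public key. */
int keys_collide(size_t len) {
    unsigned char a[KEYLEN], b[KEYLEN];
    memset(a, 0xAA, KEYLEN);          /* constructed sample key A */
    memcpy(b, a, KEYLEN);             /* constructed sample key B ... */
    b[KEYLEN - 1] ^= 0x01;            /* ... differing only in its last byte */
    return challenge_input(a, len) == challenge_input(b, len);
}

int main(void) {
    printf("buggy length %zu: keys collide = %d\n", buggy_len(), keys_collide(buggy_len()));
    printf("fixed length %zu: keys collide = %d\n", fixed_len(), keys_collide(fixed_len()));
    return 0;
}
```

With the buggy length the two sample keys produce the same hash input; with the corrected length they differ, which is the property a verifier must rely on.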