onflow / flow-go

A fast, secure, and developer-friendly blockchain built to support the next generation of games, apps, and the digital assets that power them.
GNU Affero General Public License v3.0

[Crypto] handling of ecdsa signature malleability #2251

Open LanfordCai opened 2 years ago

LanfordCai commented 2 years ago

Flow uses ECDSA as its signing algorithm (nistp256 and secp256k1). In ECDSA, the signature is in the form of (r, s), but there is a second valid signature (r, -s), which can be generated by using (r, s). One of the signatures' s-values is less than half of the curve order (aka a low-s signature), and the other one is not. Other blockchains like Bitcoin/Ethereum choose the low-s signature as the canonical one to prevent the problems caused by transaction malleability. But on Flow, both low-s form and high-s form signatures are regarded as valid (check it here). The malleability of signatures might cause a transaction malleability problem on Flow (check it here).

I wrote a demo to show these problems here.

In my opinion:

Should we change this behavior?
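The low-s canonical form described in the issue, as an added example that is not part of the original post or of flow-go: it uses Go's standard `crypto/ecdsa` on P-256 rather than Flow's crypto package, and the helpers `IsLowS`, `Mirror`, `VerifyStrict` and `Demo` are hypothetical names. It shows that plain verification accepts both (r, s) and (r, n-s), while a verifier that also requires s <= n/2 accepts exactly one of them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// IsLowS reports whether s is in the lower half of the curve order n (s <= n/2).
func IsLowS(c elliptic.Curve, s *big.Int) bool {
	half := new(big.Int).Rsh(c.Params().N, 1)
	return s.Sign() > 0 && s.Cmp(half) <= 0
}

// Mirror returns n - s, the s-value of the other signature valid for the same r.
func Mirror(c elliptic.Curve, s *big.Int) *big.Int {
	return new(big.Int).Sub(c.Params().N, s)
}

// VerifyStrict accepts only the canonical low-s form (hypothetical helper).
func VerifyStrict(pub *ecdsa.PublicKey, hash []byte, r, s *big.Int) bool {
	return IsLowS(pub.Curve, s) && ecdsa.Verify(pub, hash, r, s)
}

// Demo signs a constructed message; bothPlain reports whether (r, s) and (r, n-s)
// both pass plain verification, oneStrict whether exactly one passes VerifyStrict.
func Demo() (bothPlain, oneStrict bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	pub, hash := &priv.PublicKey, sha256.Sum256([]byte("constructed sample transaction"))
	r, s, err := ecdsa.Sign(rand.Reader, priv, hash[:])
	if err != nil {
		return false, false, err
	}
	m := Mirror(pub.Curve, s)
	bothPlain = ecdsa.Verify(pub, hash[:], r, s) && ecdsa.Verify(pub, hash[:], r, m)
	oneStrict = VerifyStrict(pub, hash[:], r, s) != VerifyStrict(pub, hash[:], r, m)
	return bothPlain, oneStrict, nil
}

func main() {
	fmt.Println(Demo())
}
```

Because the curve order n is odd, s and n-s can never be equal, so exactly one of the two forms is low-s regardless of which one the signer happened to produce.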

tarakby commented 2 years ago

Hi @LanfordCai, thank you for submitting the issue and providing the demos 👌🏼 We have been looking at this flag since we received your question on Discord. We'll get back to you about transaction malleability soon with more details.