Open KasparEtter opened 3 years ago
Update after some further research: The STANDARD_SCRIPT_VERIFY_FLAGS include SCRIPT_VERIFY_LOW_S, which causes the Script interpreter to require a low s value when enabled. This does make signatures with a high s value non-standard. In order to prevent malleability attacks, however, it would have to be enforced as a consensus rule. "Removes ECDSA malleability: low s values enforced." should not be attributed to BIP 66 and changed to something like "High s values are non-standard (i.e. not relayed by others).".
You write at https://teachbitcoin.io/presentations/ecdsa.html#/2 that low s values are enforced. As far as I know, this is not the case. BIP 62 was withdrawn, and BIP 66 specifies only the encoding of the elements without restricting their values. libsecp256k1 generates signatures with a low s value, but this doesn't make it an enforced consensus rule. And since SegWit, signature malleability no longer matters anyway.