What are the characteristics of the ideal digital signature for cryptocurrency transaction verification?

The reason I ask is because this answer about bitcoin signatures describes a potential vulnerability which makes this particular use of ECDSA sub-optimal with a possible solution in the comments.

I understand that the ideal characteristics may be currently impossible, such as being collisionless, or, even worse, forever contradictory, but I would like to know, in order to understand this particular application of digital signatures.

2 Answers

The problem with ECDSA is not related to what is signed with ECDSA; the need for a thoroughly random k parameter for each signature applies regardless of whether the signature is for a crypto-currency or an email or a digital certificate or whatever.

ECDSA, as a digital signature scheme, is quite reasonable. It is efficient (faster than RSA), its signatures are short (shorter than RSA), and it has been studied for quite a long time. The need for randomness is an important issue, but solutions exist. In any case, it can be viewed as an implementation issue, and modern computers (including smartphones) have access to all the needed randomness, if only the code is written properly.

Tom Leek

Just respect the requirements in the ECDSA and everything will be fine. Using RSA for signatures would be fine too.

In that particular case that you pointed out, by reusing the random number in the transaction, the attacker is able to recover the private key just by solving

Key = (r * modpow((s1 - s2), p - 2, p) * ((m1 * s2) - (m2 * s1))) % p

Example attack:

R=6819641642398093696120236467967538361543858578256722584730163952555838220871
S1=5111069398017465712735164463809304352000044522184731945150717785434666956473
M1=4834837306435966184874350434501389872155834069808640791394730023708942795899
S2=31133511789966193434473156682648022965280901634950536313584626906865295404159
M2=108808786585075507407446857551522706228868950080801424952567576192808212665067

Gives the result 35027840177330064405683178523079910253772859809146826320797401203281604260438

Which represents the key for 1FaapwdwYVVBiV6Qvkis88c2KHPoxX1Jb1

References

https://strm.sh/post/bitcoin-transaction-nonce-reuse/
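To see why nonce reuse is fatal, here is an added, self-contained example (not code from the answer above or from the linked post): it signs two constructed message hashes with the same k on secp256k1, observes that both signatures share r, and recovers d. It follows the standard derivation d = (m1*s2 - m2*s1) / (r*(s1 - s2)) mod n, i.e. it divides by r (modular inverse) and reduces modulo the group order n rather than the field prime p; the curve parameters are the real secp256k1 constants, the key, nonce and message hashes are constructed at random or fixed for the demo.

```python
# Added example, not from the original answer: why the ECDSA nonce k must
# be unique. Two signatures under the same k share r, and the private key d
# follows from  d = (m1*s2 - m2*s1) * inverse(r * (s1 - s2)) mod n.
# Minimal secp256k1 arithmetic, standard library only (Python 3.8+ for pow(x, -1, m)).
import secrets

P = 2**256 - 2**32 - 977                                                # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(A, B):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if A == B: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:      lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(k, Q):
    """Double-and-add computation of k*Q."""
    R = None
    while k:
        if k & 1: R = point_add(R, Q)
        Q = point_add(Q, Q)
        k >>= 1
    return R

def sign(d, m, k):
    """Textbook ECDSA with a caller-supplied nonce, so that reuse can be shown."""
    r = scalar_mult(k, G)[0] % N
    return r, pow(k, -1, N) * (m + r * d) % N

def recover_key(r, s1, m1, s2, m2):
    """Solve for d given two signatures that share r (same k); needs m1 != m2."""
    if (s1 - s2) % N == 0:
        raise ValueError("identical signatures: s1 - s2 is not invertible")
    return (m1 * s2 - m2 * s1) * pow(r * (s1 - s2), -1, N) % N

def demo():
    """Sign two constructed message hashes with one k; True if d is recovered."""
    d = secrets.randbelow(N - 1) + 1          # constructed private key
    k = secrets.randbelow(N - 1) + 1          # the nonce that gets reused
    m1, m2 = 0x5EED1, 0x5EED2                 # constructed message hashes
    r1, s1 = sign(d, m1, k)
    r2, s2 = sign(d, m2, k)
    return r1 == r2 and recover_key(r1, s1, m1, s2, m2) == d
```

A defender can apply the same check to a stream of signatures: two signatures from one public key with an identical r value are the tell-tale sign, and deterministic nonces (RFC 6979) remove the failure mode entirely.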

schroeder
OPSXCQ