Further explanation on the security warning within PrehashVerifier
#1323
Comments
It's better explained here, perhaps: https://docs.rs/signature/latest/signature/trait.PrehashSignature.html Signature systems which leverage a message digest, such as those based on the Fiat-Shamir heuristic, are secure in the Random Oracle Model. Removing the random oracle from such systems is a catastrophic breakage. These systems are fundamentally challenge/response protocols made non-interactive by picking the challenge using a hash function. Allowing the signer to pick the challenge arbitrarily destroys the security of these systems, because it definitionally ceases to be a challenge at that point. There's an explanation of what this attack looks like when applied to ECDSA here: https://bitcoin.stackexchange.com/questions/81115/if-someone-wanted-to-pretend-to-be-satoshi-by-posting-a-fake-signature-to-defrau/81116#81116
Thanks a lot for your explanation/links and the fast answer! Summarizing my understanding for posterity (and I think we're good to close this issue!): if the verifier doesn't hash the message themselves, they open themselves to the following attack (picking ECDSA for this example):
For the signature to be valid we need Let's compute
We've shown
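Concretely, here is the forgery the linked bitcoin.stackexchange answer describes, as an added example written for this page (it is not the signature crate's code). It is a pure-Python ECDSA over secp256k1 with two verifier shapes: verify_digest takes a caller-supplied digest e, the shape of the hazmat PrehashVerifier, and cannot tell whether e is really a hash; verify_message hashes the message itself. A forged (e, r, s) built from the public key alone passes verify_digest but fails verify_message, because nobody knows a message whose SHA-256 equals the attacker's e. All function names are my own.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants); curve is y^2 = x^3 + 7 over F_P
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def digest_of(msg):
    """e = SHA-256(msg) as an integer: the value a verifier should compute itself."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def generate_keypair():
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)


def sign_digest(d, e):
    """Sign an already-hashed value e (PrehashSigner shape)."""
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * d) % N
        if r and s:
            return r, s


def verify_digest(pub, e, r, s):
    """PrehashVerifier shape: trusts the caller's e, cannot know if it is a real hash."""
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    point = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def sign_message(d, msg):
    return sign_digest(d, digest_of(msg))


def verify_message(pub, msg, r, s):
    """Safe shape: the verifier hashes the message itself, so e is never attacker-chosen."""
    return verify_digest(pub, digest_of(msg), r, s)


def forge_prehash_signature(pub):
    """Existential forgery from the public key alone (construction in the linked answer).
    Pick random a, b; R = aG + bP; then (r, s) = (R.x, r/b) verifies for e = a*r/b,
    since u1 = e/s = a and u2 = r/s = b reproduce R.  e is a random-looking number
    with no known SHA-256 preimage, which is why a message-hashing verifier rejects it."""
    while True:
        a = secrets.randbelow(N - 1) + 1
        b = secrets.randbelow(N - 1) + 1
        point = ec_add(ec_mul(a, G), ec_mul(b, pub))
        if point is None or point[0] % N == 0:
            continue
        r = point[0] % N
        b_inv = pow(b, -1, N)
        return a * r * b_inv % N, r, r * b_inv % N


if __name__ == "__main__":
    d, pub = generate_keypair()
    r, s = sign_message(d, b"transfer 1 coin")
    print("honest signature, message-hashing verifier:", verify_message(pub, b"transfer 1 coin", r, s))
    e, fr, fs = forge_prehash_signature(pub)
    print("forged (e, r, s), prehash verifier:", verify_digest(pub, e, fr, fs))
    print("same forgery, message-hashing verifier:", verify_message(pub, b"transfer 1 coin", fr, fs))
```

The lesson for API design is the one the hazmat comment makes: exposing verify_digest to callers is only safe when the digest is guaranteed to have been computed by a hash the verifier trusts, since the attacker's forged e is a valid-looking 256-bit value that the verification equation cannot distinguish from a genuine SHA-256 output.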
Hello! I found the following security warning in the comment on top of PrehashVerifier:
traits/signature/src/hazmat.rs, lines 64 to 68 in 3be350f
I was wondering if it's possible to have more details on what this potential signature forgery attack is? Because it's defined on a trait rather than a concrete curve/signing algorithm, does it apply across the board? I'd be curious to know what the "system of linear equations" is in the case where a not-so-random digest is signed.