`crypto.signature.signature.verify()` rejects signatures with an `r`, inverses, or message (hash) greater than `2**251 < EC_ORDER`:

cairo-lang/src/starkware/crypto/starkware/crypto/signature/signature.py, lines 199 to 201 in 4e23351

There's a gap of ~2^196 values, thus a probability to hit an invalid `r` or `s` that is of the order of 2^(196-251)/2 = 2^-54, when generating an ECDSA sig for some fixed message using a standard algorithm (rather than Cairo's `sign()`, which enforces these constraints).

I can't think of a specific attack scenario at the moment, but I would expect to find applications where either

- that accidental failure rate would be unacceptably high, or
- adversaries could brute-force invalid sigs to do some kind of DoS, or worse (with plausible deniability).

I'm probably missing some of the context, and you may have a good reason to verify sigs that way.
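As an added illustration (my own code, not cairo-lang's `verify()`), the range checks as the issue describes them, plus the exact rejection rate they imply for a signature whose `r` and `s` are uniform in `[1, EC_ORDER)`. The `EC_ORDER` value is the STARK curve order as I recall it and is an assumption, not taken from the issue.

```python
from fractions import Fraction
from math import log2

# STARK curve group order (recalled from memory, not from the issue text,
# which only names it EC_ORDER). Note 2**251 < EC_ORDER.
EC_ORDER = 3618502788666131213697322783095070105526743751716087489154079457884512865583
BOUND = 2**251          # bound the verifier enforces on r, s^-1 and the hash
GAP = EC_ORDER - BOUND  # valid-but-rejected values per component, ~2^196


def passes_range_checks(r: int, s: int, msg_hash: int) -> bool:
    """Hypothetical reimplementation of the range checks described in the
    issue: r, the modular inverse of s, and the message hash must all lie in
    [1, 2**251). A standard ECDSA signer draws r, s from [1, EC_ORDER), so a
    mathematically valid signature can still fail these checks."""
    if not 1 <= r < BOUND:
        return False
    if not 1 <= s < EC_ORDER:
        return False
    w = pow(s, -1, EC_ORDER)  # s^-1 mod n (Python 3.8+)
    if not 1 <= w < BOUND:
        return False
    return 1 <= msg_hash < BOUND


def rejection_probability() -> tuple[float, float]:
    """Probability that a uniformly random valid ECDSA signature is rejected
    by the range checks alone. Returns (per-component probability,
    probability that r or s^-1 fails), treating r and s^-1 as independent
    uniform values in [1, EC_ORDER)."""
    p_one = Fraction(GAP, EC_ORDER - 1)
    p_either = 1 - (1 - p_one) ** 2
    return float(p_one), float(p_either)


def log2_bits(p: float) -> float:
    """Express a probability p as k with p = 2^-k ('one in 2^k')."""
    return -log2(p)


if __name__ == "__main__":
    p_one, p_either = rejection_probability()
    print(f"gap = {GAP} (~2^{GAP.bit_length() - 1})")
    print(f"P(r out of range)         ~ 2^-{log2_bits(p_one):.1f}")
    print(f"P(r or s^-1 out of range) ~ 2^-{log2_bits(p_either):.1f}")
```

The per-component rate comes out near 2^-55 and the union of the two checks near 2^-54, matching the estimate in the issue.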