Valid signature rejection not that negligible and possibly exploitable

[veorq]

crypto.signature.signature.verify() rejects signatures with an r, inverse s, or message (hash) greater than 2**251 < EC_ORDER:

cairo-lang/src/starkware/crypto/starkware/crypto/signature/signature.py

Lines 199 to 201 in 4e23351

	assert 1 <= r < 2 ** N_ELEMENT_BITS_ECDSA, "r = %s" % r
	assert 1 <= w < 2 ** N_ELEMENT_BITS_ECDSA, "w = %s" % w
	assert 0 <= msg_hash < 2 ** N_ELEMENT_BITS_ECDSA, "msg_hash = %s" % msg_hash

There's a gap of ~2^196 values, thus a probability to hit an invalid r or s that is of the order of 2^(196-251)/2 = 2^-54, when generating an ECDSA sig for some fixed message using a standard algorithm (rather than Cairo's sign(), which enforces these constraints).

I can't think of a specific attack scenario at the moment, but I would expect to find applications where either

1. that accidental failure rate would be unacceptably high, or
2. adversaries could bruteforce invalid sigs to do some kind of DoS, or worse (with plausible deniability)

I probably miss some of the context, and you may have a good reason to verify sigs that way.

[veorq]

Any thoughts on this?

[JameWade]

Why is there no official reply to this question?I think is a good question