|
Title: Why does bitcoin manipulate the signature beyond ECDSA_do_sign? Post by: alkor on August 27, 2014, 03:40:12 PM I am looking at how Bitcoin signs transactions in the src/key.cpp file, in particular the RAII wrapper around the OpenSSL implementation of ECDSA.
In the function Code: bool CECKey::Sign(const uint256 &hash, std::vector<unsigned char>& vchSig) I see the regular call to ECDA which returns the signature in sig Code: ECDSA_SIG *sig = ECDSA_do_sign((unsigned char*)&hash, sizeof(hash), pkey); Code: BN_CTX *ctx = BN_CTX_new(); What purpose do these manipulations serve? If one were to remove that code snippet, would that invalidate the signature? Or would that leak information about the private key? Title: Re: Why does bitcoin manipulate the signature beyond ECDSA_do_sign? Post by: DeathAndTaxes on August 27, 2014, 04:17:40 PM There are two possible signatures for a given message and k value (nonce). This is due to the s value being a value over a finite field. The two values will have symmetry around a line drawn at half the domain order. If you have one an s value you can compute its reciprocal. One s value is always greater than half the domain order (hi) and the other is always less (lo). Since the signature is public knowledge and relayed from peer to peer any peer can mutate the txn by replacing the s value with its reciprocal.
To reduce malleability, the bitcoin protocol now considers only lo s values (those smaller than half the order parameter) as canonical signatures. Canonical signatures are relayed normally. Non-canonical signatures are still valid for now however most newer nodes however will not relay them, they will not be added to the memory pool, and miners (unless running custom software) will not include them in blocks. Non canonical signatures are still valid so if included in a block the block and txn will be accepted by the network. |