Unfortunately, given the public’s limited of understanding of cryptography this is apparently an easy fraud to pull off.

The key trick is that non-technical people are prone to believe things that just sound jargony enough and that technical people tend to think they know a lot more than they actually do– and so they’re easily sent off into the weeds.

In cryptosystems the details are more important than you could possibly imagine. So all you have to do is make a forgery that works for a slightly modified cryptosystem and then lots of people who THINK they understand how ECDSA works will rush out to claim the result holds.

Most modifications that you can think of are sufficient to make the scheme insecure.

So, for example, a couple years ago Craig Wright claimed to ‘prove he was Satoshi’ by simply copying some pre-existing signatures out of the blockchain and posting somewhat obfuscated instructions on verifying them. It was figured out pretty quickly, but still managed to fool a lot of people– they were too caught up in the mumbojumbo to think of the obvious. The “modification” in this case was that the message the scammer was claiming to sign just has no relationship to the message that was actually signed.

More recently it appears that someone attempted something similar again, but this time with ‘signatures’ that weren’t from the blockchain… resulting in ‘verification’ from the developers of some BCH clients to an engineer at RedHat. But it turns out that, again, that the attempt was fake and people’s partial but incomplete understanding of crypto burned them.

As Bitcoin developer Pieter Wuille notes “ECDSA signatures where the message isn’t a hash and chosen by the “signer” are insecure.“– this time the scammer just published ‘hash’, r, s tuples. The hash part of ECDSA is integral to the algorithm. If the verifier doesn’t run the hash themselves, the security properties of ECDSA don’t hold and an existential forgery becomes trivial.

[This same vulnerability was baked into the original OP_DSV opcode in BCH– it originally didn’t hash the incoming data but left that up to the user– but I reported it and they appear to have fixed it before deploying it.]

If the verifier doesn’t perform the hash himself but just accepts a value given by the signer, he becomes susceptible to the following: Given public key P, pick random nonzero values a and b. Compute R=aG+bP. Now (R.x, R.x/b) is a valid signature under key P for “message-hash” (R.x*a/b).

This doesn’t compromise the security of real ECDSA because you cannot find a message that hashes to a chosen (R.x*a/b) value.

People should be wary of obfuscated or overly technical ‘proofs’, — things that look “like” a secure system but for some reason have people verifying it working with raw numbers or code. Well designed cryptographic software put in a lot of effort to avoid users being fooled by stunts like this. This stuff is tricky and anyone could be confused into accepting a false proof if they were convinced to effectively implement a bespoke cryptosystem themselves. A cryptosystem is not secure simply because you, personally, don’t see how to break it.

Here an an example Sage script to produce forgeries that will fool someone that accepts an ECDSA ‘signature’ without hashing the message themselves. It works with any EC key, including one that the forger hasn’t seen a signature from before.

C = EllipticCurve ([F (0), F (7)])
G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
N = FiniteField (C.order())
P = P=-C.lift_x(0x11db93e1dcdb8a016b49840f8c53bc1eb68a382e97b1482ecad7b148a6909a5c) # block 9 coinbase payout key.
def forge(c, a=-1):  # Create a forged 'ECDSA'  (hashless) signature
  # set a to something other than -1 to be less obvious
  a = N(a)
  R = c*G + int(a)*P
  s = N(int(R.xy()[0]))/a
  m = N(c)*N(int(R.xy()[0]))/a
  print 'hash1 = %d'%m
  print 'r1 = %d'%(int(R.xy()[0]))
  print 's1 = %d'%s 
for c in range(1,10):

This code produces fake forgeries of the sort that was used to trick people recently.

hash1 = 25292222169426362969760742810503101183086560848420849767135309758511048414376
r1 = 61518691557461623794232686914770715342344584505217074682876722883231084339701
s1 = 54273397679854571629338298093917192510492979773857829699728440258287077154636


Source link

By admin

Leave a Reply

Your email address will not be published. Required fields are marked *