📅 Original date posted:2014-12-21 📝 Original message:On 20 December 2014 at ...

Adam Back [ARCHIVE] /

npub1ac8…swfj

2023-06-07 15:27:57

in reply to nevent1q…efzs

📅 Original date posted:2014-12-21
📝 Original message:On 20 December 2014 at 14:48, Peter Todd <pete at petertodd.org> wrote:
> We need the following primitives operating on message m, pubkey p, and a
> valid signature sig1 for m, p:
>
> AntiReplaySign(m, p, sig1) -> sig2
> VerifyAntiReplaySig(m, p, sig2) -> True or False
>
> Additionally once AntiReplaySign() has been used once for a given pubkey
> it is impossible to re-run the primitive on a different message m'. This
> is of course impossible to implement with math alone, but we can
> implement it with a trusted third party.

Well while you cant prevent it you could render it insecure enabling
miners to take funds.

That could work via a one-show signature; normal ECDSA being address
a=H(Q), public key Q=dG, R=kG, r=R.x, s=(H(m)+rd)/k, signature (r,s),
verify: a=?H(Q) and sR=?H(m)G+rQ one-show being: a=H(Q,R), verify
being: a=?H(Q,R) and sR=?H(m)G+rQ. Now that is unsafe to double-spend
by design as only that specific R is usable and as we know reusing R
with different messages leaks the private key because: s=(H(m)+rd)/k
and s'=(H(m')+rd)/k implies sk=H(m)+rd and s'k=H(m')+rd so
k=(H(m)-H(m'))/(s'-s), and d=(sk-H(m))/r.

Adam

Author Public Key

npub1ac86vemj7ce5z8jyxt39rna3tvwql6xd30ha3vxcd6esysp23d9qrlswfj

Seen on

wss://relay.noswhere.com

Show more details

Published at

2023-06-07 15:27:57

Kind type

1 Short Text Note

Event JSON

{ "id": "c44b34e5b2cfd498731708a50d0f0814302d50cfab175afedcc9b5ac8cf5ff12", "pubkey": "ee0fa66772f633411e4432e251cfb15b1c0fe8cd8befd8b0d86eb302402a8b4a", "created_at": 1686151677, "kind": 1, "tags": [ [ "e", "532643ab636282d2be72721b5eff937f83665d34cc3162895b83b1c3a3745bf8", "", "root" ], [ "e", "32722bf6a95d0c0b1737eeda0f95bdc7186d65f781d583750a6b976441c359d5", "", "reply" ], [ "p", "daa2fc676a25e3b5b45644540bcbd1e1168b111427cd0e3cf19c56194fb231aa" ] ], "content": "📅 Original date posted:2014-12-21\n📝 Original message:On 20 December 2014 at 14:48, Peter Todd \u003cpete at petertodd.org\u003e wrote:\n\u003e We need the following primitives operating on message m, pubkey p, and a\n\u003e valid signature sig1 for m, p:\n\u003e\n\u003e AntiReplaySign(m, p, sig1) -\u003e sig2\n\u003e VerifyAntiReplaySig(m, p, sig2) -\u003e True or False\n\u003e\n\u003e Additionally once AntiReplaySign() has been used once for a given pubkey\n\u003e it is impossible to re-run the primitive on a different message m'. This\n\u003e is of course impossible to implement with math alone, but we can\n\u003e implement it with a trusted third party.\n\nWell while you cant prevent it you could render it insecure enabling\nminers to take funds.\n\nThat could work via a one-show signature; normal ECDSA being address\na=H(Q), public key Q=dG, R=kG, r=R.x, s=(H(m)+rd)/k, signature (r,s),\nverify: a=?H(Q) and sR=?H(m)G+rQ one-show being: a=H(Q,R), verify\nbeing: a=?H(Q,R) and sR=?H(m)G+rQ. Now that is unsafe to double-spend\nby design as only that specific R is usable and as we know reusing R\nwith different messages leaks the private key because: s=(H(m)+rd)/k\nand s'=(H(m')+rd)/k implies sk=H(m)+rd and s'k=H(m')+rd so\nk=(H(m)-H(m'))/(s'-s), and d=(sk-H(m))/r.\n\nAdam", "sig": "549c143636659ecd896b68501c47c2f22e629eca5ae6632c26af6ed3a177db1cd9b6b537062d6abdf8ea29f8f367bc10939cbc1ca2615af45ad386d1df8faa2c" }