Author: Aaron Voisine 2014-07-19 08:34:13
Published on: 2014-07-19T08:34:13+00:00
The conversation is between Aaron Voisine and Gregory Maxwell regarding the properties of the DSA nonce. Maxwell explains that an attacker can refuse to follow the protocol unless prevented. While a user can specify to use derandomized DSA, there is no reasonable way to prove that a particular nonce generation scheme is being used without revealing the private key in the process. Since the verifier cannot know the nonce, or else he could recover the private key, it cannot control how a DSA nonce was generated in the verifier in a way that would prevent equivalent but not identical signatures. Voisine suggests creating a transaction with a different signature hash by changing something trivial like nLockTime, or changing the order of inputs or outputs. However, this does not address the issue at hand. As Maxwell points out, specifying a deterministic signer alone would not prevent someone from grinding signatures to improve their mining odds. Although there are signature systems that are naturally randomness-free such as hash-based signatures and pairing short signatures, DSA, Schnorr, or any of their derivatives are not.
Updated on: 2023-06-09T01:18:18.588970+00:00