zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8922 Commits
183 Branches
291 MiB
Tree: ae5f98881b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ae5f98881b'
${ noResults }
tendermint/docs/architecture/adr-014-secp-malleability.md

63 lines
2.8 KiB
Raw Normal View History

ADR: Fix malleability problems in Secp256k1 signatures Previously you could not assume that your transaction hash would appear on chain.
6 years ago
(squash this) improve grammar.
6 years ago
ADR: Fix malleability problems in Secp256k1 signatures Previously you could not assume that your transaction hash would appear on chain.
6 years ago
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format
6 years ago
(squash this) Mixed up field element and curve element. Idea still stands.
6 years ago
ADR: Fix malleability problems in Secp256k1 signatures Previously you could not assume that your transaction hash would appear on chain.
6 years ago
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format
6 years ago
(squash this) improve grammar.
6 years ago
(squash this) Mixed up field element and curve element. Idea still stands.
6 years ago
ADR: Fix malleability problems in Secp256k1 signatures Previously you could not assume that your transaction hash would appear on chain.
6 years ago
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format
6 years ago
(squash this) Mixed up field element and curve element. Idea still stands.
6 years ago
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format
6 years ago
(squash this) Mixed up field element and curve element. Idea still stands.
6 years ago
ADR: Fix malleability problems in Secp256k1 signatures Previously you could not assume that your transaction hash would appear on chain.
6 years ago
(squash this) indicate what Ethereum does
6 years ago
ADR: Fix malleability problems in Secp256k1 signatures Previously you could not assume that your transaction hash would appear on chain.
6 years ago
Fix some broken links (#5261) ## Description Fix a bunch of old and broken links in markdown files.
4 years ago
ADR: Fix malleability problems in Secp256k1 signatures Previously you could not assume that your transaction hash would appear on chain.
6 years ago
crypto/secp256k1: Fix signature malleability, adopt more efficient en… (#2239) * crypto/secp256k1: Fix signature malleability, adopt more efficient encoding This removes signature malleability per ADR 14, and makes secp match the encoding in ADR 15. * (squash this) add lock
6 years ago
ADR: Fix malleability problems in Secp256k1 signatures Previously you could not assume that your transaction hash would appear on chain.
6 years ago
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format
6 years ago
ADR: Fix malleability problems in Secp256k1 signatures Previously you could not assume that your transaction hash would appear on chain.
6 years ago
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format
6 years ago
ADR: Fix malleability problems in Secp256k1 signatures Previously you could not assume that your transaction hash would appear on chain.
6 years ago
 
  1. # ADR 014: Secp256k1 Signature Malleability

  2. 

  3. ## Context

  4. 

  5. Secp256k1 has two layers of malleability.
  6. The signer has a random nonce, and thus can produce many different valid signatures.
  7. This ADR is not concerned with that.
  8. The second layer of malleability basically allows one who is given a signature
  9. to produce exactly one more valid signature for the same message from the same public key.
  10. (They don't even have to know the message!)
  11. The math behind this will be explained in the subsequent section.
  12. 

  13. Note that in many downstream applications, signatures will appear in a transaction, and therefore in the tx hash.
  14. This means that if someone broadcasts a transaction with secp256k1 signature, the signature can be altered into the other form by anyone in the p2p network.
  15. Thus the tx hash will change, and this altered tx hash may be committed instead.
  16. This breaks the assumption that you can broadcast a valid transaction and just wait for its hash to be included on chain.
  17. One example is if you are broadcasting a tx in cosmos,
  18. and you wait for it to appear on chain before incrementing your sequence number.
  19. You may never increment your sequence number if a different tx hash got committed.
  20. Removing this second layer of signature malleability concerns could ease downstream development.
  21. 

  22. ### ECDSA context

  23. 

  24. Secp256k1 is ECDSA over a particular curve.
  25. The signature is of the form `(r, s)`, where `s` is a field element.
  26. (The particular field is the `Z_n`, where the elliptic curve has order `n`)
  27. However `(r, -s)` is also another valid solution.
  28. Note that anyone can negate a group element, and therefore can get this second signature.
  29. 

  30. ## Decision

  31. 

  32. We can just distinguish a canonical form for the ECDSA signatures.
  33. Then we require that all ECDSA signatures be in the form which we defined as canonical.
  34. We reject signatures in non-canonical form.
  35. 

  36. A canonical form is rather easy to define and check.
  37. It would just be the smaller of the two values for `s`, defined lexicographically.
  38. This is a simple check, instead of checking if `s < n`, instead check `s <= (n - 1)/2`.
  39. An example of another cryptosystem using this
  40. is the parity definition here https://github.com/zkcrypto/pairing/pull/30#issuecomment-372910663.
  41. 

  42. This is the same solution Ethereum has chosen for solving secp malleability.
  43. 

  44. ## Proposed Implementation

  45. 

  46. Fork https://github.com/btcsuite/btcd, and just update the [parse sig method](https://github.com/btcsuite/btcd/blob/11fcd83963ab0ecd1b84b429b1efc1d2cdc6d5c5/btcec/signature.go#L195) and serialize functions to enforce our canonical form.
  47. 

  48. ## Status

  49. 

  50. Implemented
  51. 

  52. ## Consequences

  53. 

  54. ### Positive

  55. 

  56. - Lets us maintain the ability to expect a tx hash to appear in the blockchain.
  57. 

  58. ### Negative

  59. 

  60. - More work in all future implementations (Though this is a very simple check)
  61. - Requires us to maintain another fork
  62. 

  63. ### Neutral