
I am curious why the equations for signing/validating with ECDSA have the forms they have. Is it possible to use a simpler equation that has the same properties?

For example, this is an equation I found in the book on Bitcoin:

$$ s = (z + re)/k $$ where,

$r = x\_coordinate\_of(k \cdot G)$,

$e$ - private key,

$z$ - message hash,

$k$ - random number,

$(s, r)$ - signature

What is interesting is that the original paper for ECDSA uses a slightly different formula:

$$ s = k / (z + re) $$

Question

But is it possible to use something even simpler? For example:

$$ s = k/ze $$

And then we can check on validation that the following equation holds:

$$ s \cdot z \cdot P = r, $$ where $P = e \cdot G$ is public key.

Why do we need to incorporate $r$ in the formula? And why should it be incorporated via addition rather than multiplication, for example?

1 Answer


The issue here is that knowledge of the private key would not be necessary to produce signatures. In other words, forgeries would be trivial to produce.

If the verification process is $$\mathrm{x\_coordinate}(szP)=r$$ then I can simply choose any value of $s$, compute the RHS and claim that as the $r$ value for my signature. Note that knowledge of $e$ was not used.

Similarly, if the verification process is $$\mathrm{x\_coordinate}(srzP)=r$$ I can choose any value of $t$, compute $tzP$ and select the $x$-coordinate for $r$ then set $s=t/r$.

By not including both $G$ and $P$ in the verification process, you essentially remove any dependence on $e$. Similar issues arise with the curveball vulnerability.

Daniel S
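The first forgery described in the answer, as an added example that is not part of the original post: it implements the question's simplified check $\mathrm{x\_coordinate}(szP)=r$ next to the standard ECDSA check and shows that an $(r, s)$ pair built from public data alone passes the former and fails the latter. The choice of secp256k1, the function names, and the sample key, hash and $s$ values are assumptions constructed for illustration.

```python
# secp256k1 domain parameters (public constants of the curve used by Bitcoin)
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    R = None
    while k:
        if k & 1: R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R

def verify_simplified(P, z, r, s):
    """The question's proposed check: x(s*z*P) == r. Uses P but never G."""
    R = mul(s * z % n, P)
    return R is not None and R[0] % n == r

def verify_ecdsa(P, z, r, s):
    """Standard ECDSA check: x((z/s)*G + (r/s)*P) == r. Uses both G and P."""
    w = pow(s, -1, n)
    R = add(mul(z * w % n, G), mul(r * w % n, P))
    return R is not None and R[0] % n == r

def forge_simplified(P, z, s=12345):
    """Build (r, s) from public data only: pick any s, read r off s*z*P."""
    return mul(s * z % n, P)[0] % n, s

e = 0xC0FFEE              # constructed private key, used only to derive P
P = mul(e, G)             # public key
z = 0xDEADBEEF            # constructed message hash
r, s = forge_simplified(P, z)   # note: e is not an input here
print(verify_simplified(P, z, r, s), verify_ecdsa(P, z, r, s))
```

The forged pair is accepted by the simplified check because $r$ is free to be whatever $szP$ produces, while the standard equation ties $r$ to both $G$ and $P$ and rejects it.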