
>It is, but some libraries do not perform this check. Including TweetNaCl if I recall correctly.

I'm not sure why TweetNaCl is even considered a serious crypto library. I guess that it can fit in tweets, but this is an optimization that is at best irrelevant, at worst a bad software engineering practice.

Re malleability: instead of just thinking about this issue in an abstract way, I recommend writing an exploit. For example, Tink doesn't check R or A at all, try to see if you can produce a new signature from an existing one by modifying R or A as you said.




> Re malleability: instead of just thinking about this issue in an abstract way, I recommend writing an exploit.

Challenge accepted! Hmm, doesn't work. Let me think a bit more abou— <facepalm>

Of course: I totally forgot that h is a hash of R and A, not just the message. So if I change them in any way, h's main factor will change unpredictably, and the signature will fail. Looks like the only malleability left is `s`, and that has nothing to do with the cofactor. Let's take the whole section down.

Lesson learned: I should test my writings like I test my code.

---

If I may, you should have led with "If R or A is changed, h will change." I let myself get worked up by your first comment¹, and failed to notice the single most important sentence near the bottom. I ended up having to reach the same conclusion independently. I almost missed my error.

[1]: You didn't address me directly, and you didn't start with my error. Regardless of your intentions, that felt mildly confrontational. Being nicer would have been more effective.
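The point the comment above arrives at, in runnable form: because h = SHA-512(R || A || M) binds R and A, altering either one changes h and the verification equation fails, so the only remaining malleability is the encoding of s, which the s < L range check closes. This is an added example, not code from the thread, from TweetNaCl or from Tink: a minimal, unoptimized pure-Python Ed25519 following RFC 8032, with a constructed seed and message, and a `check_s_range` switch that models a verifier that skips the check.

```python
import hashlib
# Ed25519 parameters (RFC 8032): field prime P, group order L, curve constant D.
P, L = 2**255 - 19, 2**252 + 27742317777372353535851937790883648493
D = -121665 * pow(121666, -1, P) % P
H = lambda *parts: hashlib.sha512(b"".join(parts)).digest()
le = lambda b: int.from_bytes(b, "little")
def add(p, q):  # affine twisted-Edwards addition with a = -1 (slow, but readable)
    (x1, y1), (x2, y2) = p, q
    k = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + k, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - k, -1, P) % P)
def mul(k, p):  # double-and-add scalar multiplication from the neutral element (0, 1)
    r = (0, 1)
    while k:
        r = add(r, p) if k & 1 else r
        p, k = add(p, p), k >> 1
    return r
def decode(b):  # recover x from the encoded y and sign bit; ValueError if not on the curve
    y = le(b) & ((1 << 255) - 1)
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    x = x if (x * x - x2) % P == 0 else x * pow(2, (P - 1) // 4, P) % P
    if (x * x - x2) % P:
        raise ValueError("not on curve")
    return (P - x if (x & 1) != (b[31] >> 7) else x, y)
encode = lambda p: (p[1] | (p[0] & 1) << 255).to_bytes(32, "little")
B = decode((4 * pow(5, -1, P) % P).to_bytes(32, "little"))  # base point, y = 4/5
def sign(seed, msg):  # returns (public key A, signature R || s)
    h = H(seed)
    a = le(h[:32]) & ((1 << 254) - 8) | 1 << 254  # clamped secret scalar
    A, r = encode(mul(a, B)), le(H(h[32:], msg)) % L
    R = encode(mul(r, B))
    k = le(H(R, A, msg)) % L  # the hash binds R and A, not only the message
    return A, R + ((r + k * a) % L).to_bytes(32, "little")
def verify(A, msg, sig, check_s_range=True):
    R, s = sig[:32], le(sig[32:])
    if check_s_range and s >= L:  # the range check the thread says some libraries skip
        return False
    try:  # s*B == R + h*A with h = SHA-512(R || A || M)
        return mul(s, B) == add(decode(R), mul(le(H(R, A, msg)) % L, decode(A)))
    except ValueError:  # R or A does not decode to a curve point
        return False
def malleability_demo(msg=b"constructed test message"):
    A, sig = sign(b"\x01" * 32, msg)  # constructed seed, not a real key
    R, s_plus_L = sig[:32], (le(sig[32:]) + L).to_bytes(32, "little")  # same scalar mod L
    flip = lambda b: bytes([b[0] ^ 1]) + b[1:]  # perturb one bit of an encoding
    return {"valid": verify(A, msg, sig),
            "R_changed": verify(A, msg, flip(R) + sig[32:], False),  # h changes, so it fails
            "A_changed": verify(flip(A), msg, sig, False),  # likewise
            "s_plus_L_unchecked": verify(A, msg, R + s_plus_L, False),  # accepted without the check
            "s_plus_L_checked": verify(A, msg, R + s_plus_L)}  # rejected with it
```

Only the `s_plus_L_unchecked` entry comes back True besides the genuine signature, which is why RFC 8032 requires verifiers to reject s >= L.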


> I'm not sure why TweetNaCl is even considered a serious crypto library.

Probably because its authors are all big-name people and their paper says:

> We have placed TweetNaCl into the public ___domain, and we encourage applications to make use of it.



