aboutsummaryrefslogtreecommitdiff
path: root/src/db.cpp
diff options
context:
space:
mode:
authorPieter Wuille <pieter.wuille@gmail.com>2012-12-26 21:10:49 +0100
committerPieter Wuille <pieterw@google.com>2013-08-16 00:17:50 +0200
commita81cd96805ce6b65cca3a40ebbd3b2eb428abb7b (patch)
tree6bd44b6534c2041f0728f8b985d7c766f85c41cb /src/db.cpp
parent4323bfeafda4a5e0101710d94b518d41819a2325 (diff)
Only create signatures with even S, and verification mode to check.
To fix a minor malleability found by Sergio Lerner (reported here: https://bitcointalk.org/index.php?topic=8392.msg1245898#msg1245898) The problem is that if (R,S) is a valid ECDSA signature for a given message and public key, (R,-S) is also valid. Modulo N (the order of the secp256k1 curve), this means that both (R,S) and (R,N-S) are valid. Given that N is odd, S and N-S have a different lowest bit. We solve the problem by forcing signatures to have an even S value, excluding one of the alternatives. This commit just changes the signing code to always produce even S values, and adds a verification mode to check it. This code is not enabled anywhere yet. Existing tests in key_tests.cpp verify that the produced signatures are still valid.
Diffstat (limited to 'src/db.cpp')
0 files changed, 0 insertions, 0 deletions