Let's say you have a message pubkey M. It was calculated from issuer public key P1 and Bond message hash b1 as M = P1 * b1.
Now I'm an evil attacker and I want to create another pair P2, b2 that also results in M. What I can do is choose an arbitrary Bond message, calculate its hash b2 and then calculate P2 = M * b2^-1. Obviously I don't have the corresponding private key but having a valid pair P2, b2 might be enough to cause problems.
Whoever holds the private key for P1 can easily calculate the private key for P2. I haven't been following your scheme but I presume that's the issuer. If I catch on correctly then the issuer could misrepresent some information about the bond, saying that the issuer public key was actually P2.
For those following along, b^-1 means the modular inverse of b, that is xb mod n = 1 where x is the solution and n is defined by secp256k1 as the prime in which all modular operations take place.
The "modular operations" use the prime p but for the above calculation you should use the group order n which is a somewhat smaller prime.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
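The arithmetic in the posts above (P2 = M * b2^-1, the issuer deriving the private key for P2, and the point that the inverse must be taken modulo the group order n rather than the field prime p) can be checked directly. The following is an added example, not code from the thread or from the bond scheme being discussed; it uses a small textbook secp256k1 implementation in affine coordinates, a constructed issuer private key, and a stand-in "Bond message hash" (SHA-256 reduced modulo n) that is an assumption, not the scheme's real hash.

```python
import hashlib

# secp256k1 constants. p and n are the values quoted in the thread; G is the standard generator.
P_FIELD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over GF(p). None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None                       # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    y3 = (lam * (x1 - x3) - y1) % P_FIELD
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add. Scalars live in Z_n, so k is reduced modulo the group order n."""
    k %= N_ORDER
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def bond_message_hash(bond_bytes):
    """Constructed stand-in for the scheme's Bond message hash: SHA-256 reduced into [1, n-1]."""
    return int.from_bytes(hashlib.sha256(bond_bytes).digest(), "big") % N_ORDER or 1


def second_pair_for(M, other_bond):
    """Given only the message pubkey M, produce (P2, b2) with b2 * P2 == M.
    The inverse is taken modulo n, the group order, as the thread's correction says."""
    b2 = bond_message_hash(other_bond)
    P2 = scalar_mult(pow(b2, -1, N_ORDER), M)
    return P2, b2


def issuer_private_key_for(d1, b1, b2):
    """The holder of d1 (P1 = d1*G) recovers the private key of P2 = b2^-1 * b1 * P1."""
    return d1 * b1 * pow(b2, -1, N_ORDER) % N_ORDER


def field_prime_inverse_recovers_M(M, b2):
    """Check the caveat: inverting b2 modulo p instead of n does NOT give a valid P2."""
    P_wrong = scalar_mult(pow(b2, -1, P_FIELD), M)
    return scalar_mult(b2, P_wrong) == M


def demo():
    d1 = 0x1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D5E6F708192A3B4C5D6E7F809  # constructed key
    P1 = scalar_mult(d1, G)
    b1 = bond_message_hash(b"constructed bond message #1")
    M = scalar_mult(b1, P1)                              # M = P1 * b1 as in the thread

    P2, b2 = second_pair_for(M, b"constructed bond message #2")
    d2 = issuer_private_key_for(d1, b1, b2)
    return {
        "second_pair_matches_M": scalar_mult(b2, P2) == M,   # (P2, b2) also yields M
        "issuer_knows_d2": scalar_mult(d2, G) == P2,         # issuer holds P2's private key
        "field_prime_inverse_works": field_prime_inverse_recovers_M(M, b2),
    }


if __name__ == "__main__":
    print(demo())
```

Two things fall out of running it: a (P, b) pair that multiplies to M proves nothing about possession of a private key, since anyone with M can manufacture one for any message, and the party who does hold d1 can compute the private key behind every such P2; and an inverse computed modulo p silently produces a wrong point, which is why the group order n belongs in that calculation.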
I think you meant transaction hash not signature hash, right? I think the fact that the block chain is entirely self validating is pretty important though!
Yes that's what I meant. The block chain is still entirely self-validating if the transaction hash doesn't include the signature as long as you bother to store the signature. At the moment though you HAVE to store the signatures. Can anyone propose a remotely plausible scenario in which we would regret not hashing the signatures?
ByteCoin