2
The recent problem with Android's SecureRandom PRNG once again shows that using (EC)DSA can go horribly wrong if the signature nonce is ever reused.
There is an elliptic curve signature scheme that doesn't share this property: Ed25519.
Is there a mechanism in the Bitcoin protocol to allow transition to a new address/signature format? Would there have to be a new opcode, or does OP_CHECKSIG already support different key types?
What would happen to clients that don't support a new key format, but receive transactions from such a new address/key? Would SPV clients trust a transaction that they can't verify themselves, or reject the block containing it as invalid?
In any case, the new format can only be used once (nearly) all clients support it, but could this be implemented at some point, and enabled some time later?
1
You're right, a message-derived nonce seems like a very good solution for the problem. I've just learned about http://tools.ietf.org/html/rfc6979, which seems to fix the problem for Bitcoin in a completely backwards-compatible way. Thanks for still explaining how an algorithm change would work!
– lxgr – 2013-08-23T20:18:05.9731Also, do note that if randomness generation is broken, then all new addresses are bad as well. With the nature of bitcoin being what it is, new addresses are generated almost as often as signatures - so making signatures deterministic just hides the bad randomness problem longer... – Nakedible – 2013-08-24T05:36:47.387
That's definitely true for bitcoind/bitcoin-qt. Seems like deterministic wallets would be unaffected, though. – lxgr – 2013-09-03T10:09:32.087