[cryptography] Bitcoin observation

Marsh Ray marsh at extendedsubset.com
Thu Jul 7 17:27:47 EDT 2011

On 07/07/2011 04:10 PM, Nico Williams wrote:
> In some (most?) public key cryptosystems it's possible to prove that a
> valid public key has a corresponding private key (that is, there
> exists a valid private key for which the given public key *is* the
> public key).  That's used for public key validation.  It's not
> possible, however, to prove that the private key still exists.

But is it possible to sneak in invalid keys? What if, say, in an RSA 
system you were to later reveal that modulus n was the product of more 
than two primes? (I forget the name of this attack.)

What if you did this after a long dependency chain of cleared 
transactions had built up on the security of this key?

Not saying that Bitcoin specifically is vulnerable here, just that there 
are usually several ways to poison the well on these interdependent systems.

Often the crypto is meant to defend against attackers with the expected 
motivations (e.g. double-spending the coins). The recent rise in 
sophisticated "for the lulz"-motivated attacks is likely to catch some 
systems off-guard.

- Marsh
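An added illustration (editor's example, not part of the thread) of the gap Marsh's question points at: the checks a verifier can run on an RSA public key (n, e) alone accept a three-prime modulus exactly as they accept a two-prime one, and the structure of n only becomes visible once its holder discloses the factors. The primes, the toy textbook-RSA signing and the check list are all constructed for illustration and far too small to be meaningful as real parameters.

```python
import math
E = 17  # public exponent; the primes used below are tiny constructed values, illustration only

def keygen(primes):
    """Build an RSA key from any number of primes; a verifier never sees `primes`."""
    n = math.prod(primes)
    lam = math.lcm(*(p - 1 for p in primes))  # Carmichael lambda(n)
    return n, pow(E, -1, lam)                  # (modulus, private exponent)

def sign(m, n, d): return pow(m, d, n)
def verify(m, s, n): return pow(s, E, n) == m

def is_perfect_power(n):
    """True if n == b**k for some b >= 2, k >= 2 (e.g. a modulus that is p*p)."""
    for k in range(2, n.bit_length() + 1):
        lo, hi = 2, 1 << (n.bit_length() // k + 1)
        while lo <= hi:
            mid = (lo + hi) // 2
            v = mid ** k
            if v == n:
                return True
            lo, hi = (mid + 1, hi) if v < n else (lo, mid - 1)
    return False

def public_key_checks(n, e):
    """Checks a verifier can run on (n, e) alone; none of them can tell a two-prime
    modulus from a three-prime one, which is the gap the thread is asking about."""
    failures = []
    if n <= 1 or n % 2 == 0:
        failures.append("modulus must be odd and > 1")
    if e < 3 or e % 2 == 0 or e >= n:
        failures.append("exponent must be odd and 3 <= e < n")
    if is_perfect_power(n):
        failures.append("modulus is a perfect power")
    return failures

def revealed_structure(n, claimed_factors):
    """Only once the holder discloses factors can anyone see how n was built."""
    if math.prod(claimed_factors) != n:
        return "claimed factors do not multiply to n"
    return f"{len(claimed_factors)}-prime modulus"

def demo(m=42):
    """Both keys pass the public checks and both sign/verify a message correctly."""
    out = {}
    for name, primes in (("two", [61, 53]), ("three", [61, 53, 47])):
        n, d = keygen(primes)
        out[name] = (public_key_checks(n, E) == [], verify(m, sign(m, n, d), n))
    return out
```

`demo()` returns `{"two": (True, True), "three": (True, True)}`: from the outside the two keys are indistinguishable, and only `revealed_structure` with the disclosed factors shows that one of them was built from three primes.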
