New blog post: Recovering public keys from signatures. It turns out public keys are, in fact, public.
https://keymaterial.net/2024/06/15/reconstructing-public-keys-from-signatures/
Which begs my question: Why is there such a push to create new public signing keys all of the time?
Are they just flat-out admitting that their security is so bad and the private key can be or was leaked?
It should not be leaked in the first place.
Exactly. Why should the public key have to be recovered in the first place?
Shouldn't I be able to recover the public key from the private key anyway?
If I do not have the public key, then what good is the signature?
So, if I can derive the public key, and in theory, verify the signature, does this mean I know who created it and can be trusted?
@SpaceLifeForm i mean, sometimes people make protocols that assume that signatures can be sent without revealing the public key. and that’s true for some signature schemes and not for others.
for intentional use, suppose you have a key-value store where you can query by a signature on an item for a particular one, or by public key for the most recent items with matching signatures. if you query by a signature and don’t get any items, you could recover the public key and then query by that, and be assured that any results were signed with the same secret key.
i’m not sure to what extent you mean “trusted”, but if you can recover a public key from a signature, you can at least trust that the secret key (that you presumably don’t know) corresponding to that public key is the one that produced the signature.
@tryst @SpaceLifeForm yeah, you can use this to verify signatures once you've reconstructed the public key. You'll need to trust the signatures you use for the reconstruction are valid, but after that you have just a normal public key.
You can also use this for example if you have a large collection of signed payloads, and want to know which payloads share the same sender, at least for the ECDSA case, where you only need a single signature.
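As an added example, not code from the blog post or from anyone in this thread, here is a small pure-Python ECDSA implementation over secp256k1 that signs, recovers the candidate public keys from a single signature, verifies with the recovered key, and then groups a batch of signed payloads by sender in the way the last reply describes. The curve constants are the real secp256k1 parameters; the private key values, the message bytes, the nonce derivation and all function names are constructed for this example.

```python
import hashlib

# secp256k1 domain parameters (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def msg_hash(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv: int, msg: bytes):
    """Plain ECDSA. The nonce is derived from key and message only so the example
    is reproducible; this is a stand-in for RFC 6979, not the real construction."""
    e = msg_hash(msg)
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + msg).digest(), "big") % N
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * priv) % N
    return (r, s)


def verify(pub, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(msg_hash(msg) * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_candidates(msg: bytes, sig):
    """Every public key Q for which (r, s) verifies on msg:
    Q = r^-1 * (s*R - e*G) for each curve point R with x-coordinate r
    (two y values; x = r + N is also tried for completeness)."""
    r, s = sig
    e = msg_hash(msg)
    r_inv = pow(r, -1, N)
    cands = []
    for x in (r, r + N):
        if x >= P:
            continue
        y_sq = (pow(x, 3, P) + 7) % P
        y = pow(y_sq, (P + 1) // 4, P)  # valid square root because P % 4 == 3
        if y * y % P != y_sq:
            continue                    # no curve point has this x-coordinate
        for yy in (y, P - y):
            q = ec_mul(r_inv, ec_add(ec_mul(s, (x, yy)), ec_neg(ec_mul(e, G))))
            if q is not None and verify(q, msg, sig):
                cands.append(q)
    return cands


def group_by_sender(items):
    """items: list of (msg, sig). Returns lists of payload indices whose signatures
    came from the same secret key, using only the recovered candidates. The real
    key is in every candidate set of one signer; the spurious candidates are
    effectively random points, so they do not link unrelated signers."""
    key_to_group, groups = {}, []
    for idx, (msg, sig) in enumerate(items):
        cands = recover_candidates(msg, sig)
        hit = next((key_to_group[c] for c in cands if c in key_to_group), None)
        if hit is None:
            hit = len(groups)
            groups.append([])
        groups[hit].append(idx)
        for c in cands:
            key_to_group[c] = hit
    return groups


# Constructed demo keys: arbitrary test values, not real key material
ALICE = 0x1F2E3D4C5B6A79880001020304050607A1B2C3D4E5F60718293A4B5C6D7E8F90
BOB = 0x0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE

if __name__ == "__main__":
    items = [(b"invoice 1", sign(ALICE, b"invoice 1")),
             (b"hello", sign(BOB, b"hello")),
             (b"invoice 2", sign(ALICE, b"invoice 2"))]
    print(group_by_sender(items))  # -> [[0, 2], [1]]
```

Two things worth noticing when running it. A single ECDSA signature yields two candidate keys (the two points sharing x-coordinate r), which is why one signature is enough to link payloads but a second one, or an out-of-band binding, is needed to pick the real key. And recovery succeeds for any well-formed (r, s) pair, including one nobody actually produced with a secret key: the recovered key always verifies that signature by construction. The recovered key therefore only tells you which signatures belong together; as the author notes above, trust has to come from signatures you already trust, not from recovery itself.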