Comment by some_furry
Comment by some_furry 4 hours ago
In addition to the malleability attack (high-S and low-S both being valid for a given value of R), ECDSA doesn't provide a property called exclusive ownership: https://soatok.blog/2023/04/03/asymmetric-cryptographic-comm...
In contrast, EdDSA (which is based on Schorr signatures) does, by construction: the public key is included in one of the hashes, which binds the signature to a particular public key.
I haven't investigated whether cryptocurrency's use of Schnorr satisfies this property or not. (Indeed, I do not care about cryptocurrency at all.) So it's an exercise to the reader if it's satisfactory or not :3
Excellent blog by the way. I esp. love the humility - advanced concepts about cryptogtaphy then I see an article for new people about how to get into tech. Keeping the ladder out, so to speak.