py_ecc
For arbitrary message, is empty signature valid for empty public key?
What is wrong?
To py_ecc, if you sign a message with an empty public key and an empty signature, it verifies True. That seems wrong.
In [10]: from py_ecc.bls import verify
In [11]: verify(b'\x56'*32, b'\xc0'+ b'\x00'*47, b'\xc0'+ b'\x00'*95, 0)
Out[11]: True
Arguments to return True
- It is a valid behavior for the pairing function
- It is just a special case of a rogue key attack; we don't let validators input public keys anyway.
Arguments to return False
- It's a scary gotcha to let an arbitrary message be verified as True, if not handled carefully.
- In other libraries like BLS Chia, this is not allowed.
How can it be fixed
Add an explicit test to confirm this behavior for now.
Sounds like a good case for default behavior being for it to return False but to potentially allow this behavior via an explicit flag since it is valid behavior for the cryptography.
Discussed with @vbuterin yesterday. The conclusion was to accept the behavior for the time being since there might be more degenerate cases popping up in the future.
What do you think about adding the flag in wrappers in Trinity or eth_keys and keeping the logic simple in py_ecc?
cc @carver
> What do you think about adding the flag in wrappers in Trinity or eth_keys and keeping the logic simple in py_ecc?
I can get on board with this. Need to get eth-keys up-to-date with BLS signatures and it seems appropriate for it to house the higher level APIs.
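An added example, not code from py_ecc, Trinity or eth_keys: one way the wrapper proposed in the thread could return False by default and accept the degenerate case only behind an explicit flag. It assumes the ZCash-style compressed encoding implied by the issue's `0xc0` byte strings (bit `0x40` of the first byte marks the point at infinity); `strict_verify`, `claims_infinity`, `allow_infinity` and the `reported_behaviour` stand-in are hypothetical names.

```python
from typing import Callable

PUBKEY_LEN = 48     # compressed G1 point, length used in the issue's call
SIGNATURE_LEN = 96  # compressed G2 point, length used in the issue's call
B_FLAG = 0x40       # assumption: ZCash-style "point at infinity" bit

# Same argument order as the verify() call shown in the issue.
VerifyFn = Callable[[bytes, bytes, bytes, int], bool]


def claims_infinity(encoded: bytes) -> bool:
    """True if the encoding's first byte sets the point-at-infinity bit."""
    return len(encoded) > 0 and bool(encoded[0] & B_FLAG)


def strict_verify(message_hash: bytes, pubkey: bytes, signature: bytes,
                  domain: int, verify_fn: VerifyFn,
                  allow_infinity: bool = False) -> bool:
    """Wrap a BLS verify function so identity inputs fail by default.

    With pubkey and signature both at infinity the pairing check holds for
    every message, so the wrapper refuses either one unless the caller
    opts in with allow_infinity=True.
    """
    if len(pubkey) != PUBKEY_LEN or len(signature) != SIGNATURE_LEN:
        return False
    if not allow_infinity and (claims_infinity(pubkey)
                               or claims_infinity(signature)):
        return False
    return verify_fn(message_hash, pubkey, signature, domain)


def reported_behaviour(message_hash: bytes, pubkey: bytes,
                       signature: bytes, domain: int) -> bool:
    """Constructed stand-in for py_ecc.bls.verify so the example runs offline.

    It reproduces only the result reported in the issue: True when both
    inputs are infinity encodings. Pass the real verify in actual use.
    """
    return claims_infinity(pubkey) and claims_infinity(signature)


# Inputs taken from the call in the issue.
MESSAGE = b'\x56' * 32
EMPTY_PUBKEY = b'\xc0' + b'\x00' * 47
EMPTY_SIGNATURE = b'\xc0' + b'\x00' * 95

if __name__ == "__main__":
    print(strict_verify(MESSAGE, EMPTY_PUBKEY, EMPTY_SIGNATURE, 0,
                        reported_behaviour))
```

Checking the flag bit rather than comparing against the all-zero encoding also rejects malformed inputs that set the infinity bit with non-zero trailing bytes.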