Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1Z24YF-0001OG-60 for bitcoin-development@lists.sourceforge.net; Mon, 08 Jun 2015 21:25:47 +0000 Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.220.48 as permitted sender) client-ip=209.85.220.48; envelope-from=danny.thorpe@gmail.com; helo=mail-pa0-f48.google.com; Received: from mail-pa0-f48.google.com ([209.85.220.48]) by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1Z24YD-0002cV-RE for bitcoin-development@lists.sourceforge.net; Mon, 08 Jun 2015 21:25:47 +0000 Received: by padev16 with SMTP id ev16so48065445pad.0 for ; Mon, 08 Jun 2015 14:25:40 -0700 (PDT) MIME-Version: 1.0 X-Received: by 10.66.90.166 with SMTP id bx6mr32847715pab.76.1433798740128; Mon, 08 Jun 2015 14:25:40 -0700 (PDT) Received: by 10.70.13.133 with HTTP; Mon, 8 Jun 2015 14:25:40 -0700 (PDT) In-Reply-To: <87k2vhfnx9.fsf@rustcorp.com.au> References: <87k2vhfnx9.fsf@rustcorp.com.au> Date: Mon, 8 Jun 2015 14:25:40 -0700 Message-ID: From: Danny Thorpe To: Rusty Russell Content-Type: multipart/alternative; boundary=001a113838a895ba6705180848f4 X-Spam-Score: -0.6 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (danny.thorpe[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1Z24YD-0002cV-RE Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] [RFC] Canonical input and output ordering in transactions X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Jun 2015 21:25:47 -0000 --001a113838a895ba6705180848f4 Content-Type: text/plain; charset=UTF-8 FWIW, The Open Assets colored coin protocol (CoinPrism) places special significance on the zeroth input and the position of the OP_RETURN colored coin marker output to distinguish colored coin issuance outputs from transfer outputs. Reordering the inputs or the outputs breaks the colored coin representation. Recommending sorting of the inputs and outputs as a best practice is fine (and better than random, IMO), but not as part of IsStandard() or consensus rules. There are cases where the order of the inputs and outputs is significant. -Danny On Fri, Jun 5, 2015 at 9:42 PM, Rusty Russell wrote: > Title: Canonical Input and Output Ordering > Author: Rusty Russell > Discussions-To: "Bitcoin Dev" > Status: Draft > Type: Standards Track > Created: 2015-06-06 > > Abstract > > This BIP provides a canonical ordering of inputs and outputs when > creating transactions. > > Motivation > > Most bitcoin wallet implementations randomize the outputs of > transactions they create to avoid trivial linkage analysis (especially > change outputs), however implementations have made mistakes in this area > in the past. > > Using a canonical ordering has the same effect, but is simpler, more > obvious if incorrect, and can eventually be enforced by IsStandard() and > even a soft-fork to enforce it. > > Specification > > Inputs should be ordered like so: > index (lower value first) > txid (little endian order, lower byte first) > > Outputs should be ordered like so: > amount (lower value first) > script (starting from first byte, lower byte first, shorter wins) > > Rationale > > Any single wallet is already free to implement this, but if other > wallets do not it would reduce privacy by making those transactions > stand out. Thus a BIP is appropriate, especially if this were to > become an IsStandard() rule once widely adopted. > > Because integers are fast to compare, they're sorted first, before the > lexographical ordering. > > The other input fields do not influence the sort order, as any valid > transactions cannot have two inputs with the same index and txid. > > Reference Implementation > > https://github.com/rustyrussell/bitcoin/tree/bip-in-out-ordering > > > ------------------------------------------------------------------------------ > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > --001a113838a895ba6705180848f4 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
FWIW, The Open Assets colored coin protocol (CoinPrism) pl= aces special significance on the zeroth input and the position of the OP_RE= TURN colored coin marker output to distinguish colored coin issuance output= s from transfer outputs. Reordering the inputs or the outputs breaks the co= lored coin representation.

Recommending sorting of the i= nputs and outputs as a best practice is fine (and better than random, IMO),= but not as part of IsStandard() or consensus rules.=C2=A0 There are cases = where the order of the inputs and outputs is significant.

-Danny

On Fri, Jun 5, 2015 at 9:42 PM, Rusty Russell &l= t;rusty@rustcorp= .com.au> wrote:
Title: Cano= nical Input and Output Ordering
Author: Rusty Russell <rusty@ru= stcorp.com.au>
Discussions-To: "Bitcoin Dev" <bitcoin-development@lists.sourceforge.net= >
Status: Draft
Type: Standards Track
Created: 2015-06-06

Abstract

This BIP provides a canonical ordering of inputs and outputs when
creating transactions.

Motivation

Most bitcoin wallet implementations randomize the outputs of
transactions they create to avoid trivial linkage analysis (especially
change outputs), however implementations have made mistakes in this area in the past.

Using a canonical ordering has the same effect, but is simpler, more
obvious if incorrect, and can eventually be enforced by IsStandard() and even a soft-fork to enforce it.

Specification

Inputs should be ordered like so:
=C2=A0 =C2=A0 =C2=A0 =C2=A0 index (lower value first)
=C2=A0 =C2=A0 =C2=A0 =C2=A0 txid (little endian order, lower byte first)
Outputs should be ordered like so:
=C2=A0 =C2=A0 =C2=A0 =C2=A0 amount (lower value first)
=C2=A0 =C2=A0 =C2=A0 =C2=A0 script (starting from first byte, lower byte fi= rst, shorter wins)

Rationale

Any single wallet is already free to implement this, but if other
wallets do not it would reduce privacy by making those transactions
stand out.=C2=A0 Thus a BIP is appropriate, especially if this were to
become an IsStandard() rule once widely adopted.

Because integers are fast to compare, they're sorted first, before the<= br> lexographical ordering.

The other input fields do not influence the sort order, as any valid
transactions cannot have two inputs with the same index and txid.

Reference Implementation

https://github.com/rustyrussell/bitcoin/tree/bip-in-out= -ordering

---------------------------------------------------------------------------= ---
_______________________________________________
Bitcoin-development mailing list
Bitcoin-develo= pment@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-de= velopment

--001a113838a895ba6705180848f4--