Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id F28CFA58 for ; Fri, 2 Sep 2016 04:41:04 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from erelay3.ox.registrar-servers.com (erelay3.ox.registrar-servers.com [192.64.117.2]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 17BB4125 for ; Fri, 2 Sep 2016 04:41:02 +0000 (UTC) Received: from localhost (unknown [127.0.0.1]) by erelay1.ox.registrar-servers.com (Postfix) with ESMTP id 84F4A2207FD2 for ; Fri, 2 Sep 2016 04:41:01 +0000 (UTC) Received: from erelay1.ox.registrar-servers.com ([127.0.0.1]) by localhost (erelay.ox.registrar-servers.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Z0ZbzwPKduvS for ; Fri, 2 Sep 2016 00:40:58 -0400 (EDT) Received: from MTA-07.privateemail.com (unknown [10.20.150.170]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by erelay1.ox.registrar-servers.com (Postfix) with ESMTPS id 9FFB82208004 for ; Fri, 2 Sep 2016 00:40:58 -0400 (EDT) Received: from APP-06 (unknown [10.20.147.156]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by MTA-07.privateemail.com (Postfix) with ESMTPSA id 71FCF60032 for ; Fri, 2 Sep 2016 04:40:58 +0000 (UTC) Date: Fri, 2 Sep 2016 00:40:58 -0400 (EDT) From: Johnson Lau Reply-To: Johnson Lau To: bitcoin-dev@lists.linuxfoundation.org Message-ID: <1317364559.64256.1472791258452@privateemail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Priority: 3 Importance: Medium X-Mailer: Open-Xchange Mailer v7.8.1-Rev19 X-Originating-Client: open-xchange-appsuite X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: [bitcoin-dev] New BIP: Dealing with dummy stack element malleability X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Sep 2016 04:41:05 -0000 https://github.com/bitcoin/bips/pull/440 https://github.com/bitcoin/bitcoin/pull/8636 This document specifies proposed changes to the Bitcoin transaction validity rules to fix the malleability of extra stack element for OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY. The original plan was to do the LOW_S and NULLDUMMY (BIP146) together with segwit in 0.13.1. However, as we discovered some undocumented behavior in LOW_S, we may want to deploy the LOW_S softfork in a later release. https://github.com/bitcoin/bitcoin/pull/8533#issuecomment-243973512 I will edit the BIP146 later. BIP: ? Title: Dealing with dummy stack element malleability Author: Johnson Lau Status: Draft Type: Standards Track Created: 2016-09-02 Abstract This document specifies proposed changes to the Bitcoin transaction validity rules to fix the malleability of extra stack element for OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY. Motivation Signature malleability refers to the ability of any relay node on the network to transform the signature in transactions, with no access to the relevant private keys required. For non-segregated witness transactions, signature malleability will change the txid and invalidate any unconfirmed child transactions. Although the txid of segregated witness (BIP141) transactions is not third party malleable, this malleability vector will change the wtxid and may reduce the efficiency of compact block relay (BIP152). A design flaw in OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY makes them consuming an extra stack element ("dummy element") after signature validation. The dummy element is not inspected in any manner, and could be replaced by any value without invalidating the script. This document specifies a new rule to fix this signature malleability. Specification To fix the dummy element malleability, a new consensus rule ("NULLDUMMY") is deployed to require that the dummy element MUST be the empty byte array. Anything else makes the script evaluate to false immediately. The NULLDUMMY rule applies to OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY in pre-segregated scripts, and also pay-to-witness-script-hash scripts described in BIP141. Deployment This BIP will be deployed by "version bits" BIP9 using the same parameters for BIP141 and BIP143, with the name "segwit" and using bit 1. For Bitcoin mainnet, the BIP9 starttime is midnight TBD UTC (Epoch timestamp TBD) and BIP9 timeout is midnight TBD UTC (Epoch timestamp TBD). For Bitcoin testnet, the BIP9 starttime is midnight 1 May 2016 UTC (Epoch timestamp 1462060800) and BIP9 timeout is midnight 1 May 2017 UTC (Epoch timestamp 1493596800). Compatibility The reference client has produced compatible signatures from the beginning, and the NULLDUMMY rule has been enforced as relay policy by the reference client since v0.10.0. There has been no transactions violating the requirement being added to the chain since at least August 2015. In addition, every non-compliant signature can trivially be converted into a compliant one, so there is no loss of functionality by this requirement. Implementation An implementation for the reference client is available at https://github.com/bitcoin/bitcoin/pull/8636 Acknowledgements This document is extracted from the previous BIP62 proposal, which was composed by Pieter Wuille and had input from various people. Copyright This document is placed in the public domain.