Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 5824790 for ; Tue, 3 Nov 2015 20:37:57 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wm0-f53.google.com (mail-wm0-f53.google.com [74.125.82.53]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 52913FE for ; Tue, 3 Nov 2015 20:37:56 +0000 (UTC) Received: by wmeg8 with SMTP id g8so94576465wme.0 for ; Tue, 03 Nov 2015 12:37:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=g0OljsqJ6SA/jcnKky5lRj/+Vhx+CFb3KIr2+WIXmwk=; b=ehYgons0HzXBL9WlbUTsGRR68mpwzSCpWgSC/FgfVuzujdIGTMJbdcatS6RgJpsp1r fqCD1F834fa2Jx9kBvICg5ogR85UQT4rJx6NfJ5/tT/x11LWnax4yvjGUEjd9+nricrM Tx7X28S3RzNmXYILol84eGdnHr1862+5pUJ7mD0aS4Ppp+IHA4nRZHWK03yUEOI8HGeG z2GysxwUvuzvliYo5x1BRVGaCI5K4wRQFvbcYtsK3dJOT1HNoc9H+Vnx9fG0uG2Ugddl su4YLj2kwr/X95pPIa2qu+VXRmDAM7PKuDt2AZMFs4U0QiZ4X6BLyFBuetey56nLmo1H 98CA== X-Received: by 10.28.23.211 with SMTP id 202mr20795332wmx.81.1446583074749; Tue, 03 Nov 2015 12:37:54 -0800 (PST) MIME-Version: 1.0 References: <201510212320.31052.luke@dashjr.org> <201510220905.27124.luke@dashjr.org> In-Reply-To: <201510220905.27124.luke@dashjr.org> From: Christian Decker Date: Tue, 03 Nov 2015 20:37:44 +0000 Message-ID: To: Luke Dashjr Content-Type: multipart/alternative; boundary=001a1147181a4f05570523a8de9c X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Bitcoin Dev Subject: Re: [bitcoin-dev] [BIP] Normalized transaction IDs X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Nov 2015 20:37:57 -0000 --001a1147181a4f05570523a8de9c Content-Type: text/plain; charset=UTF-8 Ok, getting the ball rolling again after some downtime. I amended the proposal to use a simple version number instead of the binary flags, added the normalization of inputs before computing the signaturehash and added Schnorr signatures as requested. The BIP has also been assigned number 130 :-) I am still very much intrigued by Luke's idea of having empty scriptsigs and ship the signatures in external scripts, however the proposal uses the on-the-fly normalization because we have no good way of relaying the external scripts. Since we are still in the drafting phase I am open to suggestions and if there is a good/working solution I can amend/withdraw the proposal. As for open venues for malleability, I'm not sure we can fix them at all, after all the ability of a single signer to doublespend by appending/replacing inputs/outputs in an arbitrary fashion is not fixable IMHO and will cause any future transaction building on its outputs to be orphaned. What would the perfect properties for such a fix be? Regards, Christian On Thu, Oct 22, 2015 at 11:05 AM Luke Dashjr wrote: > On Thursday, October 22, 2015 8:26:58 AM Christian Decker wrote: > > I think the scenario of the single signer re-ordering the outputs and > > inputs and then re-signing the transaction is in the same category of > > simple double-spends. The signer could just as well sign a completely > > different transaction spending the same coins to somewhere else, so I > don't > > think there is a lot we can do about it even if we instate a canonical > > ordering. Even if we order the inputs and outputs the signer can just > add a > > new input and output and we would have a different transaction. > > > > Normalized transaction IDs do help in the case that the single signer > wants > > to immediately follow up its transaction with another transaction > spending > > the first one's change output, and it prevents any modification in the > > multi-signer scenario. > > Except that unlike malicious double spending, adding more outputs to > unconfirmed transactions is what wallets *should ideally be doing every > time > they send another transaction*. Spending unconfirmed change is the wrong > approach. So half-fixing malleability as this PR would, encourages > inefficient behaviour in multiple ways (first, by not making it > malleability- > safe; second, by encouraging spending unconfirmed change). > > Luke > --001a1147181a4f05570523a8de9c Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Ok, getting the ball rolling again after some downtime. I = amended the proposal to use a simple version number instead of the binary f= lags, added the normalization of inputs before computing the signaturehash = and added Schnorr signatures as requested.

The BIP has a= lso been assigned number 130 :-)

I am still very m= uch intrigued by Luke's idea of having empty scriptsigs and ship the si= gnatures in external scripts, however the proposal uses the on-the-fly norm= alization because we have no good way of relaying the external scripts. Sin= ce we are still in the drafting phase I am open to suggestions and if there= is a good/working solution I can amend/withdraw the proposal.
As for open venues for malleability, I'm not sure we can f= ix them at all, after all the ability of a single signer to doublespend by = appending/replacing inputs/outputs in an arbitrary fashion is not fixable I= MHO and will cause any future transaction building on its outputs to be orp= haned. What would the perfect properties for such a fix be?

<= /div>
Regards,
Christian

On Thu, Oct 22, 2015 at 11:05 AM Luke Dashjr <luke@dashjr.org> wrote:
On Thursday, October 22, 2015 8:26:58 AM Christian Deck= er wrote:
> I think the scenario of the single signer re-ordering the outputs and<= br> > inputs and then re-signing the transaction is in the same category of<= br> > simple double-spends. The signer could just as well sign a completely<= br> > different transaction spending the same coins to somewhere else, so I = don't
> think there is a lot we can do about it even if we instate a canonical=
> ordering. Even if we order the inputs and outputs the signer can just = add a
> new input and output and we would have a different transaction.
>
> Normalized transaction IDs do help in the case that the single signer = wants
> to immediately follow up its transaction with another transaction spen= ding
> the first one's change output, and it prevents any modification in= the
> multi-signer scenario.

Except that unlike malicious double spending, adding more outputs to
unconfirmed transactions is what wallets *should ideally be doing every tim= e
they send another transaction*. Spending unconfirmed change is the wrong approach. So half-fixing malleability as this PR would, encourages
inefficient behaviour in multiple ways (first, by not making it malleabilit= y-
safe; second, by encouraging spending unconfirmed change).

Luke
--001a1147181a4f05570523a8de9c--