Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1Z4K9V-0003G2-Ff for bitcoin-development@lists.sourceforge.net; Mon, 15 Jun 2015 02:29:33 +0000 Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of ozlabs.org designates 103.22.144.67 as permitted sender) client-ip=103.22.144.67; envelope-from=rusty@ozlabs.org; helo=ozlabs.org; Received: from ozlabs.org ([103.22.144.67]) by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.76) id 1Z4K9U-0004qQ-2U for bitcoin-development@lists.sourceforge.net; Mon, 15 Jun 2015 02:29:33 +0000 Received: by ozlabs.org (Postfix, from userid 1011) id 2DF3614027F; Mon, 15 Jun 2015 12:29:24 +1000 (AEST) From: Rusty Russell To: Gregory Maxwell In-Reply-To: References: <87k2vhfnx9.fsf@rustcorp.com.au> User-Agent: Notmuch/0.17 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu) Date: Mon, 15 Jun 2015 11:59:11 +0930 Message-ID: <87r3pdembs.fsf@rustcorp.com.au> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -1.0 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record -0.4 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.9 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1Z4K9U-0004qQ-2U Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] [RFC] Canonical input and output ordering in transactions X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Jun 2015 02:29:33 -0000 Gregory Maxwell writes: > I'm not a great fan of this proposal for two reasons: The first is > that the strict ordering requirements is incompatible with future > soft-forks that may expose additional ordering constraints. Today we > have _SINGLE, which as noted this interacts with poorly, but there > have been other constraints proposed that this would also interact > with poorly. Yes, I hit this when I implemented an IsStandard change; upon input evaluation the scriptsigs which used _SINGLE get disregarded from ordering. > The second is that even absent consensus rules there may be invisible > constraints in systems-- e.g. hardware wallets that sign top down, I think that one's pretty easy to fix (and they should fix it anyway, to avoid leaking information due to ordering): they can receive an unordered tx and sign it as if it were ordered canonically. > or > future transaction covenants that have constraints about ordering, or > proof systems that use (yuck) midstate compression for efficiency. The softfork argument I find the most compelling, though it's tempting to argue that every ordering use (including SIGHASH_SINGLE) is likely a mistake. > I think perhaps the motivations here are understated. We have not seen > any massive deployments of accidentally broken ordering that I'm aware > of-- and an implementation that got this wrong in a harmful way would > likely make far more fatal mistakes (e.g. non random private keys). I was prompted to propose something by this: https://blog.blocktrail.com/2015/05/getting-your-change-in-order/ If that's the only one though, it's less compelling. > As an alternative to this proposal the ordering can be privately > derandomized in the same way DSA is, to avoid the need for an actual > number source. If getting the randomness right were really the only > motivation, I'd suggest we propose a simple derandomized randomization > algorithm--- e.g. take the order from (H(input ids||client secret)). > > I think there is actually an unstated motivation also driving this > (and the other) proposal related to collaborative transaction systems > like coinjoins or micropayment channels; where multiple clients need > to agree on the same ordering. Is this the case? If so we should > probably talk through some of the requirements there and see if there > isn't a better way to address it. Indeed. I was implementing deterministic permutations for lightning (signature exchange requires both sides agree on ordering). Cheers, Rusty.