Date: Wed, 12 Feb 2014 11:22:19 -0500
From: Alan Reiner <etotheipi@gmail.com>
To: Rune Kjær Svendsen <runesvend@gmail.com>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] [RFC] [BIP proposal] Dealing with
	malleability

I think the solution is simply to encourage Bitcoin software developers to
design their software to use this static ID, instead of the full
transaction hash. If MtGox had tracked those IDs instead of the TX ID,
their software would've correctly identified the mutated transactions and
there would be no problem.

Armory is slightly different, since it doesn't deal with the same stuff as
exchanges do.  But it didn't have any problems with malleability because it
doesn't track anything by ID, it only pays attention to whether inputs and
outputs are related to your wallets.  It's not necessarily hard to do it
this way, people just have to be aware of it.

-Alan

Sent from my overpriced smartphone
On Feb 12, 2014 10:15 AM, "Rune Kjær Svendsen" <runesvend@gmail.com> wrote:

> Instead of trying to remove the possibility of transaction
> malleability, would it make sense to define a new, "canonical
> transaction hash/ID" (cTxID), which would be a hash of the part of the
> transaction data which we know is not malleable, and have clients use
> this cTxID internally, thus making the traditional transaction hash
> irrelevant for a client to function correctly?
>
> We already have a non-malleable transaction hash: the hash that is
> signed, ie. the transaction with each scriptSig replaced by the
> scriptPubKey it redeems. This could be the cTxID.
>
> Or is this simply a too fundamental change to the way bitcoin-qt (and
> all other clients) work in order to be feasible?
>
> As far as I can see, it completely solves the issue of not having a
> canonical ID for a transaction, but it also increases the
> computational requirements for a node. For one, as far as I can see,
> it requires the node to index all transactions, because in order to
> calculate a cTxID, it would be necessary to fetch all transactions
> referred to by the transaction in question, in order to pull in the
> scriptPubKeys that are redeemed.
>
>
> On Mon, Feb 10, 2014 at 4:00 AM, Peter Todd <pete@petertodd.org> wrote:
> > On Mon, Feb 10, 2014 at 12:33:02AM +0100, Pieter Wuille wrote:
> >> Hello all,
> >>
> >> it was something I planned to do since a long time, but with the
> >> recent related issues popping up, I finally got around to writing a
> >> BIP about how we can get rid of transaction malleability over time.
> >>
> >> The proposed document is here: https://gist.github.com/sipa/8907691
> >>
> >> I expect most rules to not be controversial. Maybe rules 1 and 3, as
> >> they require modifications to wallet software (Bitcoin Core 0.9 and
> >> BitcoinJ already implement it, though) and potentially invalidate some
> >> script functionality. However, these new rules remain optional and
> >> controlled by an nVersion increase.
> >>
> >> Comments please!
> >
> > You should probably add making CHECKMULTISIG require the dummy value to
> > be exactly equal to OP_FALSE; verifying that in the transaction itself is
> > laborious. A more subtle example is we may want both CHECKSIG and
> > CHECKMULTISIG to fail the transaction if the signature is invalid but
> > not exactly equal to OP_FALSE; some transaction forms are significantly
> > more compact if you can have failed signatures, but that's a source of
> > malleability. (are there counter examples people can think of?)
> >
> >
> > But as I said on IRC, I'm a bit hesitant to bake in assumptions about
> > malleability when we have no solid idea if ECC signatures are or are not
> > malleable on a fundamental level; if "whack-a-mole" anti-malleability is
> > all we've got it could be ugly if a break is found. Similarly, we may
> > find we missed something, or some needed change makes the malleability
> > rules difficult to work with for some new script type that is required.
> >
> > I'd rather see a new CHECKSIG mode for the case where malleability
> > absolutely must be eliminated - certain multi-party protocols - and fix
> > wallet software instead. (the malleability problems people see are
> > closely related to inability to handle double-spends and reorgs) But I
> > can easily see that being an impossible goal engineering wise...
> >
> > --
> > 'peter'[:-1]@petertodd.org
> > 0000000000000001465bc2730ffed7493d166d18d288f6cf15e8cdb5d4a3c7b1
>
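
The static-ID idea discussed in this thread, as an added example that is not part of the original messages: a payment tracked by a cTxID survives a scriptSig change that alters the ordinary transaction hash. The byte layout used for `ctxid`, the `utxos` lookup table and all sample transactions are assumptions constructed for illustration; the thread does not define a serialization.

```python
import hashlib
import struct

def dsha(b):
    """Double SHA-256, as used for Bitcoin transaction hashes."""
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def varint(n):
    if n < 0xfd:
        return bytes([n])
    if n <= 0xffff:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xffffffff:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)

def serialize(tx, scripts=None):
    """Legacy serialization; `scripts`, if given, overrides each input's scriptSig."""
    out = struct.pack("<i", tx["version"]) + varint(len(tx["vin"]))
    for i, vin in enumerate(tx["vin"]):
        script = vin["script_sig"] if scripts is None else scripts[i]
        out += bytes.fromhex(vin["prev_txid"])[::-1] + struct.pack("<I", vin["vout"])
        out += varint(len(script)) + script + struct.pack("<I", vin["sequence"])
    out += varint(len(tx["vout"]))
    for value, script_pubkey in tx["vout"]:
        out += struct.pack("<q", value) + varint(len(script_pubkey)) + script_pubkey
    return out + struct.pack("<I", tx["locktime"])

def txid(tx):
    """Ordinary transaction hash: covers the scriptSigs, so it changes if they do."""
    return dsha(serialize(tx))[::-1].hex()

def ctxid(tx, utxos):
    """Assumed cTxID: hash with each scriptSig replaced by the scriptPubKey it redeems.
    The `utxos` lookup is the indexing cost raised in the quoted message."""
    scripts = [utxos[(v["prev_txid"], v["vout"])] for v in tx["vin"]]
    return dsha(serialize(tx, scripts))[::-1].hex()

def find_payment(pending, seen_tx, utxos):
    """Match a transaction seen on the network to a pending payment by cTxID."""
    return pending.get(ctxid(seen_tx, utxos))

# Constructed sample data: placeholder bytes, not real keys, signatures or txids.
PREV = "11" * 32
SPK_IN = bytes.fromhex("76a914" + "22" * 20 + "88ac")
SPK_OUT = bytes.fromhex("76a914" + "33" * 20 + "88ac")
UTXOS = {(PREV, 0): SPK_IN}

def make_tx(script_sig, value=50_000):
    vin = {"prev_txid": PREV, "vout": 0, "script_sig": script_sig, "sequence": 0xffffffff}
    return {"version": 1, "vin": [vin], "vout": [(value, SPK_OUT)], "locktime": 0}

ORIGINAL = make_tx(b"\x01" * 72)        # scriptSig as the sender broadcast it
MUTATED = make_tx(b"\x00" + b"\x01" * 72)  # stand-in for an altered scriptSig
PENDING = {ctxid(ORIGINAL, UTXOS): "withdrawal-0001"}  # hypothetical ledger entry
```

A ledger keyed on `txid(ORIGINAL)` would not recognise `MUTATED`, while `find_payment(PENDING, MUTATED, UTXOS)` still returns the pending entry.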