1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
|
Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192]
helo=mx.sourceforge.net)
by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <pieter.wuille@gmail.com>) id 1YIn3Q-0003QP-VP
for bitcoin-development@lists.sourceforge.net;
Tue, 03 Feb 2015 23:38:48 +0000
Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com
designates 209.85.213.179 as permitted sender)
client-ip=209.85.213.179; envelope-from=pieter.wuille@gmail.com;
helo=mail-ig0-f179.google.com;
Received: from mail-ig0-f179.google.com ([209.85.213.179])
by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1YIn3Q-0004uY-5p
for bitcoin-development@lists.sourceforge.net;
Tue, 03 Feb 2015 23:38:48 +0000
Received: by mail-ig0-f179.google.com with SMTP id l13so204532iga.0
for <bitcoin-development@lists.sourceforge.net>;
Tue, 03 Feb 2015 15:38:42 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.107.3.36 with SMTP id 36mr31071772iod.92.1423006722880; Tue,
03 Feb 2015 15:38:42 -0800 (PST)
Received: by 10.50.20.229 with HTTP; Tue, 3 Feb 2015 15:38:42 -0800 (PST)
In-Reply-To: <CAPg+sBi8_wQj1ZGWUPQ4rRmuPKt3=OY6HcRZmVLqGMeLNwhpPQ@mail.gmail.com>
References: <CAPg+sBhk7F2OHT64i2LNSjv8DR5tD3RJkLJGzPGZW8OPQTCjQw@mail.gmail.com>
<87egqnwt7g.fsf@rustcorp.com.au>
<CAPg+sBjQAi_hCcoV0gecVQAd4PYKzRd5F_nymz8UVt9BFg8O2Q@mail.gmail.com>
<CAAS2fgQjTq1M6fF5KDiZ-qBrCWjs9z5VKtj-c1ghRfDeK6iyPA@mail.gmail.com>
<CAPg+sBjjYLf4NZ8ezK7ML_OO-e6C8_V1i12AXejjrgp+wFB-pg@mail.gmail.com>
<CA+s+GJDcyEqAm4bwCJsgDQiT14kZiLzmwOgLn-oC_SHZTg7sew@mail.gmail.com>
<CAPg+sBi8_wQj1ZGWUPQ4rRmuPKt3=OY6HcRZmVLqGMeLNwhpPQ@mail.gmail.com>
Date: Tue, 3 Feb 2015 15:38:42 -0800
Message-ID: <CAPg+sBiU14fsJ24Sf3apaLffnZuD3Y+pFdz8A7jH50Pg-fD+5w@mail.gmail.com>
From: Pieter Wuille <pieter.wuille@gmail.com>
To: Wladimir <laanwj@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
X-Spam-Score: -1.6 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(pieter.wuille[at]gmail.com)
-0.0 SPF_PASS SPF: sender matches SPF record
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1YIn3Q-0004uY-5p
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] [softfork proposal] Strict DER signatures
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Tue, 03 Feb 2015 23:38:49 -0000
On Tue, Feb 3, 2015 at 10:15 AM, Pieter Wuille <pieter.wuille@gmail.com> wrote:
>>> The much simpler alternative is just adding this to BIP66's DERSIG
>>> right now, which is a one-line change that's obviously softforking. Is
>>> anyone opposed to doing so at this stage?
I'm retracting this proposed change.
Suhar Daftuas pointed out that there remain edge-cases which are not
covered (a 33-byte R or S whose first byte is not a zero). The intent
here is really making sure that signature validation and parsing can
be entirely separated, and that signature checking itself does not
need a third return value ("invalid encoding", in addition to "valid
signature" and "invalid signature"). If we don't want to make
assumptions about how that implementation works, the only guaranteed
way of doing that is requiring that R and S are in fact within the
range allowed by secp256k1, which would require an integer decoder
inside the signature encoding checker. I consider that to be
unreasonable.
In addition, a much cleaner solution that covers this as well has
already been proposed: only allow 0 (the empty byte vector) as invalid
signature. That would 100% align signature validity with decoding, and
is much simpler to implement.
--
Pieter
|
