Date: Tue, 16 Aug 2016 06:10:01 -0400 (EDT)
From: Johnson Lau <jl2012@xbt.hk>
Reply-To: Johnson Lau <jl2012@xbt.hk>
To: bitcoin-dev@lists.linuxfoundation.org
Message-ID: <835406850.86951.1471342201363@privateemail.com>
Subject: [bitcoin-dev] New BIP: Low S values signatures
As discussed in the 11 Aug 2016 IRC meeting (https://bitcoincore.org/en/meetings/2016/08/11/#softfork-to-make-low-s-required), a new BIP with an implementation has been prepared to make low S value signatures a consensus rule:
https://github.com/jl2012/bips/blob/biplows/bip-lows.mediawiki
https://github.com/bitcoin/bitcoin/pull/8514
The softfork is proposed to be deployed with segwit (BIP141), likely in v0.13.1.
The text is copied below.
BIP: ?
Title: Low S values signatures
Author: Pieter Wuille <pieter.wuille@gmail.com>
        Johnson Lau <jl2012@xbt.hk>
Status: Draft
Type: Standards Track
Created: 2016-08-16
Abstract
This document specifies proposed changes to the Bitcoin transaction validity rules to restrict signatures to using low S values.
Motivation
ECDSA signatures are inherently malleable as taking the negative of the number S inside (modulo the curve order) does not invalidate it. This is a nuisance malleability vector as any relay node on the network may transform the signature, with no access to the relevant private keys required. For non-segregated witness transactions, this malleability will change the txid and invalidate any unconfirmed child transactions. Although the txid of segregated witness (BIP141) transactions is not third party malleable, this malleability vector will change the wtxid and may reduce the efficiency of compact block relay (BIP152).
To fix this malleability, we require that the S value inside ECDSA signatures is at most the curve order divided by 2 (essentially restricting this value to its lower half range). The value S in signatures must be between 0x1 and 0x7FFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 5D576E73 57A4501D DFE92F46 681B20A0 (inclusive). If S is too high, simply replace it by S' = 0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141 - S.
Specification
Every signature passed to OP_CHECKSIG, OP_CHECKSIGVERIFY, OP_CHECKMULTISIG, or OP_CHECKMULTISIGVERIFY, to which ECDSA verification is applied, MUST use a S value between 0x1 and 0x7FFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 5D576E73 57A4501D DFE92F46 681B20A0 (inclusive) with strict DER encoding (see BIP66).
These operators all perform ECDSA verifications on pubkey/signature pairs, iterating from the top of the stack backwards. For each such verification, if the signature does not pass the IsLowDERSignature check, the entire script evaluates to false immediately. If the signature is valid DER with low S value, but does not pass ECDSA verification, opcode execution continues as it used to, causing opcode execution to stop and push false on the stack (but not immediately fail the script) in some cases, which potentially skips further signatures (and thus does not subject them to IsLowDERSignature).
Deployment
This BIP will be deployed by "version bits" BIP9 using the same parameters for BIP141 and BIP143, with the name "segwit" and using bit 1.
For Bitcoin mainnet, the BIP9 starttime will be midnight TBD UTC (Epoch timestamp TBD) and BIP9 timeout will be midnight TBD UTC (Epoch timestamp TBD).
For Bitcoin testnet, the BIP9 starttime will be midnight 1 May 2016 UTC (Epoch timestamp 1462060800) and BIP9 timeout will be midnight 1 May 2017 UTC (Epoch timestamp 1493596800).
Compatibility
The reference client has produced compatible signatures since v0.9.0, and the requirement to have low S value signatures has been enforced as a relay policy by the reference client since v0.11.1. As of August 2016, very few transactions violating the requirement are being added to the chain. In addition, every non-compliant signature can trivially be converted into a compliant one, so there is no loss of functionality by this requirement. This proposal has the added benefit of reducing transaction malleability.
Implementation
An implementation for the reference client is available at https://github.com/bitcoin/bitcoin/pull/8514
Acknowledgements
This document is extracted from the previous BIP62 proposal which had input from various people.
Copyright
This document is placed in the public domain.
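
The check and the conversion described in the Motivation and Specification sections above, as an added example that is not part of the original message, the BIP, or the reference client's code. It assumes the signature is the stack element with its trailing sighash byte, laid out as in BIP66; all function names and the sample values are hypothetical.

```python
# Added example: the two constants are the values quoted in the BIP text.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # curve order
HALF_N = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0  # max S

def parse_strict_der(sig: bytes):
    """Return (r, s, sighash) if sig follows the BIP66 layout, else None.
    Layout: 0x30 total-len 0x02 len-R R 0x02 len-S S sighash-byte."""
    if not 9 <= len(sig) <= 73 or sig[0] != 0x30 or sig[1] != len(sig) - 3:
        return None
    len_r = sig[3]
    if 5 + len_r >= len(sig):
        return None
    len_s = sig[5 + len_r]
    if len_r + len_s + 7 != len(sig) or sig[2] != 0x02 or sig[4 + len_r] != 0x02:
        return None
    r_raw, s_raw = sig[4:4 + len_r], sig[6 + len_r:6 + len_r + len_s]
    for raw in (r_raw, s_raw):
        if not raw or raw[0] & 0x80:  # empty or negative integer
            return None
        if len(raw) > 1 and raw[0] == 0 and not raw[1] & 0x80:  # excess padding
            return None
    return int.from_bytes(r_raw, "big"), int.from_bytes(s_raw, "big"), sig[-1]

def _der_int(x: int) -> bytes:
    raw = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    raw = b"\x00" + raw if raw[0] & 0x80 else raw  # keep the integer positive
    return b"\x02" + bytes([len(raw)]) + raw

def encode_der(r: int, s: int, sighash: int) -> bytes:
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body + bytes([sighash])

def is_low_der_signature(sig: bytes) -> bool:
    """Strict DER and 1 <= S <= HALF_N, the range the BIP requires."""
    parsed = parse_strict_der(sig)
    return parsed is not None and 1 <= parsed[1] <= HALF_N

def normalize_low_s(sig: bytes):
    """Return the low-S form of sig (S' = N - S), or None if not convertible."""
    parsed = parse_strict_der(sig)
    if parsed is None or not 1 <= parsed[1] < N:
        return None
    r, s, sighash = parsed
    return encode_der(r, N - s if s > HALF_N else s, sighash)

# Constructed sample: arbitrary R, S in the upper half; not a real signature.
SAMPLE_R = int("11" * 32, 16)
SAMPLE_HIGH = encode_der(SAMPLE_R, N - 5, 0x01)
```

The example covers only the encoding and range checks; it does not perform ECDSA verification.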