Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192] helo=mx.sourceforge.net) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1YIn3Q-0003QP-VP for bitcoin-development@lists.sourceforge.net; Tue, 03 Feb 2015 23:38:48 +0000 Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.213.179 as permitted sender) client-ip=209.85.213.179; envelope-from=pieter.wuille@gmail.com; helo=mail-ig0-f179.google.com; Received: from mail-ig0-f179.google.com ([209.85.213.179]) by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1YIn3Q-0004uY-5p for bitcoin-development@lists.sourceforge.net; Tue, 03 Feb 2015 23:38:48 +0000 Received: by mail-ig0-f179.google.com with SMTP id l13so204532iga.0 for ; Tue, 03 Feb 2015 15:38:42 -0800 (PST) MIME-Version: 1.0 X-Received: by 10.107.3.36 with SMTP id 36mr31071772iod.92.1423006722880; Tue, 03 Feb 2015 15:38:42 -0800 (PST) Received: by 10.50.20.229 with HTTP; Tue, 3 Feb 2015 15:38:42 -0800 (PST) In-Reply-To: References: <87egqnwt7g.fsf@rustcorp.com.au> Date: Tue, 3 Feb 2015 15:38:42 -0800 Message-ID: From: Pieter Wuille To: Wladimir Content-Type: text/plain; charset=ISO-8859-1 X-Spam-Score: -1.6 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (pieter.wuille[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1YIn3Q-0004uY-5p Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] [softfork proposal] Strict DER signatures X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Feb 2015 23:38:49 -0000 On Tue, Feb 3, 2015 at 10:15 AM, Pieter Wuille wrote: >>> The much simpler alternative is just adding this to BIP66's DERSIG >>> right now, which is a one-line change that's obviously softforking. Is >>> anyone opposed to doing so at this stage? I'm retracting this proposed change. Suhar Daftuas pointed out that there remain edge-cases which are not covered (a 33-byte R or S whose first byte is not a zero). The intent here is really making sure that signature validation and parsing can be entirely separated, and that signature checking itself does not need a third return value ("invalid encoding", in addition to "valid signature" and "invalid signature"). If we don't want to make assumptions about how that implementation works, the only guaranteed way of doing that is requiring that R and S are in fact within the range allowed by secp256k1, which would require an integer decoder inside the signature encoding checker. I consider that to be unreasonable. In addition, a much cleaner solution that covers this as well has already been proposed: only allow 0 (the empty byte vector) as invalid signature. That would 100% align signature validity with decoding, and is much simpler to implement. -- Pieter