From: Allen Piscitello <allen.piscitello@gmail.com>
To: Alan Reiner <etotheipi@gmail.com>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Date: Wed, 12 Feb 2014 10:38:18 -0600
Subject: Re: [Bitcoin-development] [RFC] [BIP proposal] Dealing with malleability
References: <20140210030048.GB31925@savin>

While that solution does work for many use cases, it does make it much harder to do anything needing chained transactions. Granted, this is the short term solution for current implementations, but having a transaction identifier that does not change does open up other use cases.

For example, Alice wants to send coins to a multisignature address with Bob, such that both parties are required to spend the coins. Alice also requires Bob to send coins to this address as well before they will proceed. Alice cannot guarantee that Bob will cooperate (and vice versa), so before she broadcasts the transaction to send to A+B, she sends Bob a transaction that spends her incoming transaction back to herself, but has a time lock of far into the future. Bob signs this, returns it to Alice, and she broadcasts her funding transaction. At this point, Bob disappears, loses his key, or just decides to spite Alice and her coins are locked. Since she has a refund transaction, she can broadcast it in a month and get her coins back. Except her funding transaction has been modified such that the txhash is different, so her refund is now invalid. She would need Bob to issue a new refund as soon as her funding transaction hits the blockchain if it is modified, which defeats the point of the trustless refund transaction.

Longer term it would be more ideal to have a canonical identifier for the transaction before it even gets to the chain to support these use cases, even if wallets are able to properly identify the status of its transactions. Obviously this is a difficult problem to solve and cannot be implemented without breaking changes, but it would be a nice goal to be able to completely remove malleability. There are other important use cases where having a unique identifier just for internal accounting is insufficient.

-Allen

On Wed, Feb 12, 2014 at 10:22 AM, Alan Reiner <etotheipi@gmail.com> wrote:
> I think the solution is simply to encourage Bitcoin software developers to
> design their software to use this static ID, instead of the full
> transaction hash. If MtGox had talked those IDs instead of the TX ID,
> their software would've correctly identified the mutated transactions and
> there would be no problem.
>
> Armory is slightly different, since it doesn't deal with the same stuff as
> exchanges do. But it didn't have any problems with malleability because it
> doesn't track anything by ID, it only pays attention to whether inputs and
> outputs are related to your wallets. It's not necessarily hard to do it
> this way, people just have to be aware of it.
>
> -Alan
>
> Sent from my overpriced smartphone
>
> On Feb 12, 2014 10:15 AM, "Rune Kjær Svendsen" <runesvend@gmail.com> wrote:
>
>> Instead of trying to remove the possibility of transaction
>> malleability, would it make sense to define a new, "canonical
>> transaction hash/ID" (cTxID), which would be a hash of the part of the
>> transaction data which we know is not malleable, and have clients use
>> this cTxID internally, thus making the traditional transaction hash
>> irrelevant for a client to function correctly?
>>
>> We already have a non-malleable transaction hash: the hash that is
>> signed, ie. the transaction with each scriptSig replaced by the
>> scriptPubKey it redeems. This could be the cTxID.
>>
>> Or is this simply a too fundamental change to the way bitcoin-qt (and
>> all other clients) work in order to be feasible?
>>
>> As far as I can see, it completely solves the issue of not having a
>> canonical ID for a transaction, but it also increases the
>> computational requirements for a node. For one, as far as I can see,
>> it requires the node to index all transactions, because in order to
>> calculate a cTxID, it would be necessary to fetch all transactions
>> referred to by the transaction in question, in order to pull in the
>> scriptPubKeys that are redeemed.
>>
>>
>> On Mon, Feb 10, 2014 at 4:00 AM, Peter Todd <pete@petertodd.org> wrote:
>> > On Mon, Feb 10, 2014 at 12:33:02AM +0100, Pieter Wuille wrote:
>> >> Hello all,
>> >>
>> >> it was something I planned to do since a long time, but with the
>> >> recent related issues popping up, I finally got around to writing a
>> >> BIP about how we can get rid of transaction malleability over time.
>> >>
>> >> The proposed document is here: https://gist.github.com/sipa/8907691
>> >>
>> >> I expect most rules to not be controversial. Maybe rules 1 and 3, as
>> >> they require modifications to wallet software (Bitcoin Core 0.9 and
>> >> BitcoinJ already implement it, though) and potentially invalidate some
>> >> script functionality. However, these new rules remain optional and
>> >> controlled by an nVersion increase.
>> >>
>> >> Comments please!
>> >
>> > You should probably add making CHECKMULTISIG require the dummy value to
>> > be exactly equal to OP_FALSE; verifying that in the transaction itself is
>> > laborious. A more subtle example is we may want both CHECKSIG and
>> > CHECKMULTISIG to fail the transaction if the signature is invalid but
>> > not exactly equal to OP_FALSE; some transaction forms are significantly
>> > more compact if you can have failed signatures, but that's a source of
>> > malleability. (are there counter examples people can think of?)
>> >
>> >
>> > But as I said on IRC, I'm a bit hesitant to bake in assumptions about
>> > malleability when we have no solid idea if ECC signatures are or are not
>> > malleable on a fundamental level; if "whack-a-mole" anti-malleability is
>> > all we've got it could be ugly if a break is found. Similarly, we may
>> > find we missed something, or some needed change makes the malleability
>> > rules difficult to work with for some new script type that is required.
>> >
>> > I'd rather see a new CHECKSIG mode for the case where malleability
>> > absolutely must be eliminated - certain multi-party protocols - and fix
>> > wallet software instead. (the malleability problems people see are
>> > closely related to inability to handle double-spends and reorgs) But I
>> > can easily see that being an impossible goal engineering wise...
>> >
>> > --
>> > 'peter'[:-1]@petertodd.org
>> > 0000000000000001465bc2730ffed7493d166d18d288f6cf15e8cdb5d4a3c7b1
>> >
>> > ------------------------------------------------------------------------------
>> > Managing the Performance of Cloud-Based Applications
>> > Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
>> > Read the Whitepaper.
>> > http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
>> > _______________________________________________
>> > Bitcoin-development mailing list
>> > Bitcoin-development@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/bitcoin-development
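The funding/refund scenario in Allen's message and the cTxID construction quoted from Rune's proposal, as an added Python illustration that is neither part of the thread nor Bitcoin Core code. It assumes a simplified transaction serialization, constructed placeholder scripts and signatures, a constructed UTXO lookup table (`UTXO`) standing in for the index Rune says a node would need, and a toy `malleate()` that appends an OP_NOP to the scriptSig as a stand-in for any third-party re-encoding that leaves the signed data intact. It shows that the legacy txid changes while the cTxID does not, and that a refund built against the original txid no longer finds its outpoint once the mutated version confirms.

```python
"""Toy model: legacy txid vs. canonical txid (cTxID) under scriptSig malleation.

Added example, not code from the thread or from Bitcoin Core. Serialization
is simplified; scripts, signatures and the UTXO table are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

OP_FALSE = b"\x00"   # CHECKMULTISIG dummy element, as discussed in the thread
OP_NOP = b"\x61"     # used only by the toy malleation below


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass(frozen=True)
class TxIn:
    prev_txid: bytes    # id of the transaction whose output is spent
    prev_index: int     # which output of that transaction
    script_sig: bytes   # the only part a third party can alter


@dataclass(frozen=True)
class TxOut:
    value: int
    script_pubkey: bytes


@dataclass(frozen=True)
class Tx:
    inputs: Tuple[TxIn, ...]
    outputs: Tuple[TxOut, ...]
    lock_time: int = 0


Outpoint = Tuple[bytes, int]
# Constructed UTXO view: outpoint -> scriptPubKey being redeemed. Computing a
# cTxID needs exactly this lookup, which is the indexing cost Rune points out.
UTXO: Dict[Outpoint, bytes] = {}


def serialize(tx: Tx, input_script: Callable[[TxIn], bytes]) -> bytes:
    """Simplified wire format; input_script chooses the bytes placed in each input."""
    out = bytearray((1).to_bytes(4, "little"))          # version
    out += len(tx.inputs).to_bytes(1, "little")
    for txin in tx.inputs:
        script = input_script(txin)
        out += txin.prev_txid + txin.prev_index.to_bytes(4, "little")
        out += len(script).to_bytes(1, "little") + script
    out += len(tx.outputs).to_bytes(1, "little")
    for txout in tx.outputs:
        out += txout.value.to_bytes(8, "little")
        out += len(txout.script_pubkey).to_bytes(1, "little") + txout.script_pubkey
    out += tx.lock_time.to_bytes(4, "little")
    return bytes(out)


def txid(tx: Tx) -> bytes:
    """Legacy id: hash of the full serialization, scriptSig included."""
    return sha256d(serialize(tx, lambda i: i.script_sig))


def ctxid(tx: Tx, utxo: Dict[Outpoint, bytes]) -> bytes:
    """cTxID as proposed: each scriptSig replaced by the scriptPubKey it redeems,
    i.e. the data the signature already commits to."""
    return sha256d(serialize(tx, lambda i: utxo[(i.prev_txid, i.prev_index)]))


def malleate(tx: Tx) -> Tx:
    """Constructed stand-in for a third-party mutation: alter scriptSig bytes
    without touching anything the signature covers."""
    mutated = tuple(TxIn(i.prev_txid, i.prev_index, i.script_sig + OP_NOP) for i in tx.inputs)
    return Tx(mutated, tx.outputs, tx.lock_time)


def outpoint_exists(outpoint: Outpoint, confirmed: Tuple[Tx, ...]) -> bool:
    """Does any confirmed transaction, identified by legacy txid, carry this output?"""
    return any(txid(t) == outpoint[0] and outpoint[1] < len(t.outputs) for t in confirmed)


def refund_is_spendable(refund: Tx, confirmed: Tuple[Tx, ...]) -> bool:
    """A refund is only valid if every outpoint it spends exists on chain."""
    return all(outpoint_exists((i.prev_txid, i.prev_index), confirmed) for i in refund.inputs)


def build_scenario() -> Tuple[Tx, Tx]:
    """Alice funds a 2-of-2 output with Bob and holds a pre-signed, time-locked refund."""
    alice_spk = b"\x76\xa9" + b"A" * 20 + b"\x88\xac"                     # toy P2PKH
    ab_2of2_spk = b"\x52\x21" + b"A" * 33 + b"\x21" + b"B" * 33 + b"\x52\xae"  # toy 2-of-2
    coin: Outpoint = (sha256d(b"constructed coinbase"), 0)
    UTXO[coin] = alice_spk
    funding = Tx((TxIn(coin[0], coin[1], b"\x30sig-alice"),), (TxOut(100_000, ab_2of2_spk),))
    # Bob co-signs a refund of funding:0 back to Alice, locked far into the future;
    # it references the funding tx by its legacy txid, which is the weak point.
    refund = Tx((TxIn(txid(funding), 0, OP_FALSE + b"\x30sig-alice" + b"\x30sig-bob"),),
                (TxOut(99_000, alice_spk),), lock_time=1_000_000)
    return funding, refund


if __name__ == "__main__":
    funding, refund = build_scenario()
    mutated = malleate(funding)
    print("legacy txid changed:  ", txid(funding) != txid(mutated))
    print("cTxID unchanged:      ", ctxid(funding, UTXO) == ctxid(mutated, UTXO))
    print("refund ok (original): ", refund_is_spendable(refund, (funding,)))
    print("refund ok (mutated):  ", refund_is_spendable(refund, (mutated,)))
```

The defender's takeaway is the one Alan makes: software that keys its accounting on the legacy txid treats the mutated transaction as unrelated, while keying on the cTxID (or, as Armory does, on which inputs and outputs touch the wallet) keeps the two versions matched. What no identifier choice fixes is Allen's refund: its input commits to the legacy txid of the parent, so a wallet needs to watch for the mutated parent and treat the refund as void rather than assume it is still spendable.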