1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
|
Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193]
helo=mx.sourceforge.net)
by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <decker.christian@gmail.com>) id 1Yuctj-0001PC-1C
for bitcoin-development@lists.sourceforge.net;
Tue, 19 May 2015 08:29:11 +0000
Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of gmail.com
designates 209.85.215.43 as permitted sender)
client-ip=209.85.215.43;
envelope-from=decker.christian@gmail.com;
helo=mail-la0-f43.google.com;
Received: from mail-la0-f43.google.com ([209.85.215.43])
by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1Yucte-00046R-0q
for bitcoin-development@lists.sourceforge.net;
Tue, 19 May 2015 08:29:11 +0000
Received: by lagr1 with SMTP id r1so11810731lag.0
for <bitcoin-development@lists.sourceforge.net>;
Tue, 19 May 2015 01:28:59 -0700 (PDT)
X-Received: by 10.112.139.198 with SMTP id ra6mr3258249lbb.15.1432024139618;
Tue, 19 May 2015 01:28:59 -0700 (PDT)
MIME-Version: 1.0
References: <CALxbBHUnt7ToVK9reH6W6uT4HV=7NbxGHyNWWa-OEHg+Z1+qOg@mail.gmail.com>
<5555C26F.7080706@sky-ip.org>
<AC0B3BAC-0934-46A3-B29A-F74238616F72@gmail.com>
In-Reply-To: <AC0B3BAC-0934-46A3-B29A-F74238616F72@gmail.com>
From: Christian Decker <decker.christian@gmail.com>
Date: Tue, 19 May 2015 08:28:58 +0000
Message-ID: <CALxbBHXC=jc+7Vj-3-VT7kj-+V6ORdeJPr_G9ymOcJyFZ3hy=A@mail.gmail.com>
To: Stephen <stephencalebmorse@gmail.com>, "s7r@sky-ip.org" <s7r@sky-ip.org>
Content-Type: multipart/alternative; boundary=001a11c3474e26df3405166b1a4b
X-Spam-Score: -0.6 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(decker.christian[at]gmail.com)
-0.0 SPF_PASS SPF: sender matches SPF record
1.0 HTML_MESSAGE BODY: HTML included in message
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1Yucte-00046R-0q
Cc: Bitcoin Development <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] [BIP] Normalized Transaction IDs
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Tue, 19 May 2015 08:29:11 -0000
--001a11c3474e26df3405166b1a4b
Content-Type: text/plain; charset=UTF-8
Thanks Stephen, I hadn't thought about BIP 34 and we need to address this
in both proposals. If we can avoid it I'd like not to have one transaction
hashed one way and other transactions in another way.
Since BIP 34 explicitly uses the scriptSig to make the coinbase transaction
unique, simply removing the scriptSig is not an option as it would
potentially cause collisions. I don't remember why the scriptSig was
chosen, but we also have the option of putting the blockchain height in the
sequence number of the coinbase input or the locktime of the transaction,
restoring the uniqueness constraint in normalized transaction IDs (for both
proposals). Is there a specific reason why that was not chosen at the time?
On Sat, May 16, 2015 at 5:58 AM Stephen <stephencalebmorse@gmail.com> wrote:
> We should make sure to consider how BIP34 affects normalized transaction
> ids, since the height of the block is included in the scriptSig ensuring
> that the txid will be different. We wouldn't want to enable replay attacks
> in the form of spending coinbase outputs in the same way they were spent
> from a previous block.
>
> So maybe normalized txids should strip the scriptSigs of all transactions
> except for coinbase transactions? This seems to make sense, since coinbase
> transactions are inherently not malleable anyway.
>
> Also, s7r linked to my 'Build your own nHashType' proposal (although V2 is
> here:
> https://github.com/scmorse/bitcoin-misc/blob/master/sighash_proposal_v2.md).
> I just wanted to add that I think even with normalized ids, it could still
> be useful to be able to apply these flags to choose which parts of the
> transaction become signed. I've also seen vague references to some kind of
> a merklized abstract syntax tree, but am not fully sure how that would
> work. Maybe someone on here could explain it?
>
> Best,
> Stephen
>
>
>
> > On May 15, 2015, at 5:54 AM, s7r <s7r@sky-ip.org> wrote:
> >
> > Hello,
> >
> > How will this exactly be safe against:
> > a) the malleability of the parent tx (2nd level malleability)
> > b) replays
> >
> > If you strip just the scriptSig of the input(s), the txid(s) can still
> > be mutated (with higher probability before it gets confirmed).
> >
> > If you strip both the scriptSig of the parent and the txid, nothing can
> > any longer be mutated but this is not safe against replays. This could
> > work if we were using only one scriptPubKey per tx. But this is not
> > enforced, and I don't think it's the proper way to do it.
> >
> > Something similar can be achieved if you would use a combination of
> > flags from here:
> >
> > https://github.com/scmorse/bitcoin-misc/blob/master/sighash_proposal.md
> >
> > But this has some issues too.
> >
> > I've read your draft but didn't understand how exactly will this prevent
> > normal malleability as we know it, second level malleability and replays
> > as well as how will we do the transition into mapping the txes in the
> > blockchain to normalized txids. Looking forward to read more on this
> > topic. Thanks for the brainstorming ;)
> >
> >
> >> On 5/13/2015 3:48 PM, Christian Decker wrote:
> >> Hi All,
> >>
> >> I'd like to propose a BIP to normalize transaction IDs in order to
> >> address transaction malleability and facilitate higher level protocols.
> >>
> >> The normalized transaction ID is an alias used in parallel to the
> >> current (legacy) transaction IDs to address outputs in transactions. It
> >> is calculated by removing (zeroing) the scriptSig before computing the
> >> hash, which ensures that only data whose integrity is also guaranteed by
> >> the signatures influences the hash. Thus if anything causes the
> >> normalized ID to change it automatically invalidates the signature. When
> >> validating a client supporting this BIP would use both the normalized tx
> >> ID as well as the legacy tx ID when validating transactions.
> >>
> >> The detailed writeup can be found
> >> here:
> https://github.com/cdecker/bips/blob/normalized-txid/bip-00nn.mediawiki.
> >>
> >> @gmaxwell: I'd like to request a BIP number, unless there is something
> >> really wrong with the proposal.
> >>
> >> In addition to being a simple alternative that solves transaction
> >> malleability it also hugely simplifies higher level protocols. We can
> >> now use template transactions upon which sequences of transactions can
> >> be built before signing them.
> >>
> >> I hesitated quite a while to propose it since it does require a hardfork
> >> (old clients would not find the prevTx identified by the normalized
> >> transaction ID and deem the spending transaction invalid), but it seems
> >> that hardforks are no longer the dreaded boogeyman nobody talks about.
> >> I left out the details of how the hardfork is to be done, as it does not
> >> really matter and we may have a good mechanism to apply a bunch of
> >> hardforks concurrently in the future.
> >>
> >> I'm sure it'll take time to implement and upgrade, but I think it would
> >> be a nice addition to the functionality and would solve a long standing
> >> problem :-)
> >>
> >> Please let me know what you think, the proposal is definitely not set in
> >> stone at this point and I'm sure we can improve it further.
> >>
> >> Regards,
> >> Christian
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >> One dashboard for servers and applications across Physical-Virtual-Cloud
> >> Widest out-of-the-box monitoring support with 50+ applications
> >> Performance metrics, stats and reports that give you Actionable Insights
> >> Deep dive visibility with transaction tracing using APM Insight.
> >> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> >>
> >>
> >>
> >> _______________________________________________
> >> Bitcoin-development mailing list
> >> Bitcoin-development@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
> >
> >
> ------------------------------------------------------------------------------
> > One dashboard for servers and applications across Physical-Virtual-Cloud
> > Widest out-of-the-box monitoring support with 50+ applications
> > Performance metrics, stats and reports that give you Actionable Insights
> > Deep dive visibility with transaction tracing using APM Insight.
> > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> > _______________________________________________
> > Bitcoin-development mailing list
> > Bitcoin-development@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
--001a11c3474e26df3405166b1a4b
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><span style=3D"font-size:13.1999998092651px;line-height:19=
.7999992370605px">Thanks Stephen, I hadn't thought about BIP 34 and we =
need to address this in both proposals.=C2=A0</span><span style=3D"font-siz=
e:13.1999998092651px;line-height:19.7999992370605px">If we can avoid it I&#=
39;d like not to have one transaction hashed one way and other transactions=
in another way.</span><div><span style=3D"font-size:13.1999998092651px;lin=
e-height:19.7999992370605px"><br></span></div><div><span style=3D"font-size=
:13.1999998092651px;line-height:19.7999992370605px">Since BIP 34 explicitly=
uses the scriptSig to make the coinbase transaction unique, simply removin=
g the scriptSig is not an option as it would potentially cause collisions. =
I don't remember why the scriptSig was chosen, but we also have the opt=
ion of putting the blockchain height in the sequence number of the coinbase=
input or the locktime of the transaction, restoring the uniqueness constra=
int in normalized transaction IDs (for both proposals). Is there a specific=
reason why that was not chosen at the time?<br></span><br><div class=3D"gm=
ail_quote">On Sat, May 16, 2015 at 5:58 AM Stephen <<a href=3D"mailto:st=
ephencalebmorse@gmail.com">stephencalebmorse@gmail.com</a>> wrote:<br><b=
lockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px =
#ccc solid;padding-left:1ex">We should make sure to consider how BIP34 affe=
cts normalized transaction ids, since the height of the block is included i=
n the scriptSig ensuring that the txid will be different. We wouldn't w=
ant to enable replay attacks in the form of spending coinbase outputs in th=
e same way they were spent from a previous block.<br>
<br>
So maybe normalized txids should strip the scriptSigs of all transactions e=
xcept for coinbase transactions? This seems to make sense, since coinbase t=
ransactions are inherently not malleable anyway.<br>
<br>
Also, s7r linked to my 'Build your own nHashType' proposal (althoug=
h V2 is here: <a href=3D"https://github.com/scmorse/bitcoin-misc/blob/maste=
r/sighash_proposal_v2.md" target=3D"_blank">https://github.com/scmorse/bitc=
oin-misc/blob/master/sighash_proposal_v2.md</a>). I just wanted to add that=
I think even with normalized ids, it could still be useful to be able to a=
pply these flags to choose which parts of the transaction become signed. I&=
#39;ve also seen vague references to some kind of a merklized abstract synt=
ax tree, but am not fully sure how that would work. Maybe someone on here c=
ould explain it?<br>
<br>
Best,<br>
Stephen<br>
<br>
<br>
<br>
> On May 15, 2015, at 5:54 AM, s7r <<a href=3D"mailto:s7r@sky-ip.org"=
target=3D"_blank">s7r@sky-ip.org</a>> wrote:<br>
><br>
> Hello,<br>
><br>
> How will this exactly be safe against:<br>
> a) the malleability of the parent tx (2nd level malleability)<br>
> b) replays<br>
><br>
> If you strip just the scriptSig of the input(s), the txid(s) can still=
<br>
> be mutated (with higher probability before it gets confirmed).<br>
><br>
> If you strip both the scriptSig of the parent and the txid, nothing ca=
n<br>
> any longer be mutated but this is not safe against replays. This could=
<br>
> work if we were using only one scriptPubKey per tx. But this is not<br=
>
> enforced, and I don't think it's the proper way to do it.<br>
><br>
> Something similar can be achieved if you would use a combination of<br=
>
> flags from here:<br>
><br>
> <a href=3D"https://github.com/scmorse/bitcoin-misc/blob/master/sighash=
_proposal.md" target=3D"_blank">https://github.com/scmorse/bitcoin-misc/blo=
b/master/sighash_proposal.md</a><br>
><br>
> But this has some issues too.<br>
><br>
> I've read your draft but didn't understand how exactly will th=
is prevent<br>
> normal malleability as we know it, second level malleability and repla=
ys<br>
> as well as how will we do the transition into mapping the txes in the<=
br>
> blockchain to normalized txids. Looking forward to read more on this<b=
r>
> topic. Thanks for the brainstorming ;)<br>
><br>
><br>
>> On 5/13/2015 3:48 PM, Christian Decker wrote:<br>
>> Hi All,<br>
>><br>
>> I'd like to propose a BIP to normalize transaction IDs in orde=
r to<br>
>> address transaction malleability and facilitate higher level proto=
cols.<br>
>><br>
>> The normalized transaction ID is an alias used in parallel to the<=
br>
>> current (legacy) transaction IDs to address outputs in transaction=
s. It<br>
>> is calculated by removing (zeroing) the scriptSig before computing=
the<br>
>> hash, which ensures that only data whose integrity is also guarant=
eed by<br>
>> the signatures influences the hash. Thus if anything causes the<br=
>
>> normalized ID to change it automatically invalidates the signature=
. When<br>
>> validating a client supporting this BIP would use both the normali=
zed tx<br>
>> ID as well as the legacy tx ID when validating transactions.<br>
>><br>
>> The detailed writeup can be found<br>
>> here: <a href=3D"https://github.com/cdecker/bips/blob/normalized-t=
xid/bip-00nn.mediawiki" target=3D"_blank">https://github.com/cdecker/bips/b=
lob/normalized-txid/bip-00nn.mediawiki</a>.<br>
>><br>
>> @gmaxwell: I'd like to request a BIP number, unless there is s=
omething<br>
>> really wrong with the proposal.<br>
>><br>
>> In addition to being a simple alternative that solves transaction<=
br>
>> malleability it also hugely simplifies higher level protocols. We =
can<br>
>> now use template transactions upon which sequences of transactions=
can<br>
>> be built before signing them.<br>
>><br>
>> I hesitated quite a while to propose it since it does require a ha=
rdfork<br>
>> (old clients would not find the prevTx identified by the normalize=
d<br>
>> transaction ID and deem the spending transaction invalid), but it =
seems<br>
>> that hardforks are no longer the dreaded boogeyman nobody talks ab=
out.<br>
>> I left out the details of how the hardfork is to be done, as it do=
es not<br>
>> really matter and we may have a good mechanism to apply a bunch of=
<br>
>> hardforks concurrently in the future.<br>
>><br>
>> I'm sure it'll take time to implement and upgrade, but I t=
hink it would<br>
>> be a nice addition to the functionality and would solve a long sta=
nding<br>
>> problem :-)<br>
>><br>
>> Please let me know what you think, the proposal is definitely not =
set in<br>
>> stone at this point and I'm sure we can improve it further.<br=
>
>><br>
>> Regards,<br>
>> Christian<br>
>><br>
>><br>
>> ------------------------------------------------------------------=
------------<br>
>> One dashboard for servers and applications across Physical-Virtual=
-Cloud<br>
>> Widest out-of-the-box monitoring support with 50+ applications<br>
>> Performance metrics, stats and reports that give you Actionable In=
sights<br>
>> Deep dive visibility with transaction tracing using APM Insight.<b=
r>
>> <a href=3D"http://ad.doubleclick.net/ddm/clk/290420510;117567292;y=
" target=3D"_blank" style=3D"display:none!important">http://ad.doubleclick.=
net/ddm/clk/290420510;117567292;y</a><br>
>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> Bitcoin-development mailing list<br>
>> <a href=3D"mailto:Bitcoin-development@lists.sourceforge.net" targe=
t=3D"_blank">Bitcoin-development@lists.sourceforge.net</a><br>
>> <a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-de=
velopment" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/b=
itcoin-development</a><br>
><br>
> ----------------------------------------------------------------------=
--------<br>
> One dashboard for servers and applications across Physical-Virtual-Clo=
ud<br>
> Widest out-of-the-box monitoring support with 50+ applications<br>
> Performance metrics, stats and reports that give you Actionable Insigh=
ts<br>
> Deep dive visibility with transaction tracing using APM Insight.<br>
> <a href=3D"http://ad.doubleclick.net/ddm/clk/290420510;117567292;y" ta=
rget=3D"_blank" style=3D"display:none!important">http://ad.doubleclick.net/=
ddm/clk/290420510;117567292;y</a><br>
> _______________________________________________<br>
> Bitcoin-development mailing list<br>
> <a href=3D"mailto:Bitcoin-development@lists.sourceforge.net" target=3D=
"_blank">Bitcoin-development@lists.sourceforge.net</a><br>
> <a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-develo=
pment" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitco=
in-development</a><br>
</blockquote></div></div></div>
--001a11c3474e26df3405166b1a4b--
|
