1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193]
helo=mx.sourceforge.net)
by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <rusty@ozlabs.org>) id 1Z4K9V-0003G2-Ff
for bitcoin-development@lists.sourceforge.net;
Mon, 15 Jun 2015 02:29:33 +0000
Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of ozlabs.org
designates 103.22.144.67 as permitted sender)
client-ip=103.22.144.67; envelope-from=rusty@ozlabs.org;
helo=ozlabs.org;
Received: from ozlabs.org ([103.22.144.67])
by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.76) id 1Z4K9U-0004qQ-2U
for bitcoin-development@lists.sourceforge.net;
Mon, 15 Jun 2015 02:29:33 +0000
Received: by ozlabs.org (Postfix, from userid 1011)
id 2DF3614027F; Mon, 15 Jun 2015 12:29:24 +1000 (AEST)
From: Rusty Russell <rusty@rustcorp.com.au>
To: Gregory Maxwell <gmaxwell@gmail.com>
In-Reply-To: <CAAS2fgRgWZX_O_2O1bgdFd_04xVp5Lnpw4hf=v6RSTXmsbdzPQ@mail.gmail.com>
References: <87k2vhfnx9.fsf@rustcorp.com.au>
<CAAS2fgRgWZX_O_2O1bgdFd_04xVp5Lnpw4hf=v6RSTXmsbdzPQ@mail.gmail.com>
User-Agent: Notmuch/0.17 (http://notmuchmail.org) Emacs/24.4.1
(x86_64-pc-linux-gnu)
Date: Mon, 15 Jun 2015 11:59:11 +0930
Message-ID: <87r3pdembs.fsf@rustcorp.com.au>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -1.0 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 SPF_PASS SPF: sender matches SPF record
-0.4 RP_MATCHES_RCVD Envelope sender domain matches handover relay
domain
0.9 AWL AWL: Adjusted score from AWL reputation of From: address
X-Headers-End: 1Z4K9U-0004qQ-2U
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] [RFC] Canonical input and output ordering
in transactions
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Mon, 15 Jun 2015 02:29:33 -0000
Gregory Maxwell <gmaxwell@gmail.com> writes:
> I'm not a great fan of this proposal for two reasons: The first is
> that the strict ordering requirements is incompatible with future
> soft-forks that may expose additional ordering constraints. Today we
> have _SINGLE, which as noted this interacts with poorly, but there
> have been other constraints proposed that this would also interact
> with poorly.
Yes, I hit this when I implemented an IsStandard change; upon input
evaluation the scriptsigs which used _SINGLE get disregarded from
ordering.
> The second is that even absent consensus rules there may be invisible
> constraints in systems-- e.g. hardware wallets that sign top down,
I think that one's pretty easy to fix (and they should fix it anyway, to
avoid leaking information due to ordering): they can receive an
unordered tx and sign it as if it were ordered canonically.
> or
> future transaction covenants that have constraints about ordering, or
> proof systems that use (yuck) midstate compression for efficiency.
The softfork argument I find the most compelling, though it's tempting
to argue that every ordering use (including SIGHASH_SINGLE) is likely
a mistake.
> I think perhaps the motivations here are understated. We have not seen
> any massive deployments of accidentally broken ordering that I'm aware
> of-- and an implementation that got this wrong in a harmful way would
> likely make far more fatal mistakes (e.g. non random private keys).
I was prompted to propose something by this:
https://blog.blocktrail.com/2015/05/getting-your-change-in-order/
If that's the only one though, it's less compelling.
> As an alternative to this proposal the ordering can be privately
> derandomized in the same way DSA is, to avoid the need for an actual
> number source. If getting the randomness right were really the only
> motivation, I'd suggest we propose a simple derandomized randomization
> algorithm--- e.g. take the order from (H(input ids||client secret)).
>
> I think there is actually an unstated motivation also driving this
> (and the other) proposal related to collaborative transaction systems
> like coinjoins or micropayment channels; where multiple clients need
> to agree on the same ordering. Is this the case? If so we should
> probably talk through some of the requirements there and see if there
> isn't a better way to address it.
Indeed. I was implementing deterministic permutations for lightning
(signature exchange requires both sides agree on ordering).
Cheers,
Rusty.
|
