public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
* [bitcoin-dev] New BIP: Dealing with dummy stack element malleability
@ 2016-09-02  4:40 Johnson Lau
  2016-09-02  5:47 ` Peter Todd
  2016-09-02 17:10 ` Tom Harding
  0 siblings, 2 replies; 4+ messages in thread
From: Johnson Lau @ 2016-09-02  4:40 UTC (permalink / raw)
  To: bitcoin-dev

https://github.com/bitcoin/bips/pull/440
https://github.com/bitcoin/bitcoin/pull/8636
This document specifies proposed changes to the Bitcoin transaction validity rules to fix the malleability of extra stack element for OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY.

The original plan was to do the LOW_S and NULLDUMMY (BIP146) together with segwit in 0.13.1. However, as we discovered some undocumented behavior in LOW_S, we may want to deploy the LOW_S softfork in a later release. https://github.com/bitcoin/bitcoin/pull/8533#issuecomment-243973512

I will edit the BIP146 later.

  BIP: ?
  Title: Dealing with dummy stack element malleability
  Author: Johnson Lau <jl2012@xbt.hk>
  Status: Draft
  Type: Standards Track
  Created: 2016-09-02

Abstract

This document specifies proposed changes to the Bitcoin transaction validity rules to fix the malleability of extra stack element for OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY.

Motivation

Signature malleability refers to the ability of any relay node on the network to transform the signature in transactions, with no access to the relevant private keys required. For non-segregated witness transactions, signature malleability will change the txid and invalidate any unconfirmed child transactions. Although the txid of segregated witness (BIP141) transactions is not third party malleable, this malleability vector will change the wtxid and may reduce the efficiency of compact block relay (BIP152).

A design flaw in OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY makes them consuming an extra stack element ("dummy element") after signature validation. The dummy element is not inspected in any manner, and could be replaced by any value without invalidating the script. This document specifies a new rule to fix this signature malleability.

Specification

To fix the dummy element malleability, a new consensus rule ("NULLDUMMY") is deployed to require that the dummy element MUST be the empty byte array. Anything else makes the script evaluate to false immediately. The NULLDUMMY rule applies to OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY in pre-segregated scripts, and also pay-to-witness-script-hash scripts described in BIP141.

Deployment

This BIP will be deployed by "version bits" BIP9 using the same parameters for BIP141 and BIP143, with the name "segwit" and using bit 1.

For Bitcoin mainnet, the BIP9 starttime is midnight TBD UTC (Epoch timestamp TBD) and BIP9 timeout is midnight TBD UTC (Epoch timestamp TBD).

For Bitcoin testnet, the BIP9 starttime is midnight 1 May 2016 UTC (Epoch timestamp 1462060800) and BIP9 timeout is midnight 1 May 2017 UTC (Epoch timestamp 1493596800).

Compatibility

The reference client has produced compatible signatures from the beginning, and the NULLDUMMY rule has been enforced as relay policy by the reference client since v0.10.0. There has been no transactions violating the requirement being added to the chain since at least August 2015. In addition, every non-compliant signature can trivially be converted into a compliant one, so there is no loss of functionality by this requirement.

Implementation

An implementation for the reference client is available at https://github.com/bitcoin/bitcoin/pull/8636

Acknowledgements

This document is extracted from the previous BIP62 proposal, which was composed by Pieter Wuille and had input from various people.

Copyright

This document is placed in the public domain.


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [bitcoin-dev] New BIP: Dealing with dummy stack element malleability
  2016-09-02  4:40 [bitcoin-dev] New BIP: Dealing with dummy stack element malleability Johnson Lau
@ 2016-09-02  5:47 ` Peter Todd
  2016-09-02 17:10 ` Tom Harding
  1 sibling, 0 replies; 4+ messages in thread
From: Peter Todd @ 2016-09-02  5:47 UTC (permalink / raw)
  To: Johnson Lau, Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 1422 bytes --]

On Fri, Sep 02, 2016 at 12:40:58AM -0400, Johnson Lau via bitcoin-dev wrote:
> Deployment
> 
> This BIP will be deployed by "version bits" BIP9 using the same parameters for BIP141 and BIP143, with the name "segwit" and using bit 1.
> 
> For Bitcoin mainnet, the BIP9 starttime is midnight TBD UTC (Epoch timestamp TBD) and BIP9 timeout is midnight TBD UTC (Epoch timestamp TBD).
> 
> For Bitcoin testnet, the BIP9 starttime is midnight 1 May 2016 UTC (Epoch timestamp 1462060800) and BIP9 timeout is midnight 1 May 2017 UTC (Epoch timestamp 1493596800).
> 
> Compatibility
> 
> The reference client has produced compatible signatures from the beginning, and the NULLDUMMY rule has been enforced as relay policy by the reference client since v0.10.0. There has been no transactions violating the requirement being added to the chain since at least August 2015. In addition, every non-compliant signature can trivially be converted into a compliant one, so there is no loss of functionality by this requirement.

This should say "for all scriptPubKey types in actual use, non-compliant
signatures can trivially be converted into compliant ones"

You can of course create a scriptPubKey where that's not possible, but
fortunately no-one appears to do that.


Also, as original author of NULLDUMMY, thanks for finally making it into a
soft-fork!

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 455 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [bitcoin-dev] New BIP: Dealing with dummy stack element malleability
  2016-09-02  4:40 [bitcoin-dev] New BIP: Dealing with dummy stack element malleability Johnson Lau
  2016-09-02  5:47 ` Peter Todd
@ 2016-09-02 17:10 ` Tom Harding
  2016-09-04 12:29   ` Johnson Lau
  1 sibling, 1 reply; 4+ messages in thread
From: Tom Harding @ 2016-09-02 17:10 UTC (permalink / raw)
  To: bitcoin-dev

On 9/1/2016 9:40 PM, Johnson Lau via bitcoin-dev wrote:
> This BIP will be deployed by "version bits" BIP9 using the same parameters for BIP141 and BIP143, with the name "segwit" and using bit 1.
>

This fix has value outside of segwit.  Why bundle the two together? 
Shouldn't miners have to opportunity to vote on them independently?




^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [bitcoin-dev] New BIP: Dealing with dummy stack element malleability
  2016-09-02 17:10 ` Tom Harding
@ 2016-09-04 12:29   ` Johnson Lau
  0 siblings, 0 replies; 4+ messages in thread
From: Johnson Lau @ 2016-09-04 12:29 UTC (permalink / raw)
  To: Tom Harding, Bitcoin Protocol Discussion

Although it is technically possible to bundle 2 independent softforks in one release, it increases the burden of testing and maintenance. We need to test and prepare for 4 scenarios: both not activated, only NULLDUMMY activated, only SEGWIT activated, and both activated.

Also, as we learnt from BIP66, softfork activation could be risky. It is evident that today a non-negligible percentage of miners are hard-coding the block version number. This increases the risks of softfork transition as miners may not enforce what they are signaling (btw this is also happening on testnet) Making 2 independently softforks would double the risks, and I believe NULLDUMMY alone is not worth the risks.
 
> On September 2, 2016 at 1:10 PM Tom Harding via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> 
> 
> On 9/1/2016 9:40 PM, Johnson Lau via bitcoin-dev wrote:
> > This BIP will be deployed by "version bits" BIP9 using the same parameters for BIP141 and BIP143, with the name "segwit" and using bit 1.
> >
> 
> This fix has value outside of segwit.  Why bundle the two together? 
> Shouldn't miners have to opportunity to vote on them independently?
> 
> 
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2016-09-04 12:29 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-09-02  4:40 [bitcoin-dev] New BIP: Dealing with dummy stack element malleability Johnson Lau
2016-09-02  5:47 ` Peter Todd
2016-09-02 17:10 ` Tom Harding
2016-09-04 12:29   ` Johnson Lau

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox