From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WGHPC-0002MG-QC for bitcoin-development@lists.sourceforge.net; Thu, 20 Feb 2014 00:22:22 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmail.com designates 74.125.82.182 as permitted sender) client-ip=74.125.82.182; envelope-from=natanael.l@gmail.com; helo=mail-we0-f182.google.com; Received: from mail-we0-f182.google.com ([74.125.82.182]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1WGHPB-0004u0-HJ for bitcoin-development@lists.sourceforge.net; Thu, 20 Feb 2014 00:22:22 +0000 Received: by mail-we0-f182.google.com with SMTP id u57so944613wes.13 for ; Wed, 19 Feb 2014 16:22:15 -0800 (PST) MIME-Version: 1.0 X-Received: by 10.180.98.35 with SMTP id ef3mr4115966wib.39.1392855735181; Wed, 19 Feb 2014 16:22:15 -0800 (PST) Received: by 10.194.54.10 with HTTP; Wed, 19 Feb 2014 16:22:15 -0800 (PST) Received: by 10.194.54.10 with HTTP; Wed, 19 Feb 2014 16:22:15 -0800 (PST) In-Reply-To: References: <52FBD948.906@monetize.io> <201402122252.31060.luke@dashjr.org> <601EE159-9022-4ADF-80AC-7E1C39E86A65@mac.com> Date: Thu, 20 Feb 2014 01:22:15 +0100 Message-ID: From: Natanael To: Pieter Wuille Content-Type: multipart/alternative; boundary=f46d044401d851aa9e04f2cb7f4a X-Spam-Score: -0.6 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (natanael.l[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1WGHPB-0004u0-HJ Cc: bitcoin-development@lists.sourceforge.net Subject: Re: [Bitcoin-development] [RFC] [BIP proposal] Dealing with malleability X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Feb 2014 00:22:23 -0000 --f46d044401d851aa9e04f2cb7f4a Content-Type: text/plain; charset=UTF-8 Regarding chains of transactions intended to be published at once together, wouldn't it be easier to add a "only-mine-with-child flag"? That way the parent transactions aren't actually valid unless spent together with the transaction that depends on it, and only the original will have a child referencing it. Then malleability is not an issue at all for transaction chains if you only need to broadcast your full transaction chain once, and don't need to extend it in two or more occasions, *after* broadcasting subchains to the network, from the same set of pregenerated transactions. If you need to broadcast pregenerated subchains separately, then you need the last child in the chain to be non-malleable. This would require all miners to start to respect it at once in order to avoid forking the network. - Sent from my phone Den 19 feb 2014 22:13 skrev "Pieter Wuille" : > On Wed, Feb 19, 2014 at 9:28 PM, Michael Gronager > wrote: > > I think that we could guarantee fewer incidents by making version 1 > transactions unmalleable and then optionally introduce a version 3 that > supported the malleability feature. That way most existing problematic > implementations would be fixed and no doors were closed for people > experimenting with other stuff - tx v 3 would probably then be called > experimental transactions. > > Just to be clear: this change is not directly intended to avoid > "incidents". It will take way too long to deploy this. Software should > deal with malleability. This is a longer-term solution intended to > provide non-malleability guarantees for clients that a) are upgraded > to use them b) willing to restrict their functionality. As there are > several intended use cases for malleable transactions (the sighash > flags pretty directly are a way to signify what malleabilities are > *wanted*), this is not about outlawing malleability. > > While we could right now make all these rules non-standard, and > schedule a soft fork in a year or so to make them illegal, it would > mean removing potential functionality that can only be re-enabled > through a hard fork. This is significantly harder, so we should think > about it very well in advance. > > About new transaction and block versions: this allows implementing and > automatically scheduling a softfork without waiting for wallets to > upgrade. The non-DER signature change was discussed for over two > years, and implemented almost a year ago, and we still notice wallets > that don't support it. We can't expect every wallet to be instantly > modified (what about hardware wallets like the Trezor, for example? > they may not just be able to be upgraded). Nor is it necessary: if > your software only spends confirmed change, and tracks all debits > correctly, there is no need. > > -- > Pieter > > > ------------------------------------------------------------------------------ > Managing the Performance of Cloud-Based Applications > Take advantage of what the Cloud has to offer - Avoid Common Pitfalls. > Read the Whitepaper. > > http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > --f46d044401d851aa9e04f2cb7f4a Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

Regarding chains of transactions intended to be published at= once together, wouldn't it be easier to add a "only-mine-with-chi= ld flag"?

That way the parent transactions aren't actually valid u= nless spent together with the transaction that depends on it, and only the = original will have a child referencing it.

Then malleability is not an issue at all for transaction cha= ins if you only need to broadcast your full transaction chain once, and don= 't need to extend it in two or more occasions, *after* broadcasting sub= chains to the network, from the same set of pregenerated transactions.

If you need to broadcast pregenerated subchains separately, = then you need the last child in the chain to be non-malleable.

This would require all miners to start to respect it at once= in order to avoid forking the network.

- Sent from my phone

Den 19 feb 2014 22:13 skrev "Pieter Wuille&= quot; <pieter.wuille@gmail.co= m>:
On Wed, Feb 19, 2014 at 9:28 PM, Michael Gronager <gronager@mac.com> wrote:
> I think that we could guarantee fewer incidents by making version 1 tr= ansactions unmalleable and then optionally introduce a version 3 that suppo= rted the malleability feature. That way most existing problematic implement= ations would be fixed and no doors were closed for people experimenting wit= h other stuff - tx v 3 would probably then be called experimental transacti= ons.

Just to be clear: this change is not directly intended to avoid
"incidents". It will take way too long to deploy this. Software s= hould
deal with malleability. This is a longer-term solution intended to
provide non-malleability guarantees for clients that a) are upgraded
to use them =C2=A0b) willing to restrict their functionality. As there are<= br> several intended use cases for malleable transactions (the sighash
flags pretty directly are a way to signify what malleabilities are
*wanted*), this is not about outlawing malleability.

While we could right now make all these rules non-standard, and
schedule a soft fork in a year or so to make them illegal, it would
mean removing potential functionality that can only be re-enabled
through a hard fork. This is significantly harder, so we should think
about it very well in advance.

About new transaction and block versions: this allows implementing and
automatically scheduling a softfork without waiting for wallets to
upgrade. The non-DER signature change was discussed for over two
years, and implemented almost a year ago, and we still notice wallets
that don't support it. We can't expect every wallet to be instantly=
modified (what about hardware wallets like the Trezor, for example?
they may not just be able to be upgraded). Nor is it necessary: if
your software only spends confirmed change, and tracks all debits
correctly, there is no need.

--
Pieter

---------------------------------------------------------------------------= ---
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gam= pad/clk?id=3D121054471&iu=3D/4140/ostg.clktrk
_______________________________________________
Bitcoin-development mailing list
Bitcoin-develo= pment@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-de= velopment
--f46d044401d851aa9e04f2cb7f4a--