From: "Jorge Timón" <jtimon@jtimon.cc>
To: s7r@sky-ip.org
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] 75%/95% threshold for transaction versions
Date: Fri, 24 Apr 2015 10:58:11 +0200
Message-ID: <CABm2gDr9t5G6DsyT8ZT_4UbqjhBXkA5cJRZhtZTv+Djz7mpSMg@mail.gmail.com>
In-Reply-To: <CABm2gDoBci9qjGt-FpgzuYvpDrG8iqfzBTnUqFTyYWP5SpLxLA@mail.gmail.com>
Oh, no, sorry, it also covers bip62.
On Fri, Apr 24, 2015 at 10:55 AM, Jorge Timón <jtimon@jtimon.cc> wrote:
> s7r you may be interested in this video explaining several aspects of
> malleability: https://www.youtube.com/watch?v=jyDE-aFqJTs
> It is pre BIP62, but I believe it is very relevant and will hopefully
> clear some of your doubts.
> The signer of TX1 will always be able to change the signature and thus
> the tx ID.
>
> On Sat, Apr 18, 2015 at 4:49 PM, s7r <s7r@sky-ip.org> wrote:
>> Understood. That is unfortunate, but not the end of the world. If you
>> could please give feedback also to these last comments / questions:
>>
>> How far are we at this moment from BIP62? Can a user send a
>> non-malleable tx now, if he enforces some additional rules?
>>
>> As for the security of the system, it does not fully rely on txids being
>> non malleable, but see this quote from my previous email:
>>
>> [QUOTE]
>> I am trying to build a bitcoin contract which will rely on 3 things:
>> - coinjoin / txes with inputs from multiple users which are signed by
>> all users after they are merged together (every user is sure his coins
>> will not be spent without the other users to spend anything, as per
>> agreed contract);
>> - pre-signed txes with nLockTime 'n' weeks. These txes will be signed
>> before the inputs being spent are broadcast/confirmed, using the txid
>> provided by the user before broadcasting it. Malleability hurts here.
>> - P2SH
>>
>> Another thing I would like to confirm, the 3 pieces of the bitcoin
>> protocol mentioned above will be supported in _any_ future transaction
>> version or block version, regardless what changes are made or features
>> added to bitcoin core? The contract needs to be built and left unchanged
>> for a very very long period of time...
>> [/END QUOTE]
>>
>> Can you comment on the quote please?
>>
>> So, basically transaction malleability could affect the system in the
>> way that a pre-signed tx which offers the insurance and which is sent to
>> the user before the user sends the coins (spending user's coins back to
>> him after a certain period of time) could be invalidated. The insurance
>> tx signature will still be good, but invalid overall since the input
>> (txid) being spent does not exist (was altered / modified). The coins
>> won't be stolen or lost, but a new tx needs to be signed with the
>> altered (new) txid, for the system to work.
>>
>> So, a user creates a transaction TX1 sending the coins to the server
>> but does not broadcast it. Instead, he provides the txid of TX1 to the
>> server. Server generates another transaction TX2 which spends TX1 back
>> to the user, with an nLockTime. User checks and if everything ok
>> broadcasts TX1. In case the txid of TX1 will be altered/modified, TX2
>> will become invalid (since it will be spending a nonexistent input), and
>> the server will need to re-create and sign TX2 with the new
>> (altered/modified) txid of TX1, as per agreed contract. Should the
>> server disappear after user broadcasts TX1 and before the
>> altered/modified txid of TX1 gets confirmed, user's coins are forever
>> locked. It is true that no third party can benefit from this type of
>> attack, only the user will end up with coins locked, but it is something
>> which could be used by competition to make a service useless / annoying
>> / too complicated or less safe to use.
>>
>> How could I mitigate this?
>>
>> Thank you for your time and help.
>>
>> On 4/17/2015 12:02 PM, Pieter Wuille wrote:
>>>> Anyone can alter the txid - more details needed. The number of altered
>>>> txids in practice is not so high in order to make us believe anyone can
>>>> do it easily. It is obvious that all current bitcoin transactions are
>>>> malleable, but not by anyone and not that easy. At least I like to
>>>> think so.
>>>
>>> Don't assume that because it does not (frequently) happen, that it
>>> cannot happen. Large amounts of malleated transactions have happened in
>>> the past. Especially if you build a system that depends on non-malleability
>>> for its security, you may at some point have an attacker who has
>>> financial gain from malleation.
>>>
>>>> From your answer I understand that right now if I create a transaction
>>>> (tx1) and broadcast it, you can alter its txid at your will, without any
>>>> mining power and/or access to my private keys so I would end up not
>>>> recognizing my own transaction and probably my change too (if my systems
>>>> rely hardly on txid)?
>>>
>>> In theory, yes, anyone can alter the txid without invalidating it,
>>> without mining power and without access to the sender's private keys.
>>>
>>> All it requires is seeing a transaction on the network, doing a trivial
>>> modification to it, and rebroadcasting it quickly. If the modified
>>> version gets mined, you're out of luck. Having mining power helps of course.
>>>
>>> After BIP62, you will, as a sender, optionally be able to protect others
>>> from malleating. You're always able to re-sign yourself.
>>>
>>> --
>>> Pieter
>>>
>>
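The TX1/TX2 contract s7r describes above, and Pieter's point that the txid commits to every byte of the transaction, modelled as an added Python example (this is not code from the thread or from Bitcoin Core). It serializes transactions in the legacy layout so that the txid really is the double SHA-256 of the full encoding, pre-signs the refund TX2 against TX1's txid, and then runs the check a service would want after TX1 confirms: does TX2 still reference the txid that entered a block? The prevout, scripts and "signatures" are constructed placeholders, and the malleation is simulated by changing one scriptSig byte rather than by any real technique.

```python
import hashlib
import struct

def sha256d(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()
def varint(n: int) -> bytes:
    # CompactSize encoding; every length used here fits in one byte
    return bytes([n]) if n < 0xFD else b"\xfd" + struct.pack("<H", n)

def serialize_tx(version, inputs, outputs, locktime) -> bytes:
    # inputs: (prev_txid_hex, vout, script_sig); outputs: (value_sat, script_pubkey)
    raw = struct.pack("<i", version) + varint(len(inputs))
    for prev_txid, vout, script_sig in inputs:
        raw += bytes.fromhex(prev_txid)[::-1] + struct.pack("<I", vout)
        raw += varint(len(script_sig)) + script_sig + b"\xff\xff\xff\xff"
    raw += varint(len(outputs))
    for value, spk in outputs:
        raw += struct.pack("<q", value) + varint(len(spk)) + spk
    return raw + struct.pack("<I", locktime)

def txid(raw: bytes) -> str:
    # The txid hashes every byte of the serialization, scriptSig included
    return sha256d(raw)[::-1].hex()

def first_prevout_txid(raw: bytes) -> str:
    # txid referenced by input 0: after 4 version bytes and a 1-byte input count
    return raw[5:37][::-1].hex()

# Constructed stand-ins; no real keys, signatures or scripts are involved
FUNDING_PREV, USER_SPK, SERVER_SPK = "11" * 32, b"\x00" * 22, b"\xa9" * 23
USER_SIG, SERVER_SIG = b"\x30" + b"\x44" * 70, b"\x30" + b"\x55" * 70

def funding_tx(script_sig: bytes) -> bytes:
    # TX1: the user pays the server (only the scriptSig varies between versions)
    return serialize_tx(1, [(FUNDING_PREV, 0, script_sig)], [(50_000, SERVER_SPK)], 0)

def refund_tx(funding_txid: str, locktime_blocks: int = 1000) -> bytes:
    # TX2: the server pre-signs a time-locked refund against the txid it was given
    return serialize_tx(1, [(funding_txid, 0, SERVER_SIG)], [(49_000, USER_SPK)], locktime_blocks)

def refund_spendable(tx2: bytes, confirmed_tx1: bytes) -> bool:
    # Once TX1 confirms, TX2 is only usable if it still references the txid that
    # actually entered a block; otherwise it must be re-signed against the new txid
    return first_prevout_txid(tx2) == txid(confirmed_tx1)

def demo():
    tx1 = funding_tx(USER_SIG)
    tx2 = refund_tx(txid(tx1))          # signed before TX1 is broadcast
    # A third party's scriptSig tweak is simulated by changing one constructed byte
    tx1_seen_on_chain = funding_tx(USER_SIG[:-1] + b"\x45")
    return refund_spendable(tx2, tx1), refund_spendable(tx2, tx1_seen_on_chain)
```

Running `demo()` returns `(True, False)`: the refund works against the TX1 the user signed but not against the variant that confirmed, which is the exact failure s7r's contract has to detect and recover from by re-signing TX2.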