From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 95097486 for ; Thu, 5 Nov 2015 22:29:49 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from mout.perfora.net (mout.perfora.net [74.208.4.197]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id EDE1F124 for ; Thu, 5 Nov 2015 22:29:48 +0000 (UTC) Received: from mail-io0-f173.google.com ([209.85.223.173]) by mrelay.perfora.net (mreueus003) with ESMTPSA (Nemesis) id 0LxdxF-1aUqVb08WR-017HrU for ; Thu, 05 Nov 2015 23:29:48 +0100 Received: by iody8 with SMTP id y8so105817490iod.1 for ; Thu, 05 Nov 2015 14:29:46 -0800 (PST) MIME-Version: 1.0 X-Received: by 10.107.15.31 with SMTP id x31mr12562494ioi.51.1446762586973; Thu, 05 Nov 2015 14:29:46 -0800 (PST) Received: by 10.50.180.199 with HTTP; Thu, 5 Nov 2015 14:29:46 -0800 (PST) In-Reply-To: <201511051936.09500.luke@dashjr.org> References: <201511032201.21047.luke@dashjr.org> <201511051936.09500.luke@dashjr.org> Date: Thu, 5 Nov 2015 23:29:46 +0100 X-Gmail-Original-Message-ID: Message-ID: From: Adam Back To: Luke Dashjr Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Provags-ID: V03:K0:81Dlf8bKIFrZBYJl43vnMN/r5IlBxDdoAvFg5N8hq/hhkiYAh8y tJcg2Exje5Qg1Uz7ONaIgcMqW3joJNJoRm4RsZ2R+vitRoap/u/eNv77TeKWPNFTJvxY9FQ 6a1rNUiG8UXBQ05VPsuPGkbvpLlFdxZrOxYtUrJOp11jLTzfR3am6OLIoWpdFE1bU67cwIL ll81FGn6L/bvjsTVKIhyg== X-UI-Out-Filterresults: notjunk:1;V01:K0:UgHz85KIkig=:LFJpRtWapYkYnDA8BkE5N8 bJW6v2V4TkwETbLVt063qo3ElXTlPCoDOjkwpaa0aL3t5cDpeVVOtrKlc0pvlz/1R660ryf2K rkN8m0+qVX2yVjJbRSq2cvIGmARp9l2Eb6QterKYiprvI+xblb7pvJX/6AU38ZsF8AyBHDm1x LH8mZv/E4+27n4J/cAU0E5mIJDiXPcZ69zMUEpAWSSDFfWbC0ICAZdETqtR8Flq5Y0VKUxK+/ 8Ma7tNScDj6MzZ3OAt0ba6lBVtce2sJvkpA0TKTI4VQ4s+wGM6lswnwOaAQxu7RbRuBlS2wZn AnlmFn63swfQecpUH68fLHQB7+G/7Hnur5kPzuUvVeBdwG7Ex+e2MTJaMSPBcbMkR9z2ZKHGa ZMH1ofHztOuxfq0K2zb8XSix5DAtwj99jkvMvcq9JDWkeA7khxhM5TwVduoqx8Is4Syfh23Vn s2voCVTq+//RGejhfndsXTit4ZMdNWS7PL8sSHbE0LfZuAIm46wvmuj5viZFZmSDKLJxB8A0Q 2ssuJdegKp2zc+B3gb2uRTjv71fzp9f5QA5q1oGhWy5V+1MM92pQOs8RrJjRiBJ0wZ4XJHOnG ZzD8LC9j0f8NlVBdXBSJ5yVF5r4gVkYxSNgkQxOqHLTGOgyG7CPyYOM420mMkue83UFaFz9Io za2v2s9dtL7BioryZVfcyB06UVtnTBr3avlHURiEQMAi+eJD2yS9dPizCbCLdqDAr/5OUgHAX iOLqxjSNespsWYcr X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Thu, 05 Nov 2015 22:30:58 +0000 Cc: Bitcoin Dev Subject: Re: [bitcoin-dev] [BIP] Normalized transaction IDs X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Nov 2015 22:29:49 -0000 About the conflicting spends by the private key holder (self signature malleability) that is in principle kind of fixable. You make a new pub key type which is r,Q (where r is the DSA signature component but chosen at key gen time, Q=3DxG is the pub key, r is point compressed R =3D (r,f(r)) =3D kG ), r is the pre-computable part of an ECDSA signature (unrelated to the message which can be decided later). You make a new address type which is a =3D H(r,Q). Then you make a new signature type which requires that the r from sig=3D(r,s) matches the r committed to in the address. As the ECDSA signature is s=3D(H(m)+r*x)/k mod n, if they sign two different messages with the same r value they reveal the private key via simultaneous equation, as s=3D(H(m)+r*x)/k and s'=3D(H(m')+r*x)/k and solving k=3D(H(m)-H(m'))/(s-s') and x=3D(sk-H(m))/r allowing anyone who sees both double spends to spend as they can replace the signature with their own one. That converts double signatures into miner can spend. It doesnt necessarily enforce no pubkey reuse (Q), as a=3DH(r,Q) and a'=3DH(r',Q) are different addresses, though it does enforce no extended-address reuse (H=3D(r,Q)). Binary failure address reuse could be an issue. Puts pressure on transactional storage on wallets. Adam On 5 November 2015 at 20:36, Luke Dashjr via bitcoin-dev wrote: > On Thursday, November 05, 2015 3:27:37 PM Jorge Tim=C3=B3n wrote: >> On Tue, Nov 3, 2015 at 11:01 PM, Luke Dashjr via bitcoin-dev >> >> wrote: >> > On Tuesday, November 03, 2015 9:44:02 PM Christian Decker wrote: >> >> So this is indeed a form of desired malleability we will likely not b= e >> >> able to fix. I'd argue that this goes more into the direction of >> >> double-spending than a form of malleability, and is mostly out of sco= pe >> >> for this BIP. As the abstract mentions this BIP attempts to eliminate >> >> damage incurred by malleability in the third party modification >> >> scenario and in the multisig scenario, with the added benefit of >> >> enabling transaction templating. If we can get the segregated witness= es >> >> approach working all the better, we don't even have the penalty of >> >> increased UTXO size. The problem of singlesig users doublespending >> >> their outputs to update transactions remains a problem even then. >> > >> > I don't know what you're trying to say here. Double spending to the sa= me >> > destination(s) and malleability are literally the same thing. Things >> > affected by malleability are still just as broken even with this BIP - >> > whether it is triggered by a third-party or not is not very relevant. >> >> I think this is just a terminology confusion. >> There's conflicting spends of the same outputs (aka unconfirmed >> double-spends), and there's signature malleability which Segregated >> Witnesses solves. >> If we want to define malleability as signature malleability + >> conflicting spends, then that's fine. >> But it seems Christian is mostly interested in signature malleability, >> which is what SW can solve. >> In fact, creating conflicting spends is sometimes useful for some >> contracts (ie to cancel the contract when that's supposed to be >> allowed). >> Maybe it is "incorrect" that people use "malleability" when they're >> specifically talking about "signature malleability", but I think that >> in this case it's clear that we're talking about transactions having >> an id that cannot be changed just by signing with a different nonce >> (what SW provides). > > Ok, then my point is that "signature malleability" is not particularly > problematic or interesting alone, and the only way to get a practically-u= seful > solution, is to address all kinds of malleability. > > Luke > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev