From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1Yj2AM-0002gR-Vd for bitcoin-development@lists.sourceforge.net; Fri, 17 Apr 2015 09:02:26 +0000 Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.215.43 as permitted sender) client-ip=209.85.215.43; envelope-from=pieter.wuille@gmail.com; helo=mail-la0-f43.google.com; Received: from mail-la0-f43.google.com ([209.85.215.43]) by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1Yj2AL-0001MU-UA for bitcoin-development@lists.sourceforge.net; Fri, 17 Apr 2015 09:02:26 +0000 Received: by laat2 with SMTP id t2so75257103laa.1 for ; Fri, 17 Apr 2015 02:02:19 -0700 (PDT) MIME-Version: 1.0 X-Received: by 10.152.203.162 with SMTP id kr2mr1701770lac.68.1429261339591; Fri, 17 Apr 2015 02:02:19 -0700 (PDT) Received: by 10.112.19.7 with HTTP; Fri, 17 Apr 2015 02:02:19 -0700 (PDT) Received: by 10.112.19.7 with HTTP; Fri, 17 Apr 2015 02:02:19 -0700 (PDT) In-Reply-To: <55304321.3030300@sky-ip.org> References: <552EF785.7000207@sky-ip.org> <552FDF73.6010104@sky-ip.org> <55304321.3030300@sky-ip.org> Date: Fri, 17 Apr 2015 02:02:19 -0700 Message-ID: From: Pieter Wuille To: s7r@sky-ip.org Content-Type: multipart/alternative; boundary=001a113463267007ea0513e7d6eb X-Spam-Score: -0.6 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (pieter.wuille[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1Yj2AL-0001MU-UA Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] 75%/95% threshold for transaction versions X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Apr 2015 09:02:27 -0000 --001a113463267007ea0513e7d6eb Content-Type: text/plain; charset=ISO-8859-1 > Anyone can alter the txid - more details needed. The number of altered > txids in practice is not so high in order to make us believe anyone can > do it easily. It is obvious that all current bitcoin transactions are > malleable, but not by anyone and not that easy. At least I like to think so. Don't assume that because it does not (frequently) happen, that it cannot happen. Large amounts of malleated transactions have happened in the past. Especially if you build a system depends on non-malleability for its security, you may at some point have an attacker who has financial gain from malleation. > >From your answer I understand that right now if I create a transaction > (tx1) and broadcast it, you can alter its txid at your will, without any > mining power and/or access to my private keys so I would end up not > recognizing my own transaction and probably my change too (if my systems > rely hardly on txid)? In theory, yes, anyone can alter the txid without invalidating it, without mining power and without access to the sender's private keys. All it requires is seeing a transaction on the network, doing a trivial modification to it, and rebroadcasting it quickly. If the modifies version gets mined, you're out of luck. Having mining power helps of course. After BIP62, you will, as a sender, optionally be able to protect others from malleating. You're always able to re-sign yourself. -- Pieter --001a113463267007ea0513e7d6eb Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

> Anyone can alter the txid - more details needed. The nu= mber of altered
> txids in practice is not so high in order to make us believe anyone ca= n
> do it easily. It is obvious that all current bitcoin transactions are<= br> > malleable, but not by anyone and not that easy. At least I like to thi= nk so.

Don't assume that because it does not (frequently) happe= n, that it cannot happen. Large amounts of malleated transactions have happ= ened in the past. Especially if you build a system depends on non-malleabil= ity for its security, you may at some point have an attacker who has financ= ial gain from malleation.

> >From your answer I understand that right now if I c= reate a transaction
> (tx1) and broadcast it, you can alter its txid at your will, without a= ny
> mining power and/or access to my private keys so I would end up not > recognizing my own transaction and probably my change too (if my syste= ms
> rely hardly on txid)?

In theory, yes, anyone can alter the txid without invalidati= ng it, without mining power and without access to the sender's private = keys.

All it requires is seeing a transaction on the network, doin= g a trivial modification to it, and rebroadcasting it quickly. If the modif= ies version gets mined, you're out of luck. Having mining power helps o= f course.

After BIP62, you will, as a sender, optionally be able to pr= otect others from malleating. You're always able to re-sign yourself.

--
Pieter

--001a113463267007ea0513e7d6eb--