From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 04FF2AD2 for ; Thu, 5 Jul 2018 11:52:09 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail.sldev.cz (mail.sldev.cz [88.208.115.66]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 1AA0C765 for ; Thu, 5 Jul 2018 11:52:08 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.sldev.cz (Postfix) with ESMTP id D2262E105A; Thu, 5 Jul 2018 11:52:05 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at mail.sldev.cz Received: from mail.sldev.cz ([127.0.0.1]) by localhost (mail.sldev.cz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xgAZIt49cuqf; Thu, 5 Jul 2018 11:52:03 +0000 (UTC) Received: from [10.8.0.37] (unknown [10.8.0.37]) by mail.sldev.cz (Postfix) with ESMTPSA id 54A8CE0F72; Thu, 5 Jul 2018 11:52:03 +0000 (UTC) From: matejcik To: Pieter Wuille References: <881def14-696c-3207-cf6c-49f337ccf0d1@satoshilabs.com> <95137ba3-1662-b75d-e55f-893d64c76059@satoshilabs.com> Openpgp: preference=signencrypt Autocrypt: addr=jan.matejek@satoshilabs.com; prefer-encrypt=mutual; keydata= xsFNBFqFmMgBEADPJ8NULpuu0nwox/tIfo+slGfcXZLUEZstNoaY9QgNuILJRtoJ6xZy8rQf S7iQlkaZcrpMJYdZtkRHvndkceBxesCG8io6tsU+t2SK6AvaW0FG95a9shFM/U9/JVO/QmBi IuQzbiE2XTZ/JStyEp4zpuyJqX1o9gzS/4MBXwj7Rzk8u+fHI28h96HILC2a0mC+c2gJ7f5t o/w+vxFZmk06COK08W5+odb9I8mjs0uf7jgTUEFrfwi6oCoTFmSon7cOy/WTieClwF/vUKuJ DBAtsMh2rxh8IHyH8xpR+Ay/K6jUWqeb3P2csQqMXmquYG/qdaHjQgxyuoJFbn+nT6jNGVQZ MjpZkMrGnjLccecaXlgx/rZK6ElCZ1PDHKOTW7A1YY1/eG7TWYnVv1ehQLueAoqyyfiEutsK E5jGbR0AmNjCahpeK7dxj+8g8TXpVsH207xJ+mqOm5RYqlX4OzfVvcnoHhlRIOu85i4I9rWm 1u/pP6uJFnBCKtuhhbmXCxM6wF7W5U6EVW3yymsPmSoVoaR024vffE3L5jZSsDMRxY6fDXNm ljRnOpT3l3d+kMVdAM3CdDCgmV87fdo4PAaGDfnmufGue/Gp0RiLCe/Wsm4DgIIa5UK6DmzD q0B6i9y/GJSPUChzZ8y7fYzuyXdpk/13gV2NRsskg9oXJVd1vQARAQABzSZtYXRlamNpayA8 amFuLm1hdGVqZWtAc2F0b3NoaWxhYnMuY29tPsLBfQQTAQgAJwUCWoWYyAIbIwUJCWYBgAUL CQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRDGf7EG5O0XHoU0D/4+fTbt4KELEtnpkirDH4mQ Vt3KtKJrI/gp/3u+r6jUWMv2V9iRFMs09GAVBmE2DkXXIlfaT1P0QfwVSpHC4k5lwKwSCSyS MUgBbQGPOiYMCgMQ+in4vjlqWWcx6jjlgxQctQHRrVG5jyi7BSb0jwG8rcYtx8SAYkN4joG/ oy2zMbq6qu+Vsl+xR5WwWF2mcUUyiVo7dSwNy+1PaeygOR9xAWkM8J42ckLfJgvyLSviBKnU 9rgg94ryEDAMNUL5yJUygQmUM/jdpyBpBycRbWMB+zIYDPVGnFj4vN8Hs9DyGUHVb2OqSW+q VPxD7U9m9z6J3NnY9HpaFX1DD8leK3TebpyYaeODY5jyk7retuLrMq+W4kJU0290xzlWa9sU wa7lTWw63pelfPUKZ+mjhSFQSZBqiuNv67CBd/UmoqMWSDrCWj+3IFQxReFbh47Wl4MUX2cK cLocYkBzDck7hH4YfK6jJ++teN6RKXr7P1y6EI25WEfJxWK9say7x/FRkNW0s98MxtOuwEsm /vHqHQQanAT4R5l+Rr7XfU7fpmH0As98qD81lc3RHbrxEXgA0ks2VuCxBWsPpzaHUFPOcE9H hsg1jSEDi/Mo6D4e2ap7FYXDgZiKye9WnSdPlVBqJxqinDDgSBv5wzKaEGQS0MKrF9myS7d0 pBSy1Dr6IWOegM7BTQRahZjIARAAwwT6h4IFvs/hmY9KHiX/GIbvybQUU71ZWYRE2KKo5E2c ZXBJj7SiDtU80bS+NCSeF2c0i4xOYgZlIYMqlgS8k1zfdBt/JHmG3tm1JgohVj+pm42RfBAF d0y05zz5wysQOw1M4WlWKZH0ameM+0/AGqspeZushWay8Q4yx1dO/6MeyPy/NwE/MKEsCOPV aN28DndN3iKOyriCQt/IhG/n6ORPRGyei3JYqxsnpW36BOmSPWJ7Qj2pFw53p5coPOEDL8mN Ique0LJZ3zVFVMa4i7HtqIEnYO+ZnKx2G8aLsHEir2pzBv6tMwlgETcUTVfK1ePN7OzhYy4q a38hMWzk0db2V+gOlAu6SuAi1ANkcPhCPUWxPIvXiNdd9iwe5gOzFy0FoZxj22rFwgUX8wcc cfWStgoE1MGE9G5zrqc01R0x7by8BOFkImAwTyJ9vq4jG+w7Npky3PhoHPgCT5knV7Q91U2I TqPOQBcMda0B+4LOaElb1sXqe44dHwcg4dMVngaea5xL7winSqU2Gtm6pqFAGut5F7JiYhPb dGUHJPMS67ONkKe5ARu/Z/r9XoFe2TxpkvNJ/+QJQ3PCiJ6ya31ij6HOIfFbZr3xlTyU/DvG SejIvDK/SnJMw+/x60bYAshYBp0uQgih1ugtoZh7cnKj3KfhlpXT0mL8rsl1QHsAEQEAAcLB ZQQYAQgADwUCWoWYyAIbDAUJCWYBgAAKCRDGf7EG5O0XHs2xD/92sa5L6gafP/rRKfo9u3/w s+7E/kKPgG4VGDeirLo8hbinCjPr0cfZ7OgDDvp0zy6lTdZc2tcHsEbiPqblzaSZimV5Y3EQ eIzz0UhY6YdDELr8pvdnB8qnOJHXgWmZTRYkRgxFOWI3v4STmOYZQ7MFv0kHBfV3htCjYTHS Qx2jQO4CTbcSEbkVwNv56OiZroabrHRf0WUSyzElf13P/MRFjUJFYYZDqc0iOWUh4QeXbFiY fLYpOCtm0nqaDdG1VD4jMpKq1FKBvTw4id1i7pONENd4BB7ytnDvKGdVI6oDnGUBsc5VUrEa h1PbbshNMbRtFigeMe8998jWhK4jQzeuDr0FSBlhxbluGfyMUgk7s6aBC9BOsdDkgtJk1Fd/ j9sWOj8Pxzc4lMQRfygm+QxxLdqa36Qh3oK+jfK7362CXlqBfb9ryerjfFGY4VqMBzQ+BFtj lYZSdVzGWlmLD9D88wzeByIZMScQPvrXSFwPO2/TuOQNCo0VHcgHpNFzeMRK2eT8bhry+dlq U+0Kxy2gQijw9j/EZlqR3w053EwUrfAAmHHeYPimXK4pc8oSw0s1A6hQO7Vc0SgblF8taFTM UhRR7xZg+l5vybAgrDYVL75b9CDscZqd7WVmZx+xU23sUG6SaxXI7PV6bPuMug0fD3SAsieu +vypQ3jCcUKGrA== Message-ID: Date: Thu, 5 Jul 2018 13:52:02 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="MsZs8g17MnNnhNbzR0cOTbY5gupnIvtkj" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Fri, 06 Jul 2018 18:31:18 +0000 Cc: Bitcoin Protocol Discussion Subject: [bitcoin-dev] BIP 174 thoughts X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Jul 2018 11:52:09 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --MsZs8g17MnNnhNbzR0cOTbY5gupnIvtkj Content-Type: multipart/mixed; boundary="hGfaFY68jyO83HMk0dpT1P6Dg827fE0oW"; protected-headers="v1" From: matejcik To: Pieter Wuille Cc: Achow101 , Bitcoin Protocol Discussion , Tomas Susanka Message-ID: Subject: [bitcoin-dev] BIP 174 thoughts References: <881def14-696c-3207-cf6c-49f337ccf0d1@satoshilabs.com> <95137ba3-1662-b75d-e55f-893d64c76059@satoshilabs.com> In-Reply-To: --hGfaFY68jyO83HMk0dpT1P6Dg827fE0oW Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 4.7.2018 20:35, Achow101 wrote: > You cannot simply reject PSBTs for having conflicting values for the sa= me key. Especially > for the Partial Signatures, you can have two signatures for the same pu= bkey that are both (...) > order to avoid the conflict. That complicates things and is much more a= nnoying to deal with. > So a simple solution is to allow the combiner to choose any value it wa= nts as it is likely that > both values are valid. > > Allowing combiners to choose any value also allows for intelligent comb= iners to choose the > correct values in the case of conflicts. A smart combiner could, when c= ombining redeem scripts > and witness scripts, check that the redeem scripts and witness scripts = match the hash provided > in the UTXO (or in the redeem script) and choose the correct redeem scr= ipt and witness script > accordingly if there were, for some reason, a conflict there. > > Can you explain why it would be unsafe for combiners to arbitrarily cho= ose a value? We're worried that the "pick one of non-deterministic signatures" is a special case and that most fields don't have this property: * conflicts in UTXOs, sighash type, redeem/witness scripts, derivation paths, are at best a recoverable error, usually an unrecoverable error, at worst malicious activity. * conflict in finalized scripts, in case more than one valid finalization exists, might indicate that the Finalizers picked different ND signatures, or it might indicate two possible interpretations of the transaction (see next point). Picking arbitrarily in the latter case would be an error. * even for partial signatures: if two Signers with the same public key use different sighash types, the Combiner shouldn't pick the winning one arbitrarily. It seems generally safer to default to rejecting conflicts, and explicitly allowing the Combiner to process them intelligently if it understands the relevant fields. On 4.7.2018 21:09, Pieter Wuille wrote: > combined again may fail. So I think we should see it the other way: we > choose the keys in such a way that picking arbitrarily is safe. If > there really is a future extension for which it would not be the case > that picking arbitrarily is acceptable, more data can be moved to the > keys, and leave the actual resolution strategy to the Finalizer. I like this explanation and I think that if nothing else, this should be spelled out explicitly in the spec. But I don't think it answers the above points very well. > An alternative would be to have a fixed resolution strategy (for > example, when combining multiple PSBTs, pick the value from the first > one that has a particular key set), but I don't think this adds very > much - if picking the first is fine, picking a arbitrary one should be > fine too. Agreed. >> * Signing records with unknown keys. >> There's been some talk about this at start, but there should be a clea= r >> strategy for Signers when unknown fields are encountered. We intend to= >> implement the rule: "will not sign an input with any unknown fields >> present". >> Maybe it is worth codifying this behavior in the standard, or maybe >> there should be a way to mark a field as "optional" so that strict >> Signers know they can _safely_ ignore the unknown field. >=20 > Can you envision a situation in which this is needed? In every > scenario I can come up with, the worst that can happen is that the > resulting signature is just invalid. (...) > I believe that what you're trying to accomplish is preventing signing > something you don't understand, but that's an independent issue. We're actually trying to prevent signing something we don't _intend_. I agree with your response, and I also think that in technical sense, the worst that can happen is an invalid signature. Our concern is twofold= : 1. the produced signature is most likely valid, _for a different transaction_ than the Creator intended. It is a transaction that the Signer must have authorized, so we could argue that they would not mind if that unintended transaction was published. Nevertheless, this opens an attack surface. 2. defence in depth: the "worst that can happen" assumption is only valid if the rest of the protocol does things right. At an intersection lies an example: say there's a fork that changes format of inputs in the network serialized tx, in a way that happens to be invisible to PSBT (because scripts must be set to empty). To differentiate, we add a "Fork ID", but old Signers will still produce signatures valid on the original chain - and, importantly, this will be invisible to users. This is of course contrived and several mistakes would have to happen at the same time, but that's what defence in depth is for. > Here is (perhaps far fetched) example of why it may not be desirable > to reject unknown fields when signing. Imagine an extension is defined This is definitely worth taking into consideration. But I'd argue that some way of signalling "optionalness" is a better match here. Alternately, a pre-processor with the appropriate knowledge can strip the new fields for a legacy Signer - that's what I expect to happen in practice. > I would not be opposed to having fields with an explicit flag bit that > says "Don't sign if you don't understand this", but I expect that that > can also be left for future extensions. It seems safer to consider this flag be on by default, and leave it to a future extension to allow non-mandatory fields. The worst case here is that legacy Signers can't natively process new PSBTs (solvable by a preprocessor) - as opposed to legacy Signers signing unintended values. regards m. --hGfaFY68jyO83HMk0dpT1P6Dg827fE0oW-- --MsZs8g17MnNnhNbzR0cOTbY5gupnIvtkj Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJbPgZiAAoJEMZ/sQbk7Rce/YMP/3Tr1RzWrADUxAiN+v6mhI7N K05OMQt19BYLZX+AHkNzJ4J9g7IUtSdZtzd7ujHa1XwP2K9vTipU5EZf1zfTu5UT qPuLoSv3gXUhUdkZjE/SXOuKqEpARw33cG46GIR9O222HcFgCrosT0WHvRQflpEE SPo7DbVo5cGrV1jZCphjJKbLCKf7y4SPWl1kNSn0B/m6GbGN+wJiBL1KgJJe8hdl i22UzLW8PfYDRskfSXvLrfmGyFLRgjLgazlSu42aMdI9v61U9t0VjFGMyXHMBaEk NmqdhfAmUTZbU3QFpajSVSwceL3fmFoRNVPyL/3Da//7vHzGjjOcm7HO4VjznWWU N1hpL6pqGK8NWa7K3kI3m5yu/yaUiNX4WpxtVBETi4eZwT7H7DB4hNW2/ihUxxvo MiZ1YP9k2gp3HXdLSn6yPOuwNoszVX3aaZw1dYf8QU2f73tyADA/zGJYiNyNJ+Ii YXB+/fyRML4dITNzqgxcO8FcjaP0j/njljx/wez958mKehZieuzKq/4kx/T6o4uB 7m0f9UOxJYwZgRJtYldtkRCCw9ykpKW8tYeyGYQgIUjXTHrrgXFES7OgUFgZTmqQ ZFV0mCf3A3klbZ4nOgJd/05PaoBwDzJmIz27VTaZwHHiuoGuxMWlYOFm79YaAgQQ gk8gaAkVGy8yInqZ6v9W =froO -----END PGP SIGNATURE----- --MsZs8g17MnNnhNbzR0cOTbY5gupnIvtkj--