📅 Original date posted:2018-07-04
📝 Original message:Hi,
On July 4, 2018 6:19 AM, matejcik <jan.matejek at satoshilabs.com> wrote:
>
>
> hello,
>
> we still have some concerns about the BIP as currently proposed - not
>
> about the format or data contents, but more about strictness and
>
> security properties. I have raised some in the previous e-mails, but
>
> they might have been lost in the overall talk about format.
>
> - Choosing from duplicate keys when combining.
>
> We believe that "choose whichever value it wishes" is not a good
>
> resolution strategy. We propose to either change this to "in case of
>
> conflicts, software MUST reject the conflicting PSBTs", or explain in
>
> more detail why picking at random is a safe choice.
You cannot simply reject PSBTs for having conflicting values for the same key. Especially
for the Partial Signatures, you can have two signatures for the same pubkey that are both
completely valid. This situation could happen, for example, if a signer that does not use deterministic
k values can sign multiple inputs but one input is missing a UTXO so it doesn't sign it. So it receives
one PSBT and signs the first input but not the second. It receives a PSBT for the same transaction
which has the second input's UTXO but does not have its signatures for the first input. The signer
would sign both inputs. When the two PSBTs are combined (suppose the first PSBT has other
signatures too), you will have two keys that have different values. The different values are both
valid signatures, just with different k values since they were randomly generated instead of
deterministically. If we fail to merge these, then you could potentially have a situation where
nothing can be done with the PSBTs now, or now everyone has to resign and in some specific
order to avoid the conflict. That complicates things and is much more annoying to deal with.
So a simple solution is to allow the combiner to choose any value it wants as it is likely that
both values are valid.
Allowing combiners to choose any value also allows for intelligent combiners to choose the
correct values in the case of conflicts. A smart combiner could, when combining redeem scripts
and witness scripts, check that the redeem scripts and witness scripts match the hash provided
in the UTXO (or in the redeem script) and choose the correct redeem script and witness script
accordingly if there were, for some reason, a conflict there.
Can you explain why it would be unsafe for combiners to arbitrarily choose a value?
>
> - Signing records with unknown keys.
>
> There's been some talk about this at start, but there should be a clear
>
> strategy for Signers when unknown fields are encountered. We intend to
>
> implement the rule: "will not sign an input with any unknown fields
>
> present".
>
> Maybe it is worth codifying this behavior in the standard, or maybe
>
> there should be a way to mark a field as "optional" so that strict
>
> Signers know they can safely ignore the unknown field.
I think that requiring there to be no unknowns is a safe change.
>
> And two minor points:
>
> - Fields with empty keys.
>
> This might be inferred from the definition, but is probably worth
>
> spelling out explicitly: If a field definition states that the key data
>
> is empty, an implementation MUST enforce this and reject PSBTs that
>
> contain non-empty data.
>
> We suggest adding something to the effect of:
>
> "If a key or value data in a field doesn't match the specified format,
>
> the PSBT is invalid. In particular, if key data is specified as "none"
>
> but the key contains data beyond the type specifier, implementation MUST
>
> reject the PSBT."
>
> (not sure about the languge, this should of course allow processing
>
> unknown fields)
Agreed.
>
> - "Combiner can detect inconsistencies"
>
> Added in response to this comment [1], the current wording looks like
>
> it's describing what the Combiner is capable of, as opposed to
>
> prescribing what the combiner is allowed to do.
>
> We suggest changing to something like:
>
> "For every field type that the Combiner understands, it MAY also refuse
>
> to combine PSBTs that have inconsistencies in that field, or cause a
>
> conflict when combined."
Agreed.
Andrew
Achow101 [ARCHIVE] /
npub1wh…d26cj
2023-06-07 18:13:31
in reply to nevent1q…pzl5
Author Public Key
npub1wh7lmdsh2r0ygnp39pk7k5a7mll5x5w44pwn6ekvdvmwjhazr5rqxd26cjPublished at
2023-06-07 18:13:31Event JSON
{
"id": "d6d309f5df8a4a2492ca7de80a216e33d65a35098574ea31a2314e7d1f74cf3c",
"pubkey": "75fdfdb61750de444c31286deb53bedfff4351d5a85d3d66cc6b36e95fa21d06",
"created_at": 1686161611,
"kind": 1,
"tags": [
[
"e",
"e2ef528e27bce6531c71dea82703598c39f44511fcf22e62030c4e0f0e2b3e97",
"",
"root"
],
[
"e",
"f152934dde2e8a7dab6cb8940cd0abcfef116b2943a85ed91b4ca5e3e00a868d",
"",
"reply"
],
[
"p",
"3a1f55a6a0e37109f7404e07ba52112f4c689363e4c7aa20d99d4785ede262ab"
]
],
"content": "📅 Original date posted:2018-07-04\n📝 Original message:Hi,\n\n\nOn July 4, 2018 6:19 AM, matejcik \u003cjan.matejek at satoshilabs.com\u003e wrote:\n\n\u003e \n\u003e \n\u003e hello,\n\u003e \n\u003e we still have some concerns about the BIP as currently proposed - not\n\u003e \n\u003e about the format or data contents, but more about strictness and\n\u003e \n\u003e security properties. I have raised some in the previous e-mails, but\n\u003e \n\u003e they might have been lost in the overall talk about format.\n\u003e \n\u003e - Choosing from duplicate keys when combining.\n\u003e \n\u003e We believe that \"choose whichever value it wishes\" is not a good\n\u003e \n\u003e resolution strategy. We propose to either change this to \"in case of\n\u003e \n\u003e conflicts, software MUST reject the conflicting PSBTs\", or explain in\n\u003e \n\u003e more detail why picking at random is a safe choice.\n\nYou cannot simply reject PSBTs for having conflicting values for the same key. Especially\nfor the Partial Signatures, you can have two signatures for the same pubkey that are both\ncompletely valid. This situation could happen, for example, if a signer that does not use deterministic\nk values can sign multiple inputs but one input is missing a UTXO so it doesn't sign it. So it receives\n one PSBT and signs the first input but not the second. It receives a PSBT for the same transaction\nwhich has the second input's UTXO but does not have its signatures for the first input. The signer\nwould sign both inputs. When the two PSBTs are combined (suppose the first PSBT has other \nsignatures too), you will have two keys that have different values. The different values are both\nvalid signatures, just with different k values since they were randomly generated instead of\ndeterministically. If we fail to merge these, then you could potentially have a situation where\nnothing can be done with the PSBTs now, or now everyone has to resign and in some specific\norder to avoid the conflict. That complicates things and is much more annoying to deal with.\nSo a simple solution is to allow the combiner to choose any value it wants as it is likely that\nboth values are valid.\n\nAllowing combiners to choose any value also allows for intelligent combiners to choose the\ncorrect values in the case of conflicts. A smart combiner could, when combining redeem scripts\nand witness scripts, check that the redeem scripts and witness scripts match the hash provided\nin the UTXO (or in the redeem script) and choose the correct redeem script and witness script\naccordingly if there were, for some reason, a conflict there.\n\nCan you explain why it would be unsafe for combiners to arbitrarily choose a value?\n\n\u003e \n\u003e - Signing records with unknown keys.\n\u003e \n\u003e There's been some talk about this at start, but there should be a clear\n\u003e \n\u003e strategy for Signers when unknown fields are encountered. We intend to\n\u003e \n\u003e implement the rule: \"will not sign an input with any unknown fields\n\u003e \n\u003e present\".\n\u003e \n\u003e Maybe it is worth codifying this behavior in the standard, or maybe\n\u003e \n\u003e there should be a way to mark a field as \"optional\" so that strict\n\u003e \n\u003e Signers know they can safely ignore the unknown field.\n\nI think that requiring there to be no unknowns is a safe change.\n\n\u003e \n\u003e And two minor points:\n\u003e \n\u003e - Fields with empty keys.\n\u003e \n\u003e This might be inferred from the definition, but is probably worth\n\u003e \n\u003e spelling out explicitly: If a field definition states that the key data\n\u003e \n\u003e is empty, an implementation MUST enforce this and reject PSBTs that\n\u003e \n\u003e contain non-empty data.\n\u003e \n\u003e We suggest adding something to the effect of:\n\u003e \n\u003e \"If a key or value data in a field doesn't match the specified format,\n\u003e \n\u003e the PSBT is invalid. In particular, if key data is specified as \"none\"\n\u003e \n\u003e but the key contains data beyond the type specifier, implementation MUST\n\u003e \n\u003e reject the PSBT.\"\n\u003e \n\u003e (not sure about the languge, this should of course allow processing\n\u003e \n\u003e unknown fields)\n\nAgreed.\n\n\u003e \n\u003e - \"Combiner can detect inconsistencies\"\n\u003e \n\u003e Added in response to this comment [1], the current wording looks like\n\u003e \n\u003e it's describing what the Combiner is capable of, as opposed to\n\u003e \n\u003e prescribing what the combiner is allowed to do.\n\u003e \n\u003e We suggest changing to something like:\n\u003e \n\u003e \"For every field type that the Combiner understands, it MAY also refuse\n\u003e \n\u003e to combine PSBTs that have inconsistencies in that field, or cause a\n\u003e \n\u003e conflict when combined.\"\n\nAgreed.\n\n\nAndrew",
"sig": "314bed1520d4a14aa5e09830ba0cd11a4920c05f661e937fd260ab4ee63a3ba5165982222e6b7aedd99c4e8fa24bb1e59b1066502e83bf38a9e00bac142fd105"
}