📅 Original date posted:2015-11-03
📝 Original message:On Tuesday, November 03, 2015 9:44:02 PM Christian Decker wrote:
> Ok, so assuming we can get a connected component of upgraded nodes that
> relay both the transaction and the associated external scripts then we
> could just piggyback the external scripts on top of the normal messages.
> Non-upgraded nodes will read the entire two-part message but only parse the
> classical transaction, dropping the external script. Validation rules for
> upgraded nodes are the same as before: if the attached signatures are
> invalid the entire TX is dropped. We have to commit to the external scripts
> used during the creation of a block. I think the easiest way to add this
> commitment is the coinbase input I guess, and following the transaction
> list a new list of signature lists is shipped with the rest of the block.
> Non-upgraded will ignore it as before.
I'd throw it in the merged-mining tree; it's not ideal, but it can be swapped
out for something better when it's ready (I'm working on such a BIP -
hopefully it can be before or at the same time as a SW deployment).
> Would that work? It all hinges on having upgraded miners in a connected
> component otherwise non-upgraded nodes will drop the external scripts on
> the way (since they parse and then reconstruct the messages along the
> path). But if it works this could be a much nicer solution.
It's actually better than that. If miners don't get the SW transactions, then
they just won't mine them, and the wallets will continue to rebroadcast until
they do. But realistically, the entire network will likely be running SW-
capable nodes long before any wallets have deployed SW transactions.
> > > As for open venues for malleability, I'm not sure we can fix them at
> > > all, after all the ability of a single signer to doublespend by
> > > appending/replacing inputs/outputs in an arbitrary fashion is not
> > > fixable IMHO and will cause any future transaction building on its
> > > outputs to be orphaned. What would the perfect properties for such a
> > > fix be?
> >
> > The problem isn't changing inputs/outputs, but that such changes
> > invalidate later spends. In particular, note that wallets *should
> > ideally* be actively trying to make transfers using multiple malleated
> > versions of the same payment.
>
> So this is indeed a form of desired malleability we will likely not be able
> to fix. I'd argue that this goes more into the direction of double-spending
> than a form of malleability, and is mostly out of scope for this BIP. As
> the abstract mentions this BIP attempts to eliminate damage incurred by
> malleability in the third party modification scenario and in the multisig
> scenario, with the added benefit of enabling transaction templating. If we
> can get the segregated witnesses approach working all the better, we don't
> even have the penalty of increased UTXO size. The problem of singlesig
> users doublespending their outputs to update transactions remains a problem
> even then.
I don't know what you're trying to say here. Double spending to the same
destination(s) and malleability are literally the same thing. Things affected
by malleability are still just as broken even with this BIP - whether it is
triggered by a third-party or not is not very relevant.
> > So the way to make an anti-malleable wallet, would be to strictly enforce
> > the
> > no-address-reuse rule on payments received (note this has no effect on
> > other/current wallets) and rely only on the hash of that
> > scriptPubKey+value for the input in subsequent transactions. This way,
> > no matter what inputs or
> > other outputs the transaction paying the address/invoice uses, the
> > subsequent
> > transaction ignores them and remains valid. (I am not suggesting this as
> > a mandatory change that all wallets must adopt to receive the current
> > semi- malleability protection you propose - only that it be *possible*
> > for wallets
> > to upgrade to or offer in the future.)
>
> Sounds very interesting. That would then be a new signature checking opcode
> I guess that would allow the transaction hash in the input be replaced by
> the hash of the serialized output it is spending? That way the transaction
> would not be detached from the coins unless the amount or the scriptpubkey
> (containing the address) is modified. So a user may add new outputs and
> inputs to an existing transaction like you mentioned.
Correct...
> This does not help someone receiving funds from a sender to build new
> transactions on top since the sender may simply doublespend its output
> before it is confirmed. I think this is probably best addressed in a
> separate proposal.
Huh??
Luke
Luke Dashjr [ARCHIVE] /
npub1tf…rfq0n
2023-06-07 17:44:06
in reply to nevent1q…j77m
Author Public Key
npub1tfk373zg9dnmtvxnpnq7s2dkdgj37rwfj3yrwld7830qltmv8qps8rfq0nPublished at
2023-06-07 17:44:06Event JSON
{
"id": "2f95e337f6efab0bb29feb62630948f46b139ebd6ef5d99322fe6b49617f671c",
"pubkey": "5a6d1f44482b67b5b0d30cc1e829b66a251f0dc99448377dbe3c5e0faf6c3803",
"created_at": 1686159846,
"kind": 1,
"tags": [
[
"e",
"59e25977e31b6de547dc99825f6bc9fc8d0d57f8dc5978611471ad70444e93b2",
"",
"root"
],
[
"e",
"f3c44a5c4e8fb97d57c2a2e7264e8333b7c6c0b468b3ca4fd3b569ea4d583535",
"",
"reply"
],
[
"p",
"72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057"
]
],
"content": "📅 Original date posted:2015-11-03\n📝 Original message:On Tuesday, November 03, 2015 9:44:02 PM Christian Decker wrote:\n\u003e Ok, so assuming we can get a connected component of upgraded nodes that\n\u003e relay both the transaction and the associated external scripts then we\n\u003e could just piggyback the external scripts on top of the normal messages.\n\u003e Non-upgraded nodes will read the entire two-part message but only parse the\n\u003e classical transaction, dropping the external script. Validation rules for\n\u003e upgraded nodes are the same as before: if the attached signatures are\n\u003e invalid the entire TX is dropped. We have to commit to the external scripts\n\u003e used during the creation of a block. I think the easiest way to add this\n\u003e commitment is the coinbase input I guess, and following the transaction\n\u003e list a new list of signature lists is shipped with the rest of the block.\n\u003e Non-upgraded will ignore it as before.\n\nI'd throw it in the merged-mining tree; it's not ideal, but it can be swapped \nout for something better when it's ready (I'm working on such a BIP - \nhopefully it can be before or at the same time as a SW deployment).\n\n\u003e Would that work? It all hinges on having upgraded miners in a connected\n\u003e component otherwise non-upgraded nodes will drop the external scripts on\n\u003e the way (since they parse and then reconstruct the messages along the\n\u003e path). But if it works this could be a much nicer solution.\n\nIt's actually better than that. If miners don't get the SW transactions, then \nthey just won't mine them, and the wallets will continue to rebroadcast until \nthey do. But realistically, the entire network will likely be running SW-\ncapable nodes long before any wallets have deployed SW transactions.\n\n\u003e \u003e \u003e As for open venues for malleability, I'm not sure we can fix them at\n\u003e \u003e \u003e all, after all the ability of a single signer to doublespend by\n\u003e \u003e \u003e appending/replacing inputs/outputs in an arbitrary fashion is not\n\u003e \u003e \u003e fixable IMHO and will cause any future transaction building on its\n\u003e \u003e \u003e outputs to be orphaned. What would the perfect properties for such a\n\u003e \u003e \u003e fix be?\n\u003e \u003e \n\u003e \u003e The problem isn't changing inputs/outputs, but that such changes\n\u003e \u003e invalidate later spends. In particular, note that wallets *should\n\u003e \u003e ideally* be actively trying to make transfers using multiple malleated\n\u003e \u003e versions of the same payment.\n\u003e \n\u003e So this is indeed a form of desired malleability we will likely not be able\n\u003e to fix. I'd argue that this goes more into the direction of double-spending\n\u003e than a form of malleability, and is mostly out of scope for this BIP. As\n\u003e the abstract mentions this BIP attempts to eliminate damage incurred by\n\u003e malleability in the third party modification scenario and in the multisig\n\u003e scenario, with the added benefit of enabling transaction templating. If we\n\u003e can get the segregated witnesses approach working all the better, we don't\n\u003e even have the penalty of increased UTXO size. The problem of singlesig\n\u003e users doublespending their outputs to update transactions remains a problem\n\u003e even then.\n\nI don't know what you're trying to say here. Double spending to the same \ndestination(s) and malleability are literally the same thing. Things affected \nby malleability are still just as broken even with this BIP - whether it is \ntriggered by a third-party or not is not very relevant.\n\n\u003e \u003e So the way to make an anti-malleable wallet, would be to strictly enforce\n\u003e \u003e the\n\u003e \u003e no-address-reuse rule on payments received (note this has no effect on\n\u003e \u003e other/current wallets) and rely only on the hash of that\n\u003e \u003e scriptPubKey+value for the input in subsequent transactions. This way,\n\u003e \u003e no matter what inputs or\n\u003e \u003e other outputs the transaction paying the address/invoice uses, the\n\u003e \u003e subsequent\n\u003e \u003e transaction ignores them and remains valid. (I am not suggesting this as\n\u003e \u003e a mandatory change that all wallets must adopt to receive the current\n\u003e \u003e semi- malleability protection you propose - only that it be *possible*\n\u003e \u003e for wallets\n\u003e \u003e to upgrade to or offer in the future.)\n\u003e \n\u003e Sounds very interesting. That would then be a new signature checking opcode\n\u003e I guess that would allow the transaction hash in the input be replaced by\n\u003e the hash of the serialized output it is spending? That way the transaction\n\u003e would not be detached from the coins unless the amount or the scriptpubkey\n\u003e (containing the address) is modified. So a user may add new outputs and\n\u003e inputs to an existing transaction like you mentioned. \n\nCorrect...\n\n\u003e This does not help someone receiving funds from a sender to build new\n\u003e transactions on top since the sender may simply doublespend its output\n\u003e before it is confirmed. I think this is probably best addressed in a\n\u003e separate proposal.\n\nHuh??\n\nLuke",
"sig": "0549a73cd02963632abd49de0cbc9eb39fde9f5c774ebba654dbe39eba737f250859b953dafc90bf862a6691acf10bf536b60a41e6ec5a658a998888201981f7"
}