[Bitcoin-development] [softfork proposal] Strict DER signatures

Pieter Wuille pieter.wuille at gmail.com
Tue Feb 3 23:38:42 UTC 2015


On Tue, Feb 3, 2015 at 10:15 AM, Pieter Wuille <pieter.wuille at gmail.com> wrote:
>>> The much simpler alternative is just adding this to BIP66's DERSIG
>>> right now, which is a one-line change that's obviously softforking. Is
>>> anyone opposed to doing so at this stage?

I'm retracting this proposed change.

Suhar Daftuas pointed out that there remain edge-cases which are not
covered (a 33-byte R or S whose first byte is not a zero). The intent
here is really making sure that signature validation and parsing can
be entirely separated, and that signature checking itself does not
need a third return value ("invalid encoding", in addition to "valid
signature" and "invalid signature"). If we don't want to make
assumptions about how that implementation works, the only guaranteed
way of doing that is requiring that R and S are in fact within the
range allowed by secp256k1, which would require an integer decoder
inside the signature encoding checker. I consider that to be
unreasonable.

In addition, a much cleaner solution that covers this as well has
already been proposed: only allow 0 (the empty byte vector) as invalid
signature. That would 100% align signature validity with decoding, and
is much simpler to implement.

-- 
Pieter




More information about the bitcoin-dev mailing list