[Bitcoin-ml] Flexible Transactions are canonical
Tom Zander
tomz at freedommail.ch
Wed Sep 6 18:22:37 UTC 2017
As some people seem to be spreading misunderstandings about Flexible
Transactions not being canonical, I thought I'd clear that up as soon as I
can.
The accusation goes that since Flexible Transactions is very flexible about
the ordering of tags, this becomes an issue as software could then re-encode
the transaction, which breaks the transaction ID.
This accusation shows a misunderstanding of what the malleability attack is.
The malleability attack is to change the transaction ID, *without breaking
the signatures*.
Flexible transactions are canonical. There is no doubt about that. There is
no way to change the transaction without breaking the signatures.
The normal flow of transaction creation is that a user creates a transaction,
then signs it. What is important to realize is that in cryptographic signing
you sign a byte array of data. If any byte is changed, reordered, etc., the
signature will fail. As such, as in all crypto, the canonical format of a
transaction is the list of bytes that we include in a block. When you
realize this basic fact you see that deadalnix's idea makes no sense.
Let me explain using less technical jargon:
Imagine you sign an email. What deadalnix says is that you can't read it
into MSWord and then write it out again because Word may change some details
in the roundtrip. And thus that signed email would no longer validate. This
is naturally true.
But the action of signing the email has as its sole purpose to make it
provably read-only. Anyone edits it, and the world will know. So like Word
refuses to write out a document that is marked read-only, any good bitcoin
software will not try to overwrite an already signed transaction.
So what any software would do is check the signature, and then, after it
realizes the transaction is "Okay", it may read it in Word in read-only
mode. But it would never ever write it out again. It's signed; you can't
change it anyway.
Tl;dr. A (partially) signed transaction is like a read-only document. You
should treat it like such and if software tries to re-encode it, we have to
conclude that you are doing it wrong.
--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
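A small runnable model of the argument above, added here as an illustration and not code from the post, from Flexible Transactions or from any Bitcoin implementation. It uses a made-up tag/length/value encoding, a constructed transaction, and an HMAC-SHA256 as a stand-in for the signature (so it runs with the Python standard library alone; a real ECDSA or Schnorr signature has the same property that matters here: any change to the signed bytes breaks verification). It shows three things: re-encoding a signed transaction with the tags in a different order changes the txid but also breaks the signature, so it is merely an invalid transaction; a verifier that ignores trailing bytes in the signature field lets an attacker change the txid without breaking the signature, which is what a malleability attack actually is; and parsing the received bytes and checking them without re-serializing leaves the txid untouched.

```python
"""Constructed model: txid = hash of the wire bytes, signature over those bytes."""
import hashlib
import hmac

# Hypothetical tag numbers for this toy format (not Flexible Transactions' tags).
TAG_INPUT, TAG_OUTPUT, TAG_LOCKTIME, TAG_SIG = 1, 2, 3, 9


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def serialize(fields):
    """Tag/length/value encoding; field order is whatever the caller gives."""
    out = bytearray()
    for tag, value in fields:
        assert 0 <= tag < 256 and len(value) < 256
        out += bytes([tag, len(value)]) + value
    return bytes(out)


def parse(data: bytes):
    """Inverse of serialize(); preserves the field order found on the wire."""
    fields, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated header")
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated field")
        fields.append((tag, value))
        i += 2 + length
    return fields


def txid(data: bytes) -> str:
    """Double SHA-256 of the bytes as received, displayed byte-reversed."""
    return sha256d(data)[::-1].hex()


def sign_tx(key: bytes, unsigned: bytes) -> bytes:
    """Append a signature field that covers every byte of the unsigned tx."""
    mac = hmac.new(key, unsigned, hashlib.sha256).digest()
    return unsigned + serialize([(TAG_SIG, mac)])


def verify_tx(key: bytes, data: bytes, strict: bool = True) -> bool:
    """Verify against the received bytes, never against a re-encoding.

    strict=True requires a canonical 32-byte signature field.  strict=False
    ignores trailing bytes, the kind of leniency a malleability attack uses.
    """
    fields = parse(data)
    if not fields or fields[-1][0] != TAG_SIG:
        return False
    sig = fields[-1][1]
    if strict and len(sig) != 32:
        return False
    covered = data[: len(data) - (2 + len(sig))]  # everything before the sig field
    expected = hmac.new(key, covered, hashlib.sha256).digest()
    return hmac.compare_digest(sig[:32], expected)


# Constructed sample transaction; the key is a demo value, not a real secret.
KEY = b"constructed demo key"
UNSIGNED = serialize([
    (TAG_INPUT, bytes(32) + b"\x00"),            # fake outpoint: txid || index
    (TAG_OUTPUT, b"\x10\x27\x00\x00" + bytes(20)),  # fake amount || pubkey hash
    (TAG_LOCKTIME, b"\x00\x00\x00\x00"),
])
SIGNED = sign_tx(KEY, UNSIGNED)


def reencode_reordered(data: bytes) -> bytes:
    """'Read it into Word and write it out again': same fields, body reversed."""
    fields = parse(data)
    body, sig = fields[:-1], fields[-1]
    return serialize(list(reversed(body)) + [sig])


def padded_signature(data: bytes) -> bytes:
    """Malleation attempt: grow the signature field without touching signed bytes."""
    fields = parse(data)
    body, (tag, sig) = fields[:-1], fields[-1]
    return serialize(body + [(tag, sig + b"\x00")])


def demo() -> dict:
    reordered = reencode_reordered(SIGNED)
    malleated = padded_signature(SIGNED)
    return {
        "original_valid": verify_tx(KEY, SIGNED),
        # Re-encoding changes the txid AND breaks the signature: an invalid tx,
        # not a malleability attack.
        "reordered_valid": verify_tx(KEY, reordered),
        "reordered_same_txid": txid(reordered) == txid(SIGNED),
        # Lenient verifier accepts it while the txid changed: malleability.
        "malleated_valid_lenient": verify_tx(KEY, malleated, strict=False),
        "malleated_valid_strict": verify_tx(KEY, malleated),
        "malleated_same_txid": txid(malleated) == txid(SIGNED),
        # Parse + check, never re-emit: the bytes, and so the txid, are stable.
        "roundtrip_identical": serialize(parse(SIGNED)) == SIGNED,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The strict check in `verify_tx` is the "canonical encoding" rule: once the signature field has exactly one valid encoding and every other byte is under the signature, there is nothing left for a third party to vary, and the txid is pinned by the bytes that were signed.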