[Bitcoin-ml] Flexible Transactions are canonical

Tom Zander tomz at freedommail.ch
Wed Sep 6 18:22:37 UTC 2017

As some people seems to be spreading misunderstanings about Flexible 
Transactions not being canonical, I thought I’d clear that up as soon as I 

The accusation goes that since Flexible Transactions is very flexible about 
the ordering of tags, this becomes an issue as software could then re-encode 
the transaction which breaks the transaction-id.

This accusation shows a misunderstanding of what the malleability attack is.
The malleability attack is to change the transaction ID, *without breaking 
the signatures*.

Flexible transactions are canonical. There is no doubt about that. There is 
no way to change the transaction without breaking the signatures.

The normal flow of transaction creation is that a user creates a transaction, 
then signs it. What is important to realize that in cryptographic signing 
you sign a byte-array of data. Any byte is changed, reordered etc, and the 
signature will fail. As such, as in all crypto, the canonical format of a 
transaction is the list of bytes that we include in a block. When you 
realize this basic fact you see that deadalnix's idea makes no sense.

Let me explain using less technical jargon;

Imagine you sign an email. What deadalnix says is that you can't read it 
into MSWord and then write it out again because Word may change some details 
in the roundtrip. And thus that signed email would no longer validate. This 
is naturally true.
But the action of signing the email has as its sole purpose to make it 
provably read-only. Anyone edits it, and the world will know. So like Word 
refuses to write out a document that is marked read-only, any good bitcoin 
software will not try to overwrite an already signed transaction.

So what any software would do is check the signature and then after they 
realize the transaction is "Okay". Then you may read it in Word in read-only 
mode. But they would never ever write it out again. Its signed, you can't 
change it anyway.

Tl;dr. A (partially) signed transaction is like a read-only document. You 
should treat it like such and if software tries to re-encode it, we have to 
conclude that you are doing it wrong.

Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel

More information about the bitcoin-ml mailing list