[Bitcoin-ml] Flexible Transactions are canonical

Blockfreight™ | Julian Smith julian.smith at blockfreight.com
Wed Sep 6 22:14:08 UTC 2017


Thank you Tom.

Nice explanation.

Julian

On Thu, 7 Sep 2017 at 4:23 am, Tom Zander via bitcoin-ml <
bitcoin-ml at lists.linuxfoundation.org> wrote:

> As some people seems to be spreading misunderstanings about Flexible
> Transactions not being canonical, I thought I’d clear that up as soon as I
> can.
>
> The accusation goes that since Flexible Transactions is very flexible about
> the ordering of tags, this becomes an issue as software could then
> re-encode
> the transaction which breaks the transaction-id.
>
> This accusation shows a misunderstanding of what the malleability attack
> is.
> The malleability attack is to change the transaction ID, *without breaking
> the signatures*.
>
> Flexible transactions are canonical. There is no doubt about that. There is
> no way to change the transaction without breaking the signatures.
>
> The normal flow of transaction creation is that a user creates a
> transaction,
> then signs it. What is important to realize that in cryptographic signing
> you sign a byte-array of data. Any byte is changed, reordered etc, and the
> signature will fail. As such, as in all crypto, the canonical format of a
> transaction is the list of bytes that we include in a block. When you
> realize this basic fact you see that deadalnix's idea makes no sense.
>
> Let me explain using less technical jargon;
>
> Imagine you sign an email. What deadalnix says is that you can't read it
> into MSWord and then write it out again because Word may change some
> details
> in the roundtrip. And thus that signed email would no longer validate. This
> is naturally true.
> But the action of signing the email has as its sole purpose to make it
> provably read-only. Anyone edits it, and the world will know. So like Word
> refuses to write out a document that is marked read-only, any good bitcoin
> software will not try to overwrite an already signed transaction.
>
> So what any software would do is check the signature and then after they
> realize the transaction is "Okay". Then you may read it in Word in
> read-only
> mode. But they would never ever write it out again. Its signed, you can't
> change it anyway.
>
> Tl;dr. A (partially) signed transaction is like a read-only document. You
> should treat it like such and if software tries to re-encode it, we have to
> conclude that you are doing it wrong.
>
> --
> Tom Zander
> Blog: https://zander.github.io
> Vlog: https://vimeo.com/channels/tomscryptochannel
> _______________________________________________
> bitcoin-ml mailing list
> bitcoin-ml at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-ml
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-ml/attachments/20170906/4c968227/attachment.html>


More information about the bitcoin-ml mailing list