[Bitcoin-ml] Flexible Transactions are canonical

Tomas tomas at bitcrust.org
Fri Sep 8 09:30:24 UTC 2017

On Fri, Sep 8, 2017, at 10:25, Tom Zander via bitcoin-ml wrote:
> As such the action of signing a transaction turns it into a canonical
> shape.
> And that means that for signed transactions non-canonical does indeed
> mean malleable.

I am sorry, but that is not what canonical means. A format has a
canonical form if there is only one way to represent the same logical
information. It doesn't become a canonical form just by calling the byte
sequence "canonical". (In that case *every* format would have a
canonical form!)

In FlexTrans, I can construct a transaction
[inputs] [outputs] 
[outputs] [inputs]

which are logically the same.

Hence we say, there is no canonical form. This has absolutely nothing to
do with either malleability or signing the transaction. There isn't
suddenly a canonical form when you sign it; there are still multiple
ways to construct the same logical transaction, each of which would
yield a different byte sequence, different signature and different id.

It can be argued that it is not an issue (in the current format outputs
can also be reordered), but it can also be argued this is a weakness as we
are encoding meaningless information.

Consider for instance tooling that uses a SQL backend to store its
information (like http://blockchainsql.io/). Currently they can
reconstruct every transaction's byte sequence from the data. With
FlexTrans they would have to add some "tag order" in order to do so even
though this has no meaning.

Tomas van der Wansem
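
The point made in the message above, as an added example that is not part of the original post: two serializations of the same logical transaction hash to different ids, and a store that keeps only the logical fields cannot rebuild the original bytes unless it also records the tag order. The tag/length encoding, the tag values, the payloads and the double SHA-256 id are assumptions for illustration, not the FlexTrans wire format.

```python
import hashlib
import struct

# Toy tagged encoding (an assumption for illustration, NOT the FlexTrans wire
# format): each section is  tag(1 byte) | length(2 bytes, big-endian) | payload.
TAG_INPUTS, TAG_OUTPUTS = 0x01, 0x02

def encode(sections):
    """Serialize (tag, payload) pairs in exactly the order given."""
    return b"".join(struct.pack(">BH", tag, len(p)) + p for tag, p in sections)

def decode(raw):
    """Return (logical transaction, tag order seen on the wire)."""
    logical, order, pos = {}, [], 0
    while pos < len(raw):
        tag, length = struct.unpack_from(">BH", raw, pos)
        pos += 3
        if tag in logical or pos + length > len(raw):
            raise ValueError("duplicate tag or truncated section")
        logical[tag] = raw[pos:pos + length]
        order.append(tag)
        pos += length
    return logical, order

def txid(raw):
    """Id modeled as double SHA-256 over the serialized bytes (assumption)."""
    return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()

def rebuild(logical, order=None):
    """Re-serialize from stored fields; without a stored order, sort by tag."""
    order = sorted(logical) if order is None else order
    return encode([(tag, logical[tag]) for tag in order])

def demo():
    ins, outs = b"constructed-inputs", b"constructed-outputs"  # sample payloads
    tx_a = encode([(TAG_INPUTS, ins), (TAG_OUTPUTS, outs)])
    tx_b = encode([(TAG_OUTPUTS, outs), (TAG_INPUTS, ins)])
    (log_a, _), (log_b, order_b) = decode(tx_a), decode(tx_b)
    return {
        "same_logical": log_a == log_b,
        "same_txid": txid(tx_a) == txid(tx_b),
        "rebuilt_b_without_order": rebuild(log_b) == tx_b,
        "rebuilt_b_with_order": rebuild(log_b, order_b) == tx_b,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Sorting by tag in `rebuild` is what a canonical-form rule would amount to in this toy format: if only that order were valid, the stored fields alone would determine the bytes.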
