Test LowS in standardness, removes nuisance malleability vector. #6769

pull gmaxwell wants to merge 1 commits into bitcoin:master from gmaxwell:no_nuisance_malleability changing 1 files +2 −1
  1. gmaxwell commented at 3:52 AM on October 6, 2015: contributor

    This adds SCRIPT_VERIFY_LOW_S to STANDARD_SCRIPT_VERIFY_FLAGS which will make the node require the canonical 'low-s' encoding for ECDSA signatures when relaying or mining.

    Consensus behavior is unchanged.

    The rational is explained in a81cd96805ce6b65cca3a40ebbd3b2eb428abb7b: Absent this kind of test ECDSA is not a strong signature as given a valid signature {r, s} both that value and {r, -s mod n} are valid. These two encodings have different hashes allowing third parties a vector to change users txids. These attacks are avoided by picking a particular form as canonical and rejecting the other form(s); in the of the LOW_S rule, the smaller of the two possible S values is used.

    If widely deployed this change would eliminate the last remaining known vector for nuisance malleability on boring SIGHASH_ALL p2pkh transactions. On the down-side it will block most transactions made by sufficiently out of date software.

    Unlike the other avenues to change txids on boring transactions this one was randomly violated by all deployed bitcoin software prior to its discovery. So, while other malleability vectors where made non-standard as soon as they were discovered, this one has remained permitted. Even BIP62 did not propose applying this rule to old version transactions, but conforming implementations have become much more common since BIP62 was initially written.

    Bitcoin Core has produced compatible signatures since a28fb70e in September 2013, but this didn't make it into a release until 0.9 in March 2014; Bitcoinj has done so for a similar span of time. Bitcoinjs and electrum have been more recently updated.

    This does not replace the need for BIP62 or similar, as miners can still cooperate to break transactions. Nor does it replace the need for wallet software to handle malleability sanely[1]. This only eliminates the cheap and irritating DOS attack.

    [1] On the Malleability of Bitcoin Transactions Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, Łukasz Mazurek http://fc15.ifca.ai/preproceedings/bitcoin/paper_9.pdf

  2. Test LowS in standardness, removes nuisance malleability vector.
    This adds SCRIPT_VERIFY_LOW_S to STANDARD_SCRIPT_VERIFY_FLAGS which
 will make the node require the canonical 'low-s' encoding for
 ECDSA signatures when relaying or mining.

Consensus behavior is unchanged.

The rational is explained in a81cd96805ce6b65cca3a40ebbd3b2eb428abb7b:
 Absent this kind of test ECDSA is not a strong signature as given
 a valid signature {r, s} both that value and {r, -s mod n} are valid.
 These two encodings have different hashes allowing third parties a
 vector to change users txids.  These attacks are avoided by picking
 a particular form as canonical and rejecting the other form(s); in
 the of the LOW_S rule, the smaller of the two possible S values is
 used.

If widely deployed this change would eliminate the last remaining
 known vector for nuisance malleability on boring SIGHASH_ALL
 p2pkh transactions.  On the down-side it will block most
 transactions made by sufficiently out of date software.

Unlike the other avenues to change txids on boring transactions this
 one was randomly violated by all deployed bitcoin software prior to
 its discovery.  So, while other malleability vectors where made
 non-standard as soon as they were discovered, this one has remained
 permitted.  Even BIP62 did not propose applying this rule to
 old version transactions, but conforming implementations have become
 much more common since BIP62 was initially written.

Bitcoin Core has produced compatible signatures since a28fb70e in
 September 2013, but this didn't make it into a release until 0.9
 in March 2014; Bitcoinj has done so for a similar span of time.
 Bitcoinjs and electrum have been more recently updated.

This does not replace the need for BIP62 or similar, as miners can
 still cooperate to break transactions.  Nor does it replace the
 need for wallet software to handle malleability sanely[1]. This
 only eliminates the cheap and irritating DOS attack.

[1] On the Malleability of Bitcoin Transactions
Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, Łukasz Mazurek
http://fc15.ifca.ai/preproceedings/bitcoin/paper_9.pdf
    b196b685c9
  3. gmaxwell added the label TX fees and policy on Oct 6, 2015
  4. gmaxwell commented at 3:54 AM on October 6, 2015: contributor

    For discussion.

    Recent measurements have suggested that somewhere between 85-95% of all transactions are already conforming. I've subsequently gone around and caused several parties (like electrum) to update their behavior.

    This could also be coupled with a change that automatically 'fixes' failing transactions by mutating them instead of causing them to be be rejected completely (I understand code for this already exists, but isn't public)-- a prospect which is much less unappealing now that malleability attacks are already going on. However, if LowS becomes even more widespread quickly this change alone may be enough.

    If anyone wants to do some sleuthing on which software is still producing HighS signatures, here is a list of addresses recently (but before the recent spate of attacks) involved in a HighS signature: https://people.xiph.org/~greg/high-s-reusecnt.log ...

  5. pstratem commented at 4:00 AM on October 6, 2015: contributor

    ACK

  6. TheBlueMatt commented at 5:11 AM on October 6, 2015: member

    I had thought we had switched this on years ago, tbh, and was only corrected a month or so ago. At some point you just have to turn it on given that clients will never otherwise be conformant. Concept ACK.

    On October 5, 2015 9:00:23 PM PDT, Patrick Strateman notifications@github.com wrote:

    ACK

    Reply to this email directly or view it on GitHub: #6769 (comment)

  7. btcdrak commented at 7:06 AM on October 6, 2015: contributor

    ACK

  8. paveljanik commented at 7:07 AM on October 6, 2015: contributor

    ACK

  9. laanwj commented at 7:16 AM on October 6, 2015: member

    utACK

  10. btcdrak commented at 7:17 AM on October 6, 2015: contributor

    should also be backported imo

  11. gmaxwell commented at 7:20 AM on October 6, 2015: contributor

    @btcdrak trivial, of course, though I wonder if we should also backport lowS production to 0.8, I'm kind of disappointed that we didn't previously.

  12. dcousens commented at 7:27 AM on October 6, 2015: contributor

    concept ACK, utACK

    I wonder if we should also backport lowS production to 0.8

    What percentage of nodes are 0.8?

  13. laanwj commented at 7:32 AM on October 6, 2015: member

    Backporting to 0.10/0.11 is trivial as it already has the SCRIPT_VERIFY_LOW_S flag <=0.9, if still relevant, will also need IsLowDERSignature etc.

  14. dexX7 commented at 8:57 AM on October 6, 2015: contributor

    ACK, but should be announced with instructions for non-compliant wallets and users whose transactions may be rejected. (but this doesn't seem strictly related the actual PR)

  15. petertodd commented at 11:37 AM on October 6, 2015: contributor

    utACK

    This could also be coupled with a change that automatically 'fixes' failing transactions by mutating them instead of causing them to be be rejected completely

    As that's non-consensus code, I think I'd be willing to ACK such a change in principle. Though I'd want the code to be fairly self-contained, and of course, configurable via CLI switch.

  16. dcousens commented at 9:01 PM on October 6, 2015: contributor

    This could also be coupled with a change that automatically 'fixes' failing transactions by mutating them instead of causing them to be be rejected completely

    This would also have the behaviour of acting as a nuisance malleability attack on incompatible wallets, but I guess that is better than not being relayed.

  17. NicolasDorier commented at 7:15 AM on October 7, 2015: contributor

    NBitcoin is also producing sigs with LowS, we just updated the STANDARD flags to include LowS for transaction verification.

  18. tulip0 commented at 7:28 AM on October 7, 2015: none

    In an observation bracket between height 376000 and 376500 more than 95% of transactions pass the BIP62 stated low-s requirement. This count only includes transactions where every vin is a standard P2SH scriptPubKey, a type which would be made effectively immutable by this modification.

    early-window

    More recent blocks as of the time of writing are affected heavily by mutated signatures, with very large portions of some blocks (60%) containing transactions that have at least one high-s signature.

    later-window

    Historically we see only a few abnormalities per block, some earlier spikes of unknown origin and more recently most recently due to well publicized mutated signatures .

    historical-defect-rate

    non-canonical-addresses-sorted.txt contains a sample of P2PKH addresses involved in non-mutated transactions where at least one signature violated low-s. This may be useful in identifying services which need to make upgrades to their wallet software in order to produce compliant signatures.

  19. laanwj commented at 8:53 AM on October 7, 2015: member

    ACK, but should be announced with instructions for non-compliant wallets and users whose transactions may be rejected. (but this doesn't seem strictly related the actual PR)

    Should definitely be in the release notes, also for the backport minor releases. But yes no need to have it hold up this PR.

  20. laanwj merged this on Oct 7, 2015
  21. laanwj closed this on Oct 7, 2015
  22. laanwj referenced this in commit 49dd5c629d on Oct 7, 2015
  23. gmaxwell referenced this in commit b1d76af0ea on Oct 7, 2015
  24. gmaxwell referenced this in commit 1cea6b0dee on Oct 7, 2015
  25. gmaxwell referenced this in commit 71cc9d9fe8 on Oct 7, 2015
  26. laanwj commented at 9:33 AM on October 7, 2015: member

    Backported to 0.10 as 1cea6b0dee0b0f10d5f41433e27c70213a4c531f, and to 0.11 as 71cc9d9fe829efd9c9b012c4cd1ece1d988b4869

    Probably we should do a new release on both branches soon.

  27. NicolasDorier commented at 9:34 AM on October 10, 2015: contributor

    Is there any discussion about making Bitcoin Core malleate HighS sigs to LowS instead of just not relaying them ?

  28. btcdrak commented at 9:42 AM on October 10, 2015: contributor

    @NicolasDorier I believe some miners are planning on doing this.

  29. TheBlueMatt commented at 11:58 PM on October 11, 2015: member

    @NicolasDorier There seems to be some agreement that its best to not do that by default, but instead to do that temporarily by having devs and miners run a patch to do that on the network first, then slowly transition to making high-S entirely non-standard over time.

  30. rubensayshi commented at 9:44 AM on October 21, 2015: contributor

    would this ever become part of consensus or is it more likely that we'll move torwards the suggested normalized transaction ID ?

  31. MarcoFalke referenced this in commit 3924b6b8f4 on Mar 26, 2016
  32. reddink referenced this in commit 7417a89fc9 on May 27, 2020
  33. furszy referenced this in commit 0604a98bd0 on Jul 31, 2020
  34. DrahtBot locked this on Sep 8, 2021
Contributors
gmaxwellpstratemTheBlueMattbtcdrakpaveljaniklaanwjdcousensdexX7petertoddNicolasDoriertulip0rubensayshi
Labels
TX fees and policy
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-17 09:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me