Title: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: Nicolas Dorier on October 10, 2015, 09:32:40 AM I think that modifying any incoming transaction with Bitcoin core to enforce LowS would be better than just blocking HighS.
I am even tempted to code a fake node who does exactly that. Do you think it would help ? Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: achow101 on October 10, 2015, 03:48:53 PM I don't know if it would help, but someone already created a version of bitcoin core which malleates high s to low s.
convo in irc: http://bitcoinstats.com/irc/bitcoin-dev/logs/2015/10/08#l1444332212.0 github repo https://github.com/TheBlueMatt/bitcoin/tree/seed Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: dexX7 on October 11, 2015, 02:23:35 PM I had the idea in the New transaction malleability attack wave? Another stresstest? (https://bitcointalk.org/index.php?topic=1198032.msg12611204#msg12611204) thread, and gmaxwell mentioned something similar in Bitcoin Core pull request #6769 (https://github.com/bitcoin/bitcoin/pull/6769) (not sure, if related). TheBlueMatt then created the patch (https://github.com/bitcoin/bitcoin/compare/master...TheBlueMatt:seed), so this is definitely already ongoing. :)
Mutating high S to low S and rejecting high S is complementary, and the active mutation serves two goals: - reducing the rate of actually rejected transactions (once the updated policy is deployed widely) - potentially flushing out implementations, which create non-canonical signatures (by checking, which users complain about mutations etc.) Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: Nicolas Dorier on October 14, 2015, 05:16:15 PM For information I am running this program on my node :
Code: using NBitcoin; Let me know if anyone think it is better I stop it. Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: mezzomix on October 15, 2015, 07:18:46 AM It's good enough if one node is modifying high S transactions to low S. There is no need to change the implementation for everyone.
Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: BitcoinNewsMagazine on October 15, 2015, 10:55:37 AM New Bitcoin Core release 0.11.1 (https://bitcoin.org/en/release/v0.11.1) obviates the problem by mandating LowS.
Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: Nicolas Dorier on October 15, 2015, 12:40:16 PM I'll keep my program running 1 or 2 weeks the time of miners to update. I'm not alone to do it, but it does not hurt.
Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: Nicolas Dorier on October 15, 2015, 12:59:45 PM I am kind of surprised, very few transactions are LowS malleated. Nodes to which I connect always ask me to send the payload...
I thought I was not alone oO Or maybe the HighS already reached all the other node so the LowS version is always ignored... Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: dexX7 on October 15, 2015, 01:51:14 PM New Bitcoin Core release 0.11.1 (https://bitcoin.org/en/release/v0.11.1) obviates the problem by mandating LowS. This is a very good thing, nevertheless, I'd consider high S -> low S mutation as complementary measure, because a) there are nodes out there, which don't use the new policy, b) and miners, and c) wallet implementations. Note that the policy rejects high S, which may result in legit transactions getting dropped, which is probably not a favorable outcome. I am kind of surprised, very few transactions are LowS malleated. Nodes to which I connect always ask me to send the payload... I thought I was not alone oO Or maybe the HighS already reached all the other node so the LowS version is always ignored... I'm running the "seed" branch, and I see many log entries indicating high S -> low S mutations from my node. Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: Nicolas Dorier on October 15, 2015, 02:10:23 PM Quote I'm running the "seed" branch, and I see many log entries indicating high S -> low S mutations from my node. I was kind of surprised, because everytimes I send "inv" a transaction, no node seems to know it and all ask the payload. By the way, I can craft a special scriptPubKey to make mutator banned from network and get IP of people who mutate transactions to HighS, would it be useful ? does the malleability attack on right now ? Craft a redeem script "<DerHighS> OP_EQUALVERIFY", spend it. The mutator will create an invalid transaction which will ban him from the network. Now, you look in your banlist and collect the IP. Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: amaclin on October 15, 2015, 04:07:10 PM I was kind of surprised, because everytimes I send "inv" a transaction, no node seems to know it and all ask the payload. You are the only person who modify transactions today. My bot is paused for a long time.Craft a redeem script "<DerHighS> OP_EQUALVERIFY", spend it. This is non-standard script. Your peers will ignore this tx. Miners should ignore it also even get this tx.Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: Nicolas Dorier on October 15, 2015, 04:10:50 PM Craft a redeem script "<DerHighS> OP_EQUALVERIFY", spend it. This is non-standard script. Your peers will ignore it. Miners should ignore it also even get this tx.No, arbitrary redeem script are standard since 0.10. Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: amaclin on October 15, 2015, 04:27:53 PM No, arbitrary redeem script are standard since 0.10. This is not true.Look to this transaction: https://blockchain.info/tx/6f1da8a16b067110be35690ca31dc6e483dcf908e83acfa44308bb03c70e3567 It has "arbitrary redeem script" (note: bc.i parses it incorrect) But it is non-standard and there is no miner today who can confirm it. Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: Nicolas Dorier on October 15, 2015, 05:24:48 PM Quote (note: bc.i parses it incorrect) Yes, bc.i does not accept OP_RETURN either.Quote But it is non-standard and there is no miner today who can confirm it. Nop.Standard script rules relaxed for P2SH addresses (https://github.com/bitcoin/bitcoin/blob/047a89831760ff124740fe9f58411d57ee087078/doc/release-notes.md) Too lazy to find the exact commit though. :p Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: Nicolas Dorier on October 15, 2015, 05:29:41 PM Also, the transaction you show me is not P2SH. The term "redeem script" always implies P2SH.
Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: amaclin on October 15, 2015, 09:27:37 PM Also, the transaction you show me is not P2SH. The term "redeem script" always implies P2SH. Wat?Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: Nicolas Dorier on October 16, 2015, 04:26:47 AM Redeem Script as described here. (https://github.com/bitcoin/bips/blob/master/bip-0016.mediawiki)
Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: Nicolas Dorier on October 17, 2015, 12:28:11 PM For information, my node which is currently malleating HighS to LowS detects around 2 and 4% of HighS signatures.
Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: amaclin on October 18, 2015, 11:08:40 AM Craft a redeem script "<DerHighS> OP_EQUALVERIFY", spend it. The mutator will create an invalid transaction which will ban him from the network. Now, you look in your banlist and collect the IP. For information, my node which is currently malleating HighS to LowS detects around 2 and 4% of HighS signatures. What if the inner p2sh (redeem) script is the OP_2DUP OP_EQUAL OP_IF OP_RETURN OP_ENDIF OP_2 <pubkey> <samepubkey> OP_2 OP_CHECKMULTISIG and the scriptSig is OP_0 <signature> <malledsignature> <redeemScript> Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: dexX7 on October 18, 2015, 04:25:07 PM For information, my node which is currently malleating HighS to LowS detects around 2 and 4% of HighS signatures. I started to track the numbers earlier the day, and I currently see about 3.5 %. It would be interesting to know at which percentage the mutated transactions are mined. Did you gather some stats about this already? Recently, these are the mutations I've seen: http://bitwatch.co/uploads/mutations-2015-10-18.log (not 100 % online) Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: Nicolas Dorier on October 20, 2015, 01:26:40 PM Craft a redeem script "<DerHighS> OP_EQUALVERIFY", spend it. The mutator will create an invalid transaction which will ban him from the network. Now, you look in your banlist and collect the IP. For information, my node which is currently malleating HighS to LowS detects around 2 and 4% of HighS signatures. What if the inner p2sh (redeem) script is the OP_2DUP OP_EQUAL OP_IF OP_RETURN OP_ENDIF OP_2 <pubkey> <samepubkey> OP_2 OP_CHECKMULTISIG and the scriptSig is OP_0 <signature> <malledsignature> <redeemScript> For information, my node which is currently malleating HighS to LowS detects around 2 and 4% of HighS signatures. I started to track the numbers earlier the day, and I currently see about 3.5 %. It would be interesting to know at which percentage the mutated transactions are mined. Did you gather some stats about this already? Recently, these are the mutations I've seen: http://bitwatch.co/uploads/mutations-2015-10-18.log (not 100 % online) I just ran again my mutator, the stat I gather is only the % of mutated and show it every 1000 tx. Boring stuff except when a bot go rampage and mutate 30% of them. Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: amaclin on October 20, 2015, 01:37:22 PM It would kick my bot ! :D I think we have invented new game similar to https://en.wikipedia.org/wiki/Core_War ;DTitle: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: dexX7 on November 11, 2015, 12:10:11 PM Just as quick update, the mutation rate over the last 1373396 transactions (about 8 days) for me was 0.9899 %.
Title: Re: Malleability counter attack : Malleate to LowS instead of dropping HighS Post by: Nicolas Dorier on November 12, 2015, 07:19:42 AM Just as quick update, the mutation rate over the last 1373396 transactions (about 8 days) for me was 0.9899 %. I know that coinprism (Open Asset, colored coin wallet) is using an old version of bitcoinjs which create HighS, but now they fix it on the backend to LowS. I don't think open asset account for a lot, but the malleability attack pushed services to update. |