Title: What exactly is malleable?
Post by: Amitabh S on February 11, 2014, 04:11:06 PM

Let's say we have inputs A, B and outputs X, Y.

Say we have a tx = (Sign_A((A, B), (X, Y)), Sign_B((A, B), (X, Y)), (A, B), (X, Y)). What exactly is malleable here? Please point me to the thread where this is explained.

Title: Re: What exactly is malleable?
Post by: TierNolan on February 11, 2014, 04:26:03 PM

Quote from: Amitabh S
What exactly is malleable here?

An unsigned transaction has none of the signatures included. The unsigned transaction is hashed, signed and the signatures are added. To check a transaction's signatures, you need to delete them from the transaction and then hash the result. You then check the signatures against that hash.

Since the signatures themselves aren't actually signed, you can change them. One way to do that is to add zeros to the number. A signature of (1234, 5678) could be converted to (01234, 05678). You haven't changed the two values, but you have changed how they are encoded. This gives a different tx-id, but doesn't invalidate the signature. You can also negate one of the values without it having any effect.

Title: Re: What exactly is malleable?
Post by: Amitabh S on February 11, 2014, 04:27:17 PM

Oh, so the signatures themselves are malleable... but that's a feature, not a bug.. ;D
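The two tricks TierNolan describes (re-encoding the same (r, s) with extra leading zero bytes, and negating s) in working code. This is an added example written for this page, not code from the thread or from Bitcoin Core: it carries a minimal pure-Python secp256k1 so it runs offline, the "unsigned transaction" bytes, the private key and the nonce are constructed stand-ins, and `txid()` is a stand-in for Bitcoin's double-SHA256 of the full serialized transaction (which includes the scriptSig, and therefore the signature bytes). `is_strict_der()` is the check a node would apply to reject the padded encoding.

```python
import hashlib

# secp256k1 domain parameters (real constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def point_mul(k, pt):  # double-and-add (toy: not constant time)
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def ecdsa_sign(priv, z, k):
    r = point_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * priv) % N

def ecdsa_verify(pub, z, r, s):
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = point_add(point_mul(z * w % N, G), point_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def der_int(v, pad=0):
    """DER INTEGER; pad>0 prepends redundant zero bytes (the 1234 -> 01234 trick)."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # strict DER: keep the sign bit clear
        body = b"\x00" + body
    body = b"\x00" * pad + body
    return b"\x02" + bytes([len(body)]) + body

def der_encode(r, s, pad=0):
    body = der_int(r, pad) + der_int(s, pad)
    return b"\x30" + bytes([len(body)]) + body

def der_decode_lax(sig):
    """Lenient SEQUENCE{INTEGER, INTEGER} parser: leading zeros are silently absorbed."""
    i, vals = 2, []
    for _ in range(2):
        if sig[i] != 0x02:
            raise ValueError("expected INTEGER")
        ln = sig[i + 1]
        vals.append(int.from_bytes(sig[i + 2:i + 2 + ln], "big"))
        i += 2 + ln
    return vals[0], vals[1]

def is_strict_der(sig):
    """A 0x00 lead byte is allowed only when the next byte's high bit is set."""
    try:
        i = 2
        for _ in range(2):
            ln, body = sig[i + 1], sig[i + 2:i + 2 + sig[i + 1]]
            if sig[i] != 0x02 or ln == 0 or body[0] & 0x80:
                return False
            if ln > 1 and body[0] == 0 and not body[1] & 0x80:
                return False
            i += 2 + ln
        return sig[0] == 0x30 and sig[1] == len(sig) - 2 == i - 2
    except IndexError:
        return False

def txid(unsigned_tx, sig):
    """Stand-in for Bitcoin's txid: double-SHA256 of the tx bytes, signature included."""
    return hashlib.sha256(hashlib.sha256(unsigned_tx + sig).digest()).digest()[::-1].hex()

def malleability_demo():
    priv = int.from_bytes(hashlib.sha256(b"demo key").digest(), "big") % N  # constructed key
    pub = point_mul(priv, G)
    unsigned_tx = b"inputs (A, B) -> outputs (X, Y)"  # constructed stand-in for the unsigned tx
    z = int.from_bytes(hashlib.sha256(unsigned_tx).digest(), "big")  # the hash that gets signed
    k = int.from_bytes(hashlib.sha256(b"demo nonce").digest(), "big") % N  # real code: RFC 6979
    r, s = ecdsa_sign(priv, z, k)
    variants = {"strict": der_encode(r, s),
                "padded": der_encode(r, s, pad=1),  # same (r, s), longer encoding
                "negated": der_encode(r, N - s)}    # s -> -s mod N, still verifies
    out = {}
    for name, sig in variants.items():
        rr, ss = der_decode_lax(sig)
        out[name] = {"rs": (rr, ss), "valid": ecdsa_verify(pub, z, rr, ss),
                     "strict": is_strict_der(sig), "txid": txid(unsigned_tx, sig)}
    return out

if __name__ == "__main__":
    for name, info in malleability_demo().items():
        print(f"{name:8s} valid={info['valid']} strict={info['strict']} txid={info['txid']}")
```

All three variants verify against the same public key and the same signed hash, yet each hashes to a different txid, which is the whole problem. Negation works because the verifier only compares the x-coordinate of u1*G + u2*Q, and replacing s with N - s negates both u1 and u2, giving the mirror point with the same x. Bitcoin Core later closed both of these avenues for the signer's own transactions: strict DER became a consensus rule (BIP66) and only the low-S form (s <= N/2) is accepted as standard, which is why `is_strict_der` plus a low-S check is the test to run on signatures you relay. The other sources in sipa's gist (anything in the scriptSig that is not covered by the signature) are separate and are not exercised here.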
Title: Re: What exactly is malleable?
Post by: dexX7 on February 11, 2014, 05:22:02 PM

Quote from: Amitabh S
Oh, so the signatures themselves are malleable... but that's a feature, not a bug.. ;D

From: https://gist.github.com/sipa/8907691
Quote
Several sources of malleability are known:
Title: Re: What exactly is malleable?
Post by: thenoblebot on February 11, 2014, 05:23:03 PM

Quote
While transactions are signed, the signature does not currently cover all the data in a transaction that is hashed to create the transaction hash. Thus while uncommon it is possible for a node on the network to change a transaction you send in such a way that the hash is invalidated.

So some of the non-essential data can sometimes be changed. And that is what leads to malleability of the transaction, even though it remains perfectly valid and will go to the exact address as intended.

Relevant link: https://en.bitcoin.it/wiki/Transaction_Malleability

Title: Re: What exactly is malleable?
Post by: cr1776 on February 11, 2014, 06:05:21 PM

Quote from: thenoblebot
Quote
While transactions are signed, the signature does not currently cover all the data in a transaction that is hashed to create the transaction hash. Thus while uncommon it is possible for a node on the network to change a transaction you send in such a way that the hash is invalidated.

So some of the non-essential data can sometimes be changed. And that is what leads to malleability of the transaction, even though it remains perfectly valid and will go to the exact address as intended.

Relevant link: https://en.bitcoin.it/wiki/Transaction_Malleability

It is like the post office (or someone else) stamping the outside of the envelope - it still gets there [well, that is debatable!], but the envelope isn't identical to the way it was when you placed it in the mailbox.

Title: Re: What exactly is malleable?
Post by: thenoblebot on February 11, 2014, 06:35:59 PM

Quote from: cr1776
It is like the post office (or someone else) stamping the outside of the envelope - it still gets there [well, that is debatable!], but the envelope isn't identical to the way it was when you placed it in the mailbox.

Haha yeah, that's a nice way to put it.
Simple and clean, cr1776. So the debatable part: it has to do with rebroadcasting the original (or maybe modified again) transaction, which might get accepted instead of the modified one. Damn, I hope I didn't confuse them again after your clean analogy. ;D

Title: Re: What exactly is malleable?
Post by: tvbcof on February 11, 2014, 06:46:27 PM

Quote from: Amitabh S
Oh, so the signatures themselves are malleable... but that's a feature, not a bug.. ;D

It seems to me that the end result here is that in order to use the globally distributed and persistent blockchain safely, one needs to take the tx-id off the confirmed blockchain. This means planning one's transactions with some deliberation and rate limiting, as well as analyzing the blockchain carefully (leading one to wish to have it on hand.)

I personally would consider this a feature. If Satoshi(s) did as well, and especially if he/they anticipated a window for significant growth and interest in the solution before the issue became abused, he's a bigger fuckin' genius than I thought!