Bitcoin Forum
July 06, 2024, 10:17:01 PM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
   Home   Help Search Login Register More  
Bitcoin Forum > Bitcoin > Bitcoin Discussion > Help me look for sites/software that produces non-standard signatures
Pages: [1]
« previous topic next topic »
  Print  
Author Topic: Help me look for sites/software that produces non-standard signatures  (Read 1657 times)
Pieter Wuille (OP)
Legendary
*
Offline Offline

Activity: 1072
Merit: 1178


View Profile WWW
December 26, 2012, 07:19:59 PM
Last edit: December 26, 2012, 10:11:22 PM by Pieter Wuille
 #1
Hello everyone,

since it was discovered that Bitcoin accepts transactions whose signatures are not formatted entirely according to the DER standard, we've been wanting to fix this, by making the rules somewhat more strict (this would make it easier for new implementations for example, as they now have to mimic exactly what OpenSSL does, in case they use a different crypto library).

This is however hard to just change, as there is apparently still software out there that (probably unknowingly) violates the strict specification "as it worked anyway". Some time ago we already identified some "offenders", and the frequency of non-DER signatures dropped significantly since then. In the past few days, only 0.2%-0.5%. Still, I'd like to see this drop closer to zero before releasing software that doesn't relay it anymore. (Note: in time, this may become a network rule, but in this first stage the question is just whether to relay them or not - blocks with such transactions remain valid).

Here is a full list of all offending transactions the past 4 days. If can help identify their source, perhaps we can make the percentage drop further.

EDIT: here is a page with addresses from which non-standard transactions have originated.

Transactions with (at least) a signature with an "excessively padded R value":
Transactions with (at least) an "excessively padded S value":
Transaction with (at least) a "negative R value":
Transactions with (at least) a "negative S value":
Thanks!
I do Bitcoin stuff.
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 4200
Merit: 8443



View Profile WWW
December 26, 2012, 07:59:54 PM
Last edit: December 26, 2012, 10:08:34 PM by gmaxwell
 #2
This is the prior output addresses of these transactions inputs— the owners of these addresses are the likely parties operating the software which creates these non-standard signatures is on this webpage. I moved it off the forum so you could easily see which links were already visited for you (the default forum color scheme gets in the way of that).

I also included google links so you can go searching deeper.  So far, people on IRC were able to identify TheButterZone as 1TBZYXjrGjXCEN1SprpF66Jzy5uN3GiLS.

Since people are missing it:
This link has addresses instead of txids.
Pieter Wuille (OP)
Legendary
*
Offline Offline

Activity: 1072
Merit: 1178


View Profile WWW
December 26, 2012, 10:12:35 PM
 #3
Added gmaxwell's link to the top post.
I do Bitcoin stuff.
TheButterZone
Legendary
*
Offline Offline

Activity: 3010
Merit: 1031


RIP Mommy


View Profile WWW
December 27, 2012, 08:27:35 AM
 #4
Quote from: gmaxwell on December 26, 2012, 07:59:54 PM
This is the prior output addresses of these transactions inputs— the owners of these addresses are the likely parties operating the software which creates these non-standard signatures is on this webpage. I moved it off the forum so you could easily see which links were already visited for you (the default forum color scheme gets in the way of that).

I also included google links so you can go searching deeper.  So far, people on IRC were able to identify TheButterZone as 1TBZYXjrGjXCEN1SprpF66Jzy5uN3GiLS.

I'm also 1TBZjmXho6mdGhoESaMV2svtqJXYtWfEp on here http://people.xiph.org/~greg/non-standard-signatures.html - this is also the address involved at https://bitcointalk.org/index.php?topic=133122.0 - but as that is just about random unexplained received TXs at that address, it's probably just a coincidence.

I send TXs for both these addresses with an Oct 1 2012 copy of brainwallet.org - and they're both vanities, found by http://silverthreadsoftware.com/bitcoin/vanity/VanityAddress.jar - discussion about the JAR here: https://bitcointalk.org/index.php?topic=76038.0

Trifecta?
Quote from: SaltySpitoon on February 21, 2018, 12:07:45 AM
Saying that you don't trust someone because of their behavior is completely valid.
Mike Hearn
Legendary
*
Offline Offline

Activity: 1526
Merit: 1129


View Profile
December 27, 2012, 04:01:59 PM
 #5
I suspect the negative R/S values can be generated by Android wallet users who are running on Froyo. This old version of Android is known to be unable to reliably calculate signatures due to a buggy BigInteger class. Andreas didn't want to cut off support for these users entirely as it still makes up a few percent of the Android userbase, so he implemented a hack whereby signatures are checked after generation, and if the signature doesn't verify it's generated again!

Unfortunately this leads to a problem. Preventing Bitcoin Wallet from being installed on Froyo is easy. But the existing users would still be creating bad signatures from time to time. It may be that we need to change bitcoinj to use r.abs() and s.abs() instead of r and s, even though that should have no effect on normal platforms.
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 4200
Merit: 8443



View Profile WWW
December 28, 2012, 04:51:52 PM
 #6
I contacted several forum users who had used addresses in the list in their signatures.

I've received a couple responses:

1Pq7zKpZHLaT9yheWyHqQp8XUtvTmt7VTm - blockchain.info / iPad app
18ix3ikc51sKTwmfho5fjmfqe2miJBQR2c - blockchain.info / chrome (no code pinning/extension, I asked)
Mike Hearn
Legendary
*
Offline Offline

Activity: 1526
Merit: 1129


View Profile
December 29, 2012, 02:09:23 PM
 #7
I made a little Android app that generates random keys and signs random data in a loop, then ran it on a Froyo emulator. I couldn't make it spit out negative r/s values unfortunately. So perhaps my theory is incorrect.

It sounds like maybe bitcoinjs could do this:

https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/src/ecdsa.js

Unfortunately I don't see any way the results can be negative with that code either. I do see a minor difference between the Bouncy Castle implementation and ecdsa.js which is that Bouncy Castle will keep retrying the signing process until s is not zero, whereas ecdsa.js won't. Otherwise they look the same.

The serialization code in bitcoinjs looks OK too.

https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/src/ecdsa.js#L302
https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/src/util.js#L43

Other than a bug in the underlying platform math libraries or bogus serialization code, what explanations exist for negative r/s values? None of the underlying BigInteger operations can result in negative numbers.
Pages: [1]
  Print  
Bitcoin Forum > Bitcoin > Bitcoin Discussion > Help me look for sites/software that produces non-standard signatures
 « previous topic next topic »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!