Salvaging refund protocols from malleability attacks with P2SH

[belcher]

From what I can tell, bip65 is a better way to solve the problem in OP

https://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki#Noninteractive_timelocked_refunds

It can be implemented with a softfork and also allows many other applications as well as timelocked refunds.

[jl777]

From what I can tell, bip65 is a better way to solve the problem in OP

https://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki#Noninteractive_timelocked_refunds

It can be implemented with a softfork and also allows many other applications as well as timelocked refunds.

Of course this would be a great thing.

Still dont you feel that allowing ANYBODY to just mess with your txid a bit wrong? The real world analogy would be that ANYBODY at ANYTIME could theoretically just change the check # for a check that you send to someone.

Alice: "I sent you check #1234, didnt you get it?"
Bob: "No, but I did get check #7364 for the same amount from you. Are you sure you know what you are doing?"
Alice: "Of course, it was the malleability gremlin that just changed the checknumber. Dont worry, bitcoin is 100% secure"

James

[belcher]

From what I can tell, bip65 is a better way to solve the problem in OP

https://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki#Noninteractive_timelocked_refunds

It can be implemented with a softfork and also allows many other applications as well as timelocked refunds.

Of course this would be a great thing.

Still dont you feel that allowing ANYBODY to just mess with your txid a bit wrong? The real world analogy would be that ANYBODY at ANYTIME could theoretically just change the check # for a check that you send to someone.

Alice: "I sent you check #1234, didnt you get it?"
Bob: "No, but I did get check #7364 for the same amount from you. Are you sure you know what you are doing?"
Alice: "Of course, it was the malleability gremlin that just changed the checknumber. Dont worry, bitcoin is 100% secure"

James

Well... yeah.

We'll just have to build our software to never rely on the txid unless its already been mined.

Alice and Bob shouldnt talk about txid but instead addresses or whatever comes after addresses in bip70.

[belcher]

I've been thinking about this a lot recently.

Since the last post, highS signatures have been made non-standard so they won't propagate on the p2p network. However this malleability can still be done by a miner and recently this happened.

Another way to deal with s-malleability is for Alice to mutate the transactions herself and require Bob to sign two transaction hashes. One for each of the highS and lowS versions. Then if the transaction gets mutated that way Alice can use the other signature to get her coins back.

Only problem is, for N inputs there are 2^N ways of mutating the transaction, so transactions with many inputs require a lot more data to be transferred between Alice and Bob.


(My earlier comments on this thread 18 month ago sound a bit ignorant hah, I get it now)

[belcher]

Waxwing, arubi and I were discussing this for coinswap. We think we came up with another method of malleability that could cause serious problems.

In my above post I only thought about highS/lowS malleability, but there is another way involving adding OP_NOP opcodes to the scriptSig. See here (click the </> symbol on the top right, the first input has OP_NOP added)

I think this is non-standard but valid on the bitcoin mainnet. Which means a miner could be either Alice or Carol in the coinswap protocol and then mine a malleated paying-in TX0 to hold the other party's money to ransom. Also a miner could do this to random transactions as a way of attacking the network.

There's basically an infinite number of ways to add opcodes to scriptSig, so we can't use the same trick as above of signing every possible backout transaction.

If there's no way to fix this then we can't safely do coinswap. One thing we need to check if whether this thing is really non-standard but valid.

[waxwing]

> There's basically an infinite number of ways to add opcodes to scriptSig, so we can't use the same trick as above of signing every possible backout transaction.

Further to this point, following up more feedback from arubi: non-push opcodes are not allowed in the scriptSig, but OP_NOP is allowed, as I understand it (please correct me if I'm wrong); if that's right, the issue is specifically related to the NOP opcodes, and extra data can be disallowed with OP_DEPTH (or does cleanstack cover that? only for standard?).

(Also logging any thoughts on this here: https://github.com/AdamISZ/CoinSwapCS/issues/25 ).