BIP 0147: Difference between revisions
Adding landing page for bip-0147 |
Update BIP text with latest version from https://github.com/bitcoin/bips/blob/b5723035e23896d0/bip-0147.mediawiki |
||
Line 1: | Line 1: | ||
{{bip}} | {{bip}} | ||
{{BipMoved|bip-0147.mediawiki}} | |||
<pre> | <pre> | ||
Line 8: | Line 9: | ||
Comments-Summary: No comments yet. | Comments-Summary: No comments yet. | ||
Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0147 | Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0147 | ||
Status: | Status: Final | ||
Type: Standards Track | Type: Standards Track | ||
Created: 2016-09-02 | Created: 2016-09-02 | ||
Line 14: | Line 15: | ||
</pre> | </pre> | ||
==Abstract== | |||
This document specifies proposed changes to the Bitcoin transaction validity rules to fix a malleability vector in the extra stack element consumed by <code>OP_CHECKMULTISIG</code> and <code>OP_CHECKMULTISIGVERIFY</code>. | |||
==Motivation== | |||
Signature malleability refers to the ability of any relay node on the network to transform the signature in transactions, with no access to the relevant private keys required. For non-segregated witness transactions, signature malleability will change the <code>txid</code> and invalidate any unconfirmed child transactions. Although the <code>txid</code> of segregated witness ([https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki BIP141]) transactions is not third party malleable, this malleability vector will change the <code>wtxid</code> and may reduce the efficiency of compact block relay ([https://github.com/bitcoin/bips/blob/master/bip-0152.mediawiki BIP152]). | |||
A design flaw in <code>OP_CHECKMULTISIG</code> and <code>OP_CHECKMULTISIGVERIFY</code> causes them to consume an extra stack element ("dummy element") after signature validation. The dummy element is not inspected in any manner, and could be replaced by any value without invalidating the script. This document specifies a new rule to fix this signature malleability. | |||
==Specification== | |||
To fix the dummy element malleability, a new consensus rule ("<code>NULLDUMMY</code>") is deployed to require that the dummy element MUST be the empty byte array. Anything else makes the script evaluate to false immediately. The <code>NULLDUMMY</code> rule applies to <code>OP_CHECKMULTISIG</code> and <code>OP_CHECKMULTISIGVERIFY</code> in pre-segregated scripts, and also pay-to-witness-script-hash scripts described in BIP141. | |||
==Deployment== | |||
This BIP will be deployed by "version bits" [https://github.com/bitcoin/bips/blob/master/bip-0009.mediawiki BIP9] using the same parameters for BIP141 and BIP143, with the name "segwit" and using bit 1. | |||
For Bitcoin mainnet, the BIP9 starttime is midnight 15 November 2016 UTC (Epoch timestamp 1479168000) and BIP9 timeout is midnight 15 November 2017 UTC (Epoch timestamp 1510704000). | |||
For Bitcoin testnet, the BIP9 starttime is midnight 1 May 2016 UTC (Epoch timestamp 1462060800) and BIP9 timeout is midnight 1 May 2017 UTC (Epoch timestamp 1493596800). | |||
==Compatibility== | |||
The reference client has produced compatible signatures from the beginning, and the <code>NULLDUMMY</code> rule has been enforced as relay policy by the reference client since v0.10.0. There has been no transactions violating the requirement being added to the chain since at least August 2015. | |||
For all scriptPubKey types in actual use, non-compliant signatures can trivially be converted into compliant ones, so there is no loss of functionality by this requirement. Users MUST pay extra attention to this new rule when designing exotic scripts. | |||
==Implementation== | |||
An implementation for the reference client is available at https://github.com/bitcoin/bitcoin/pull/8636 | |||
==Acknowledgements== | |||
Peter Todd is the original author of NULLDUMMY. This document is extracted from the previous [https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki BIP62] proposal, which was composed by Pieter Wuille and had input from various people. | |||
==Copyright== | |||
This document is placed in the public domain. |
Latest revision as of 17:59, 24 September 2019
This page describes a BIP (Bitcoin Improvement Proposal). |
Please do not modify this page. This is a mirror of the BIP from the source Git repository here. |
BIP: 147 Layer: Consensus (soft fork) Title: Dealing with dummy stack element malleability Author: Johnson Lau <jl2012@xbt.hk> Comments-Summary: No comments yet. Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0147 Status: Final Type: Standards Track Created: 2016-09-02 License: PD
Abstract
This document specifies proposed changes to the Bitcoin transaction validity rules to fix a malleability vector in the extra stack element consumed by OP_CHECKMULTISIG
and OP_CHECKMULTISIGVERIFY
.
Motivation
Signature malleability refers to the ability of any relay node on the network to transform the signature in transactions, with no access to the relevant private keys required. For non-segregated witness transactions, signature malleability will change the txid
and invalidate any unconfirmed child transactions. Although the txid
of segregated witness (BIP141) transactions is not third party malleable, this malleability vector will change the wtxid
and may reduce the efficiency of compact block relay (BIP152).
A design flaw in OP_CHECKMULTISIG
and OP_CHECKMULTISIGVERIFY
causes them to consume an extra stack element ("dummy element") after signature validation. The dummy element is not inspected in any manner, and could be replaced by any value without invalidating the script. This document specifies a new rule to fix this signature malleability.
Specification
To fix the dummy element malleability, a new consensus rule ("NULLDUMMY
") is deployed to require that the dummy element MUST be the empty byte array. Anything else makes the script evaluate to false immediately. The NULLDUMMY
rule applies to OP_CHECKMULTISIG
and OP_CHECKMULTISIGVERIFY
in pre-segregated scripts, and also pay-to-witness-script-hash scripts described in BIP141.
Deployment
This BIP will be deployed by "version bits" BIP9 using the same parameters for BIP141 and BIP143, with the name "segwit" and using bit 1.
For Bitcoin mainnet, the BIP9 starttime is midnight 15 November 2016 UTC (Epoch timestamp 1479168000) and BIP9 timeout is midnight 15 November 2017 UTC (Epoch timestamp 1510704000).
For Bitcoin testnet, the BIP9 starttime is midnight 1 May 2016 UTC (Epoch timestamp 1462060800) and BIP9 timeout is midnight 1 May 2017 UTC (Epoch timestamp 1493596800).
Compatibility
The reference client has produced compatible signatures from the beginning, and the NULLDUMMY
rule has been enforced as relay policy by the reference client since v0.10.0. There has been no transactions violating the requirement being added to the chain since at least August 2015.
For all scriptPubKey types in actual use, non-compliant signatures can trivially be converted into compliant ones, so there is no loss of functionality by this requirement. Users MUST pay extra attention to this new rule when designing exotic scripts.
Implementation
An implementation for the reference client is available at https://github.com/bitcoin/bitcoin/pull/8636
Acknowledgements
Peter Todd is the original author of NULLDUMMY. This document is extracted from the previous BIP62 proposal, which was composed by Pieter Wuille and had input from various people.
Copyright
This document is placed in the public domain.