From: Kristov Atlas <kristovatlas.lists@gmail•com>
To: Gregory Maxwell <gmaxwell@gmail•com>
Cc: Bitcoin Dev <bitcoin-development@lists•sourceforge.net>
Subject: Re: [Bitcoin-development] [RFC] Canonical input and output ordering in transactions
Date: Mon, 15 Jun 2015 00:01:36 -0400 [thread overview]
Message-ID: <CAGH37S+674cAVC7=WvST_SPkXjfNkzbj7Y_me_M6C+ieHX6EAA@mail.gmail.com> (raw)
In-Reply-To: <CAAS2fgRgWZX_O_2O1bgdFd_04xVp5Lnpw4hf=v6RSTXmsbdzPQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2913 bytes --]
On Sun, Jun 14, 2015 at 7:02 PM, Gregory Maxwell <gmaxwell@gmail•com> wrote:
> I'm not a great fan of this proposal for two reasons: The first is
> that the strict ordering requirements is incompatible with future
> soft-forks that may expose additional ordering constraints. Today we
> have _SINGLE, which as noted this interacts with poorly, but there
> have been other constraints proposed that this would also interact
> with poorly.
>
I'm not clear on why this is a problem, so long as the canonical ordering
BIP is *optional*. Unless there is a specific plan to soft fork a change
that would break the BIP and it is fairly imminent, I see this only as a
reason not to integrate it into isStandard().
> The second is that even absent consensus rules there may be invisible
> constraints in systems-- e.g. hardware wallets that sign top down, or
> future transaction covenants that have constraints about ordering, or
> proof systems that use (yuck) midstate compression for efficiency. Right
> now, with random ordering these applications are fairly
> indistinguishable from other random uses (since their imposed order
> could come about by chance) but if everyone else was ordered, even if
> wasn't enforced.. these would be highly distinguishable. Which would
> be unfortunate.
Maybe they shouldn't be doing that. :-P
> I think perhaps the motivations here are understated. We have not seen
> any massive deployments of accidentally broken ordering that I'm aware
> of-- and an implementation that got this wrong in a harmful way would
> likely make far more fatal mistakes (e.g. non random private keys).
>
In my reading of various wallet client sources, it is common that wallet
clients will use cryptographically weak sources of randomness to sort
outputs -- that is, the ones that actually bother to randomly sort. I can
hunt down some examples if this would substantially contribute to the
discussion.
As an alternative to this proposal the ordering can be privately
> derandomized in the same way DSA is, to avoid the need for an actual
> number source. If getting the randomness right were really the only
> motivation, I'd suggest we propose a simple derandomized randomization
> algorithm--- e.g. take the order from (H(input ids||client secret)).
>
This sounds similar to an idea that Sergio pitched to me privately, which
was for wallets to have a private sorting key that they can use to sort
inputs and outputs. However, I suspect that adding yet another key which
will necessarily require special key rotation rules and maybe special
backup procedures will mean that this standard will not be widely adopted
any time soon. Ideally, I'd like to see someone write a different BIP with
the sorting key idea and let them compete in the wallet client market
rather than trying to anticipate what is best for all clients and
distilling two good ideas into one artificially.
-Kristov
[-- Attachment #2: Type: text/html, Size: 3860 bytes --]
next prev parent reply other threads:[~2015-06-15 4:01 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-06 4:42 Rusty Russell
2015-06-06 4:46 ` Mark Friedenbach
2015-06-06 6:44 ` Rusty Russell
2015-06-06 8:24 ` Wladimir J. van der Laan
2015-06-06 9:45 ` Mark Friedenbach
2015-06-08 21:25 ` Danny Thorpe
2015-06-08 21:36 ` Peter Todd
2015-06-14 23:04 ` Gregory Maxwell
2015-06-14 23:02 ` Gregory Maxwell
2015-06-15 2:29 ` Rusty Russell
2015-06-15 2:33 ` Gregory Maxwell
2015-06-15 2:47 ` Mark Friedenbach
2015-06-15 21:01 ` Rusty Russell
2015-06-16 7:10 ` Jorge Timón
2015-06-16 8:06 ` Rusty Russell
[not found] ` <CABm2gDpkwHvrsB8Dh-hsO6H9trcweEX9XGB5Jh5KLPsPY5Z1Sw@mail.gmail.com>
2015-06-21 7:27 ` [Bitcoin-development] Fwd: " Jorge Timón
2015-06-15 4:01 ` Kristov Atlas [this message]
2015-06-24 22:09 ` [bitcoin-dev] [Bitcoin-development] " Kristov Atlas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGH37S+674cAVC7=WvST_SPkXjfNkzbj7Y_me_M6C+ieHX6EAA@mail.gmail.com' \
--to=kristovatlas.lists@gmail$(echo .)com \
--cc=bitcoin-development@lists$(echo .)sourceforge.net \
--cc=gmaxwell@gmail$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox