AdLunam

The developer Bitcoin Gregory Maxwell writes the following On Reddit:

There is a design defect in the Bitcoin protocol where it is possible for a third party to take a valid transaction from yours and mutate it in a way that leaves it valid and functionally identical, but with a different transaction ID. This considerably complicates the drafting of the correct portfolio software, and it can be used abusive to invalidate long unconfirmed transaction channels which depend on the non -mutant transaction (since transactions refer to each other by TXID).

This question stems from several sources, one of them being the will of OpenSSL to accept and give meaning to signatures with invalid encodings. An ECDSA Normal Signature Code for two large integers, coding is not a constant length – if there are main zeros, you are supposed to drop them.

It is easy to write software which assumes that the signature will be a constant length, then to leave additional zeros.

This is a very interesting edifying story, and is particularly important because situations like these are part of the reason why we have made certain design decisions in our development philosophy. More specifically, the problem is as follows: many people continue to assert the point that we are in many places by unnecessarily reinvening the wheel, creating our own serialization format, RlpInstead of using the protobuf And we build a specific script language instead of “simply using Lua”. It is a very valid concern; Non -invented supply syndrome is a commonly used pejorativetherefore making such an internal development requires justification.

And the edifying history that I cited above precisely provides the perfect example of the justification that I will provide. External technologies, whether Protobuf, Lua or OpenSSL, are very good and have years of development behind them, but in many cases, they have never been designed with perfect consensus, determinism and cryptographic integrity in the spirit of which cryptocurrencies need. The OpenSl situation above is the perfect example; Aside from cryptocurrencies, there are really no other situations where you can take a valid signature and transform it into another valid signature with different hash is an important problem, and yet here, it’s fatal. One of our fundamental principles in Ethereum is simplicity; The protocol should be as simple as possible and the protocol should not contain any black box. Each characteristic of each sub-protein must be precisely documented 100% on white paper or wiki, and implemented using this as specification (i.e. development based on the test). This for an existing software package is undoubtedly almost as difficult as building a completely new package from zero; In fact, it can even be more difficult, because existing software packages often have more complexity than they need to be full of features, while our alternatives are not – read the Protobuf And compare it to Spectr To understand what I mean.

Note that the above principle has its limits. For example, we are certainly not stupid enough to start inventing our own hash algorithms, using the universally acclaimed and well venerated SHA3, and for signatures, we use the same old SECP256K1 as Bitcoin, although we use RLP to store the V, R, S Triple (the V is an additional pad for the end of the public key) Open Protocol stamp. These types of situations are those where “simply use x” is precisely the right thing to do, because X has a clean and well understood interface and there are no subtle differences between different implementations. The SHA3 of the empty chain is C5D2460186 … A470 in C ++, Python and JavaScript; There is no debate on this subject. Between these two extremes, it is essentially a question of finding the right balance.