00:22:07thufir:Eliel: i think there are essentially 2^256 different valid ones, not just one
00:26:16sipa:for ECDSA, just one
00:27:27sipa:but read BIP62, there are many ways through which a transaction can br malleated that does not rely on ECDSA malleability
00:42:45hhogan420:i conco
00:43:27hhogan420:concur*, if anything the bullet point summary was a really important takeaway for understanding malleability 'vectors'
00:43:38hhogan420:(from BIP62)
02:39:30Sub|afk:Sub|afk is now known as SubCreative
03:10:15rusty:Hmm, would it ease enforcement of low-s-value normalized txs if bitcoin core flipped non-conformant signatures? A bit weird, of course, to normalize other peoples transactions...
03:11:04phantomcircuit:rusty, there's nodes that add null padding
03:11:04phantomcircuit:so why not
03:11:44rusty:phantomcircuit: null padding?
03:12:04sipa:rusty: i don't think it would help
03:12:24phantomcircuit:openssl didn't correctly enforce the DER minimum encoding rules until very recently
03:12:28sipa:enforcement is about being sure that no malleated form enters the blockchain
03:12:43sipa:phantomcircuit: it also did not intend to
03:12:50phantomcircuit:so you were free to add null padding since it was BER
03:13:05phantomcircuit:sipa, the function names indicate someone at some point intended to
03:13:14phantomcircuit:d2i and such
03:13:38sipa:well they have a fully fledger ber decoder
03:13:42rusty:sipa: sure, so you start with making them non-standard (but do the normalized step first), then later at some point soft-fork to make them invalid.
03:13:55phantomcircuit:(btw they didn't fix the actual decoder, they merely do a decode/encode/compare)
03:14:11phantomcircuit:sipa, sure but that is a super set of a der decoder
03:14:26sipa:rusty: that would hurt wallets more than just making it opt-in
03:15:07sipa:phantomcircuit: if the intention was not supporting full ber, they could have used 10 times less code
03:15:26phantomcircuit:to be fair i wouldn't suggest they actually fix the DER functions since it's such a mess of macros
03:15:48sipa:i am pretty sure that the intention was supporting full ber on decoding
03:16:06phantomcircuit:sipa, i was under the impression that DER is simply the minimal encoding of BER
03:16:16phantomcircuit:is that wrong?
03:16:19rusty:sipa: by making it opt-in, you're suggesting some kind of "normalized-only" sighash flag?
03:16:31sipa:rusty: i am suggesting bip 62 :)
03:17:09sipa:normalizing sighashes is not avoiding malleability... it is making malleability harmless
03:17:44sipa:bip 62 provides an opt-in way to have consensus rule enforce a single encoding of a transaction
03:18:03sipa:but bip62 does not protect against a sender re-signing
03:19:57rusty:sipa: Thanks, I missed that nuance when I read "but it cannot be enforced in the network currently because it would break existing wallets." from gmaxwell in earlier logs.
03:20:25phantomcircuit:sipa, so it looks like DER is strictly a subset of BER with a bunch of encoding constraints intended to maintain 1:1 value:encoding mapping
03:21:16sipa:D = distinguished
03:21:48phantomcircuit:so what
03:22:06phantomcircuit:someone implemented BER because they didn't understand the purpose of DER?
03:22:26phantomcircuit:the decoding function names seem to indicate they intended them to use DER at some point
03:22:28sipa:i am pretty sure that the intention was supporting full ber
03:22:50phantomcircuit:that's mad
03:23:02sipa:even if the standard says using der
03:23:24sipa:one would want to support more than strictly necessary on input
03:23:43sipa:that was fashionable at some point
03:23:58sipa:be strict on output, not strict on input
03:24:20rusty:sipa: a-la Postel
03:24:41phantomcircuit:sipa, ichy
03:24:54sipa:* sipa scratches
03:25:02phantomcircuit:ichy not itchy...
03:25:13phantomcircuit:i can see that in non security things
03:25:25sipa:but even then
03:25:40sipa:it makes behaviour unpredictable
03:26:59phantomcircuit:sipa, sure but for example a date field on some website accepting 2015-03-13 and 03/13/15
03:27:07phantomcircuit:seems reasonable (note not 03/03/15 ...)
03:27:40phantomcircuit:ok so maybe bad example...
03:28:46sipa:even for unix tools etc
03:29:11sipa:it results in differences between different platforms/implementation
03:29:48sipa:at least for DER it was well defined what the "correct" subset was supposed to be
03:30:12sipa:but how many people here have actually read the DER standard? :)
03:31:19rusty:sipa: using DER/BER was weird in the first place though. Two 32-byte integers would have been simpler and more optimal.
03:31:30thufir:why not just serialize the numbers as straight forward as possible? why use their purposely convoluted standards?
03:31:35thufir:heh, exactly!
03:32:09sipa:thufir: ask satoshi
03:32:25sipa:i don't think anyone disagrees with this
03:32:40sipa:but change is ridiculously hard
03:32:41thufir:ok, i'll get around to it ;)
03:32:54thufir:yea, true. so that is the answer then, hehe
03:33:49phantomcircuit:rusty, there is virtually zero documentation on what the openssl signature structure is
03:34:14sipa:the code is self-documenting!
03:34:17phantomcircuit:(like 90% of openssl)
03:34:22thufir:my purposed DER replacement: http://pastebin.com/VvzyRTPB
03:34:52phantomcircuit:sipa, yeah like how the d2i functions are defined by macros at compile time and are roughly impossible to find
03:34:58sipa:thufir: we're not using rsa
03:35:16thufir:yes of course, adapt it. mostly a joke on how silly it is to use der/whatever.
03:35:38sipa:oh, sure, fully agree there
03:38:47thufir:you know, i looked at implementing either TLS or SSH-TRANSPORT in my project. I went with SSH because it took me a couple weeks to do it from scratch from RFCs. Looking at TLS, it would take me a year, and most of that would be implementing the crazy encoding of the certificates. that is practically a turing complete language onto itself. complication is bad, i think put there on purpose. more surface area for bugs.
03:40:54thufir:ie, the biggest surface area of attack in my opinion on TLS is the encoding of the certs. encoding. so change is hard, but, keep that in mind is all.
03:43:06thufir:not saying at all satoshi did. he was pragmatic and chose what tools were available to get 'er done.
03:51:20phantomcircuit:thufir, SSH-TRANSPORT being the ssh protocol itself or some sort of transit over ssh using the openbsd ssh-client ?
03:51:32phantomcircuit:i wouldn't suggest reimplementing ssh either...
03:52:23thufir:in the rfcs its broken up into SSH-AUTH, SSH-TRANSPORT, and SSH-CONNECT, essentially the SSH auth, encryption, integrety, and multiplexing
03:53:01thufir:basically the best damn p2p protocol now thanks to python asyncio and my python asyncio ssh implementation.
03:53:48thufir:i needed a high performance encrypted p2p library. i didn't want to 'invent it myself' and fail at security, so i followed the rfcs. its cool because i can ssh into my program with openssh :)
03:54:59thufir:i would have used paraminko, but as I said, i needed a high perf one, so async io. twisted is twisted, so yea :)
03:55:36thufir:i'll release it lgpl in a few weeks along with my gpl program
20:59:30tepper.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
20:59:30tepper.freenode.net:Users on #bitcoin-wizards: andy-logbot lclc wallet42 dEBRUYNE jtimon justanotheruser jhogan42 Burrito c-cex-yuriy nsh belcher crowleyman shesek Quanttek NewLiberty mengine nuke_ hhogan420 HostFat spinza nivah fanquake1 pollux-bts koshii xapp GAit waxwing Relos arubi_ rustyn bsm117532 Mably Kwelstr MoALTz Cornholio b_lumenkraft hktud0 priidu forrestv Krellan cfields_ wump mappum richardu1 btc___ jbenet NeatBasisW dasource btcdrak Crowley2k TheSeven unlord_ airbreather
20:59:30tepper.freenode.net:Users on #bitcoin-wizards: SubCreative Starduster Dr-G2 CodeShark d1ggy satwo PRab dardasaba bosma yorick x98gvyn jgarzik aakselrod Pan0ram1x c0rw1n ebfull amiller mkarrer_ Tiraspol DougieBot5000 cluckj Iriez tjader antgreen` vdo cornusammonis luigi1111w melvster binaryatrocity_ sadoshi bliljerk101 grandmaster omni_ jonasschnelli PaulCapestany Emcy merlincorey gielbier maaku [ace] eric a5m0 nephyrin null_radix crescendo Sqt Madars mikolalysenko LeMiner cdecker sturles
20:59:30tepper.freenode.net:Users on #bitcoin-wizards: prodatalab adams_ GreenIsMyPepper harrow vonzipper berndj Zouppen Xzibit17 manan19 comboy sneak realcr gmaxwell jaromil catlasshrugged_ Apocalyptic harrigan Cory cryptowest_ runeks__ kanzure kefkius throughnothing STRML michagogo null sl01 lnovy [d__d] catcow Muis coryfields_ kinlo gwillen nickler Alanius sdaftuar epscy Taek Oizopower leakypat CryptOprah davout brand0 @ChanServ azariah MRL-Relay BrainOverfl0w so phedny warptangent pigeons
20:59:30tepper.freenode.net:Users on #bitcoin-wizards: espes__ afdudley stonecoldpat Fistful_of_Coins roasbeef_ heath bedeho BananaLotus guruvan morcos dansmith_btc cursive Meeh fluffypony optimator livegnik s1w AdrianG dignork gavinandresen yoleaux nanotube isis luigi1111 lechuga_ EasyAt phantomcircuit Logicwax kyuupichan poggy iddo Anduck Adlai ajweiss wizkid057 fenn hguux___ mariorz TD-Linux warren BlueMatt midnightmagic huseby otoburb platinuum kumavis artifexd yrashk luny Luke-Jr HM dc17523be3
20:59:30tepper.freenode.net:Users on #bitcoin-wizards: lmacken Hunger- SwedFTP weex go1111111 dgenr8 starsoccer wiz d9b4bef9 tromp_ gnusha mr_burdell tromp gribble jessepollak ryan-c larraboj jcorgan petertodd Keefe K1773R indolering veox Eliel Graet
22:21:59spinza_:spinza_ is now known as spinza