Published on: 2016-09-02T08:28:14+00:00
BIP146 proposes changes to the Bitcoin transaction validity rules in order to address signature malleability related to ECDSA signature encoding. This malleability allows relay nodes on the network to alter signatures without needing access to private keys. The BIP introduces two new rules: LOW_S and NULLFAIL. LOW_S restricts the S value inside ECDSA signatures to be at most half of the curve order, with strict DER encoding. If a signature fails the Low S value check and is not an empty byte array, the entire script will evaluate to false immediately. NULLFAIL requires that if an OP_CHECKSIG returns a FALSE value, the relevant signature must be an empty byte array. If an OP_CHECKMULTISIG returns a FALSE value, all signatures passing to this OP_CHECKMULTISIG must be empty byte arrays. The NULLDUMMY rule has been removed from BIP146 and will become another softfork implemented along with segwit. This revision of BIP146 adds the newly implemented NULLFAIL rules which should cover all special cases. The LOW_S softfork may be deployed later due to some undocumented behavior discovered. However, NULLFAIL will be implemented as a policy rule in 0.13.1, but the softfork won't be deployed in 0.13.1.Recently, the BIP146 was updated to include NULLDUMMY as part of the softfork. The update can be found on the Github page of Bitcoin Improvement Proposals (BIPs). This trivial softfork aims to fix malleability related to the extra stack element consumed by CHECKMULTISIG(VERIFY). It is considered important as it prevents attackers from replacing the stack element with any value, which could have serious implications. The inclusion of NULLDUMMY in BIP146 addresses this issue and enhances the security of the cryptocurrency system. This update demonstrates the continuous improvement made to the Bitcoin protocol to enhance security and prevent malicious attacks.On August 16, 2016, there was a discussion between Luke Dashjr and Johnson Lau regarding the ECDSA verification process for signatures passed to operators like OP_CHECKSIG and OP_CHECKMULTISIG. These operators perform verifications on pubkey/signature pairs in reverse order from the top of the stack. If a signature fails the IsLowDERSignature check, it is not processed. However, there is ambiguity in the reference to "the IsLowDERSignature check" as it is not clearly defined. Dashjr points out that the IsLowDERSignature function in Bitcoin Core is not directly called, but he will clarify this.A new Bitcoin Improvement Proposal (BIP) has been proposed to make low S value signatures a consensus rule. The proposal aims to restrict signatures to using low S values to fix malleability issues. ECDSA signatures are malleable, but restricting the S value helps prevent invalidation by taking the negative of the number S. The BIP states that every signature passed to OP_CHECKSIG, OP_CHECKSIGVERIFY, OP_CHECKMULTISIG, or OP_CHECKMULTISIGVERIFY must use an S value between certain limits with strict DER encoding. The BIP will be deployed using version bits BIP9, likely in v0.13.1. The implementation for the reference client can be found on Github. This proposal also reduces transaction malleability, providing additional benefits to the Bitcoin system.
Updated on: 2023-08-01T18:53:25.651454+00:00