Author: Pieter Wuille 2012-10-20 17:55:43
Published on: 2012-10-20T17:55:43+00:00
OpenSSL, the encryption library used by almost every full Bitcoin node in existence accepts several encodings for the same public key or signature. However, it also accepts non-standard encodings that fail to conform to SEC and DER specifications by which they are defined. To make the Bitcoin network rules more well-defined and prevent "malleability attacks," Pieter proposed strict rules about what is acceptable and what is not. He submitted a pull request proposing specific rules for public keys and signatures that are followed by almost all clients already. Sergio Lerner recently discovered that one can take the secp256k1-field-size complement of the S value in the signature without invalidating it. The easiest solution to prevent this would be to require that the lowest bit of the S value is always even. This would require coordination as no client currently enforces this, but it is easy to implement.Malleability can be a problem because a malicious relayer can modify transactions in-transit without invalidating them. This does not cause any loss of coins, but a lot of wallet software would not deal gracefully with a modified version of their transactions that gets accepted into a block.
Updated on: 2023-05-19T15:54:36.039151+00:00