BIP53: Clarify implementation complexity and improve tx notation #2034
Conversation
|
cc: @Christewart |
murchandamus
added
Proposed BIP modification
Pending acceptance
This comment was marked as spam.
This comment was marked as spam.
Co-authored-by: Chris Stewart <stewart.chris1234@gmail.com>
hodlinator
force-pushed
the
2025/11/bip53/inversion_typo
branch
from
0798f68 to
cbaedf2
Compare
hodlinator
changed the title
bip-0053.mediawiki
Outdated
| Assume we have a valid Bitcoin block with 2 transactions in it that have transaction ids of T<sub>0</sub> and T<sub>1</sub>. | ||
| The Merkle root for this block is H(T<sub>0</sub>||T<sub>1</sub>). | ||
| A malicious user could find a 64-byte transaction T<sub>m</sub> that serializes to T<sub>0</sub>||T<sub>1</sub>. | ||
| Next that user relays the block containing the malicious T<sub>m</sub> rather than the | ||
| valid Bitcoin transactions that correspond with T<sub>0</sub> and T<sub>1</sub>. |
There was a problem hiding this comment.
(Sorry for deleting previous comment + reposting, trying to present my ideas better).
There may still be potential to spell things out a bit better? It was not immediately obvious to me that the attacker would:
- Grind valid transactions for Txid0 and Txid1 to make them deserialize successfully as Tm.
- Probably need to collude with a miner/pool to make sure the 2 valid transactions become siblings.
It's also confusing to use T0 to denote a transaction id and Tm to denote the bytes of a transaction.
Suggested change of notation:
@@ -38,11 +38,11 @@ This has been mitigated by Bitcoin Core's relay policy and the RPC interface sin
64-byte transactions introduce block malleability. Malicious peers can construct consensus valid and invalid 64-byte
transactions that have the same serialization as the concatenation of 2 hashes in the Merkle tree.
-Assume we have a valid Bitcoin block with 2 transactions in it that have transaction ids of T<sub>0</sub> and T<sub>1</sub>.
-The Merkle root for this block is H(T<sub>0</sub>||T<sub>1</sub>).
-A malicious user could find a 64-byte transaction T<sub>m</sub> that serializes to T<sub>0</sub>||T<sub>1</sub>.
+Assume we have a valid Bitcoin block with 2 transactions in it with Txid<sub>0</sub> and Txid<sub>1</sub>.
+The Merkle root for this block is H(Txid<sub>0</sub>||Txid<sub>1</sub>).
+A malicious user could find a 64-byte transaction T<sub>m</sub> that serializes to Txid<sub>0</sub>||Txid<sub>1</sub>.
Next that user relays the block containing the malicious T<sub>m</sub> rather than the
-valid Bitcoin transactions that correspond with T<sub>0</sub> and T<sub>1</sub>.
+valid Bitcoin transactions that correspond with Txid<sub>0</sub> and Txid<sub>1</sub>.
==== Block malleability with consensus INVALID transactions ====
Still leaves T0 notation in "Other peers on the network receive the valid block containing T0 and T1" further down.
Edit: Not sure why GitHub refuses to render the suggestion diff correctly, maybe HTML code (reverted back to use diff-block instead of suggestion-block).
The paper in /bip-0053/2-BitcoinMerkle.pdf helped deepen my understanding.
There was a problem hiding this comment.
The diff seems reasonable to me if you want to add it to this piece work.
Agree the paper is good at laying this out.
There was a problem hiding this comment.
nit in proposed text: s/correspond with/correspond to/
(use "correspond with" for communication with, and "correspond to" for when two things are similar, match, or are in agreement)
There was a problem hiding this comment.
Pushed second commit containing the notation change and correspond-typo.
hodlinator
changed the title
6 participants
Uh oh!
There was an error while loading. Please reload this page.