📅 Original date posted:2015-06-14
📝 Original message:Gregory Maxwell <gmaxwell at gmail.com> writes:
> I'm not a great fan of this proposal for two reasons: The first is
> that the strict ordering requirements is incompatible with future
> soft-forks that may expose additional ordering constraints. Today we
> have _SINGLE, which as noted this interacts with poorly, but there
> have been other constraints proposed that this would also interact
> with poorly.
Yes, I hit this when I implemented an IsStandard change; upon input
evaluation the scriptsigs which used _SINGLE get disregarded from
ordering.
> The second is that even absent consensus rules there may be invisible
> constraints in systems-- e.g. hardware wallets that sign top down,
I think that one's pretty easy to fix (and they should fix it anyway, to
avoid leaking information due to ordering): they can receive an
unordered tx and sign it as if it were ordered canonically.
> or
> future transaction covenants that have constraints about ordering, or
> proof systems that use (yuck) midstate compression for efficiency.
The softfork argument I find the most compelling, though it's tempting
to argue that every ordering use (including SIGHASH_SINGLE) is likely
a mistake.
> I think perhaps the motivations here are understated. We have not seen
> any massive deployments of accidentally broken ordering that I'm aware
> of-- and an implementation that got this wrong in a harmful way would
> likely make far more fatal mistakes (e.g. non random private keys).
I was prompted to propose something by this:
https://blog.blocktrail.com/2015/05/getting-your-change-in-order/
If that's the only one though, it's less compelling.
> As an alternative to this proposal the ordering can be privately
> derandomized in the same way DSA is, to avoid the need for an actual
> number source. If getting the randomness right were really the only
> motivation, I'd suggest we propose a simple derandomized randomization
> algorithm--- e.g. take the order from (H(input ids||client secret)).
>
> I think there is actually an unstated motivation also driving this
> (and the other) proposal related to collaborative transaction systems
> like coinjoins or micropayment channels; where multiple clients need
> to agree on the same ordering. Is this the case? If so we should
> probably talk through some of the requirements there and see if there
> isn't a better way to address it.
Indeed. I was implementing deterministic permutations for lightning
(signature exchange requires both sides agree on ordering).
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-07 17:36:43
in reply to nevent1q…4yl3
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-07 17:36:43Event JSON
{
"id": "50c8e2f26f6b6c1752e3feb08a30fdf24b3325f08bd6e6bb9e8e0cb62a497889",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686152203,
"kind": 1,
"tags": [
[
"e",
"981f41da2a008fa33b1384e8dd3f0d4a96b7f3bed5c463f00f9032a495226e9c",
"",
"root"
],
[
"e",
"f01f6cf7a51e8ad74fad08052c8fe7d1a3034a143dbe01f163f918e3d83d6ec0",
"",
"reply"
],
[
"p",
"4aa6cf9aa5c8e98f401dac603c6a10207509b6a07317676e9d6615f3d7103d73"
]
],
"content": "📅 Original date posted:2015-06-14\n📝 Original message:Gregory Maxwell \u003cgmaxwell at gmail.com\u003e writes:\n\u003e I'm not a great fan of this proposal for two reasons: The first is\n\u003e that the strict ordering requirements is incompatible with future\n\u003e soft-forks that may expose additional ordering constraints. Today we\n\u003e have _SINGLE, which as noted this interacts with poorly, but there\n\u003e have been other constraints proposed that this would also interact\n\u003e with poorly.\n\nYes, I hit this when I implemented an IsStandard change; upon input\nevaluation the scriptsigs which used _SINGLE get disregarded from\nordering. \n\n\u003e The second is that even absent consensus rules there may be invisible\n\u003e constraints in systems-- e.g. hardware wallets that sign top down,\n\nI think that one's pretty easy to fix (and they should fix it anyway, to\navoid leaking information due to ordering): they can receive an\nunordered tx and sign it as if it were ordered canonically.\n\n\u003e or\n\u003e future transaction covenants that have constraints about ordering, or\n\u003e proof systems that use (yuck) midstate compression for efficiency.\n\nThe softfork argument I find the most compelling, though it's tempting\nto argue that every ordering use (including SIGHASH_SINGLE) is likely\na mistake.\n\n\u003e I think perhaps the motivations here are understated. We have not seen\n\u003e any massive deployments of accidentally broken ordering that I'm aware\n\u003e of-- and an implementation that got this wrong in a harmful way would\n\u003e likely make far more fatal mistakes (e.g. non random private keys).\n\nI was prompted to propose something by this:\n\nhttps://blog.blocktrail.com/2015/05/getting-your-change-in-order/\n\nIf that's the only one though, it's less compelling.\n\n\u003e As an alternative to this proposal the ordering can be privately\n\u003e derandomized in the same way DSA is, to avoid the need for an actual\n\u003e number source. If getting the randomness right were really the only\n\u003e motivation, I'd suggest we propose a simple derandomized randomization\n\u003e algorithm--- e.g. take the order from (H(input ids||client secret)).\n\u003e\n\u003e I think there is actually an unstated motivation also driving this\n\u003e (and the other) proposal related to collaborative transaction systems\n\u003e like coinjoins or micropayment channels; where multiple clients need\n\u003e to agree on the same ordering. Is this the case? If so we should\n\u003e probably talk through some of the requirements there and see if there\n\u003e isn't a better way to address it.\n\nIndeed. I was implementing deterministic permutations for lightning\n(signature exchange requires both sides agree on ordering).\n\nCheers,\nRusty.",
"sig": "a215da62225d249b5f1164052eb328aba27da6edebf854f270d510a8c7225017769175658ed37b43f9e828020ef92f05a9036ece77d2607b22112070d4864be6"
}