From b44d5c95311c017c0829f1febc9c2c44a620085b Mon Sep 17 00:00:00 2001 From: Orfeas Litos Date: Tue, 26 Nov 2019 12:43:34 +0000 Subject: [PATCH 1/2] Mention hash_type malleability would change wtxid --- bip-taproot.mediawiki | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bip-taproot.mediawiki b/bip-taproot.mediawiki index 11197855..cffbfbb2 100644 --- a/bip-taproot.mediawiki +++ b/bip-taproot.mediawiki @@ -93,7 +93,7 @@ The following rules apply: * If the signature is not 64'''Why permit two signature lengths?''' By making the most common type of hash_type implicit, a byte can often be saved. or 65 bytes, fail. * If the signature size is 65 bytes: ** If the final byte is not a valid hash_type (defined hereinafter), fail. -** If the final byte is 0x00, fail'''Why can the hash_type not be 0x00 in 65-byte signatures?''' Permitting that would enable malleating 64-byte signatures into 65-byte ones, resulting a different fee rate than the creator intended. +** If the final byte is 0x00, fail'''Why can the hash_type not be 0x00 in 65-byte signatures?''' Permitting that would enable malleating 64-byte signatures into 65-byte ones, resulting in a different `wtxid` and a different fee rate than the creator intended. ** If the first 64 bytes are not a valid signature according to bip-schnorr for the public key and message set to the transaction digest with hash_type set as the final byte, fail. * If the signature size is 64 bytes: ** If it is not a valid signature according to bip-schnorr for the public key and the hash_type = 0x00 transaction digest as message, fail. From 2e79be9f72cf3253bbfe4cb362287079c1af1429 Mon Sep 17 00:00:00 2001 From: Orfeas Stefanos Thyfronitis Litos Date: Tue, 26 Nov 2019 15:30:12 +0000 Subject: [PATCH 2/2] Mention that miners could malleate signatures --- bip-taproot.mediawiki | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bip-taproot.mediawiki b/bip-taproot.mediawiki index cffbfbb2..1b9f831a 100644 
--- a/bip-taproot.mediawiki +++ b/bip-taproot.mediawiki @@ -93,7 +93,7 @@ The following rules apply: * If the signature is not 64'''Why permit two signature lengths?''' By making the most common type of hash_type implicit, a byte can often be saved. or 65 bytes, fail. * If the signature size is 65 bytes: ** If the final byte is not a valid hash_type (defined hereinafter), fail. -** If the final byte is 0x00, fail'''Why can the hash_type not be 0x00 in 65-byte signatures?''' Permitting that would enable malleating 64-byte signatures into 65-byte ones, resulting in a different `wtxid` and a different fee rate than the creator intended. +** If the final byte is 0x00, fail'''Why can the hash_type not be 0x00 in 65-byte signatures?''' Permitting that would enable malleating (by third parties, including miners) 64-byte signatures into 65-byte ones, resulting in a different `wtxid` and a different fee rate than the creator intended. ** If the first 64 bytes are not a valid signature according to bip-schnorr for the public key and message set to the transaction digest with hash_type set as the final byte, fail. * If the signature size is 64 bytes: ** If it is not a valid signature according to bip-schnorr for the public key and the hash_type = 0x00 transaction digest as message, fail.
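Review bot: In patch 1/2, the added line wraps wtxid in backticks, which is Markdown rather than MediaWiki markup, so in bip-taproot.mediawiki the backticks will render literally. Use <code>wtxid</code>, or leave it as plain text the way hash_type is written in the same footnote. Since the malleation described only ever goes from 64 to 65 bytes, the footnote could also say "a lower fee rate" instead of "a different fee rate", because the transaction grows by one byte while the fee stays the same.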
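Review bot: In patch 2/2, the parenthetical "(by third parties, including miners)" on the added line sits between the verb "malleating" and its object "64-byte signatures", which makes the sentence hard to parse. Moving the actor in front of the verb reads more cleanly, for example "Permitting that would enable third parties, including miners, to malleate 64-byte signatures into 65-byte ones, resulting in ...". The rest of the sentence can stay as it is.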