Placeholder Image

字幕表 動画を再生する

  • The following content is provided under a Creative

  • Commons license.

  • Your support will help MIT OpenCourseWare

  • continue to offer high quality educational resources for free.

  • To make a donation or to view additional materials

  • from hundreds of MIT courses, visit MIT OpenCourseWare

  • at ocw.mit.edu.

  • PROFESSOR: Sorry.

  • I have a bit of a sore throat, hoarse voice.

  • I was talking a lot this weekend.

  • OK.

  • Also, today we're going to do transaction malleability,

  • segregated witness, and I'm endorsing

  • an ICO for the first time ever publicly,

  • and it's Anne's intermittent cookie offering.

  • So if you guys want cookies.

  • It's an airdrop and you just get them.

  • so it's my first ICO I'm endorsing.

  • OK.

  • So malleability.

  • So malleability is the ability to deform

  • under pressure formateer.

  • And so bitcoin is modeled off of gold, which

  • is the most malleable metal.

  • You can make gold leaf and stuff.

  • So clearly we need to design bitcoin to be malleable.

  • No, I'm joking.

  • OK.

  • Actually in the context of cryptography,

  • it's not super hard definition, but it

  • started with Cipher text, where if you can modify a Cipher

  • text and that modification will carry over into the plain text

  • when it's encrypted.

  • It also applies to sort of messages and signatures.

  • In our case, signatures can be malleable,

  • which means you can change the signature

  • and it's still a valid signature.

  • So given a signature S1 on message M1,

  • you modify the signature to S2 or S prime

  • and it still signs the same message.

  • It still validates as true.

  • So when we were defining signatures

  • this wasn't really an attack we'd considered.

  • There's still a signature and you can't forge a signature,

  • but you can dot an I or something

  • and the signature is slightly different.

  • You can't create one yourself, but given a valid signature

  • you can make a slightly different valid signature.

  • And that's how it works in the bitcoin signing algorithm.

  • But there's all sorts of different contexts

  • where malleability exists in cryptography.

  • And then part of it is things still

  • have to work for whatever definition.

  • So if you malleates a signature and it no longer validates,

  • well, that's sort of a trivial, like--

  • yeah, sure, you can do that to any bunch of bytes.

  • You can just flip some of them and the whole thing

  • doesn't work anymore.

  • That's easy.

  • But properties where it still works.

  • So this leads to some weird stuff in bitcoin

  • where you can change a transaction

  • and it's still valid.

  • And that's generally not what you want.

  • If you've got some kind of contract

  • or some kind of payment and you write a check,

  • you don't want someone to be able to modify the check

  • and still be able to cash it.

  • And I don't really use checks much, but they draw the line.

  • Like $100 and then they draw a line

  • so someone doesn't write and $0.99 or something after.

  • Not that that's like the greatest attack ever.

  • Or $100 and then someone puts like $1,000.

  • I don't know.

  • But it's sort of like that where someone

  • can change the thing you sign, can

  • change the thing you are agreeing to after the fact,

  • and it's still valid and it does something you don't expect.

  • OK.

  • So a review of the transaction format,

  • which should be probably in people's minds

  • if you were looking at the homework, the problem set.

  • And one thing to focus on is that the outputs

  • don't look like the inputs.

  • These are fundamentally different things.

  • The outputs specify a transaction ID and the inputs,

  • and then the outputs specify a script and an amount.

  • There's another 4 byte field here that doesn't matter.

  • So basically you're spending from a transaction and a sort

  • of row and you're spending too just this arbitrary pub key,

  • but you're not spending from a pub key

  • and you're not spending to a transaction.

  • You don't identify your transaction itself here.

  • Almost every website that shows blockchains is it

  • gets this wrong.

  • So if you look at like, I don't know,

  • blockchain.info is probably the most popular

  • and you just look at a transaction.

  • They don't have it anymore.

  • OK.

  • So you look at a block and then you look at a transaction

  • in the block.

  • We're going.

  • No.

  • No.

  • No, not yet.

  • There we go OK.

  • So you look at a transaction.

  • Yeah, it shows.

  • This address is sending to these two addresses.

  • And blockchain.info is particularly egregious

  • and that there may actually be more than one input and two

  • outputs in this transaction.

  • They hide change transactions.

  • So it looks like, hey, this address had some money in it

  • and it sent it to these two addresses.

  • And if I click, oh, where did this money come?

  • It come from 18eecz, and it shows

  • here's the bitcoin address, and, oh, it's

  • got multiple transactions this addresses has been involved in.

  • This is not how bitcoin works.

  • They are running their own database and sort

  • of making up this view of the network, which is incorrect.

  • Transactions don't send from an address,

  • they send from another transactions previous output.

  • And this is very confusing because in the case,

  • let's say in this transaction, there is a--

  • what is it?

  • 767 something.

  • So it says, yeah, it's coming from 18ee whatever,

  • and if I click on it I get three different transactions.

  • There is a specific transaction that 18ee

  • was involved in that is being spent from in this transaction.

  • I can look it up because I have an actual full node.

  • So if I say get raw transaction and I put it in here

  • and I can see, OK, it was spending from c838.

  • It was spending from this transaction, not just

  • an address.

  • So I mean if you're coming at this sort of new it's like, OK,

  • fine, why do you keep talking about this?

  • But if you've been working on these things, a lot of people,

  • myself included, for like six months a year

  • I looked at these websites and I'm like,

  • oh, this is how it works and then six months in or something

  • looking for code, and I'm like, wait, huh?

  • This code is wrong, but no, this is the bitcoin code

  • that actually is running.

  • And so it's a weird thing to sort of get used to.

  • Like no, you're not spending from an address.

  • You don't show the address at all when you spend from it,

  • you spend from a specific output.

  • OK.

  • So that leads to some weird issues.

  • Specifically, what gets signed?

  • So to some extent you're signing the whole transaction.

  • You sign.

  • You want to sign everything.

  • When you're saying I'm sending money from here,

  • I'm sending it to here, you want to make sure

  • that your signature covers the entire transaction so

  • that people can't add stuff after or remove stuff.

  • So you want to sign the inputs and outputs.

  • But the inputs contain signatures

  • and you can't sign the signature.

  • That doesn't make any sense.

  • The signature is the thing you're putting on at the end.

  • So it's sort of weird.

  • You've got this document and you have a little line

  • at the bottom for the signature.

  • But should the signatures be maybe a separate page that

  • refers to the previous page?

  • It's actually kind of a weird confusing problem.

  • So in practice, in bitcoin, what Satoshi did in 2009,

  • you take the whole transaction, but you

  • remove the signature fields.

  • You basically zero them out.

  • Just put a zero there and then you

  • sign that sort of signatureless transaction.

  • And then you put that signature in after the fact.

  • And so that means if you change any bit of the stuff that gets

  • signed other than the signature, the signature will break.

  • So does that make sense?

  • You have these empty lines kind of,

  • and the idea is you empty them out, you make them blank lines,

  • and then you take that whole message, hash it, including

  • the empty parts, and then paste in those signatures

  • after you've signed.

  • You don't empty out every line, the line that you're

  • specifically putting the signature in,

  • you actually put a different few bytes

  • in there, which leads to other problems

  • that I can maybe mention if I've done.

  • So this seems OK.

  • It's like well, look, I can't sign the signatures, sure,

  • but if you change any bit of the stuff I'm signing,

  • the signatures now break.

  • So this seems perfectly safe.

  • No one can change the amounts I'm sending.

  • No one can change where I'm sending it to.

  • No one can change where I'm sending from.

  • All these things get covered in my signature, so I'm good.

  • Problem.

  • The transaction ID, the way you refer to transactions

  • is the hash of the whole thing.

  • The txid does not zero out the signature fields.

  • So the identity of the transaction itself, the way

  • to point to and indicate where you're spending from,

  • that includes the signatures.

  • So that also seems like, well, that's OK.

  • When I point to something I'm indicating

  • the whole transaction, the whole signed transaction.

  • But the problem is that can change.

  • The signature itself may be malleable,

  • and in bitcoin it is.

  • There's third party malleability problems.

  • So the simplest one was leading zeros

  • where all these things are numbers.

  • You could say, OK, someone's got a signature.

  • It's this big, long string of bytes.

  • I'm just going to put zeros in the front.

  • I'm going to put a zero byte in the front of it,

  • and that doesn't change the meaning.

  • If someone says, I'm sending you $1,000

  • and I put a 0 front of the one and 1,000.

  • Well, it's still 1,000.

  • However, for the purpose of a hash function,

  • if you have a zero byte in front,

  • that changes the whole hash.

  • And so they got rid of this pretty early.

  • They sort of made it so that you had

  • to have the exact right number.

  • You can't have any leading zeros.

  • But the first one was just, oh, I put a 0 in the front.

  • The harder one is called low s, where part

  • of the ecdsa signature scheme.

  • I showed before that it's this curve that's

  • symmetric about the x-axis.

  • Whether the thing you're indicating

  • is on top of the curve or it's sort of reflection

  • on the bottom, it's valid either way.

  • So for any given signature, there's

  • another signature that will be valid.

  • You just sort of flip it, make it negative or positive.

  • So now there's a standard, OK, you need to have high s.

  • Low s signatures should be invalid.

  • Both of these are really tricky because they're

  • third party malleability.

  • Anyone can just listen on the network, see a transaction,

  • change the signature.

  • And in doing so they will change the txid,

  • which is how all the software refers to transactions.

  • So it looks like a new transaction

  • to most of the software.

  • And the transactions are still valid.

  • The signatures are still valid and you're not

  • sure which one will get in.

  • There's also first party malleability, or in some cases

  • second party if you're doing transactions

  • with multiple people signing.

  • So I'm not going to go back into the elliptic curve signature

  • algorithms, but there is a nonce.

  • There's randomness that you inject

  • into the signing process.

  • It's not deterministic.

  • It's not that given a message and my private key.

  • I always compute the same signature.

  • No, that's not how it works.

  • There are signature schemes like that,

  • but in the case of the elliptic curve stuff that bitcoin uses,

  • you have to make up a random number to make each signature,

  • and no one knows what that random number is.

  • So you could make up different random numbers.

  • You can make as many signatures as you want.

  • So given a message and your private key,

  • you can make arbitrary number of signatures

  • that are all different signatures,

  • but they're all valid signatures.

  • There is a sort of standard for how to make them

  • the right way not randomly.

  • It's basically take the hash of your private key

  • and the message being signed.

  • Put them together, hash that, and use that

  • as your random number because then the idea is well,

  • it's got secret information in it

  • as well as the message specific information in it.

  • So no one's going to be able to guess what it is so,

  • and it's still kind of message dependent

  • so it'll change each time.

  • So there is that, but that's something you can do.

  • It's a really good idea because if you

  • use a non-random k, if someone can guess k

  • or if your random number generator's broken,

  • they can steal all your money.

  • They can figure out your private key.

  • So you don't want to be dependent on generating

  • randomness.

  • A nice way to model it is, OK, have some initial event where

  • you're putting in random numbers and you're storing them

  • and then from then on you want everything to be deterministic,

  • then you don't have to rely on random number generators.

  • So it's really a good idea to use this.

  • And I use it in my software.

  • Most things use this kind of standard.

  • However, you can't verify that anyone's actually using it.

  • It's purely internal.

  • It's a internal way for you to make your own signatures,

  • but no one can actually--

  • can you prove?

  • No.

  • I'm not going to say you can't prove you're using it,

  • but not in any reasonable fashion.

  • Yeah.

  • So no one knows if you're doing it.

  • So this is an attack where you can say, OK,

  • I'm going to make a whole bunch of different signatures.

  • They're all going to be valid, but that

  • will mean I've got a whole bunch of different transactions

  • that are doing the same thing.

  • So maybe the question is, what does this really do?

  • Does this really hurt?

  • If someone dots an eye on your check, it's the same amount.

  • It's going to the same place.

  • Who cares.

  • Outputs are the same.

  • Inputs it's pointing to are the same.

  • It's just this sort of annoying thing.

  • OK, I tweaked it and I changed the txid.

  • No big deal.

  • Well, in some ways, yeah, it's no big deal,

  • but a lot of wallets didn't deal with this well.

  • So let's say you're running a wallet, you make a transaction

  • and you sign and you broadcast transaction 2d5cac

  • and it never gets confirmed, and instead someone out there flips

  • a bit, changes your transaction to 9cba3e

  • and that gets confirmed, and your wallet just

  • says, yeah, this transaction you sent never got confirmed.

  • There's wallets that did that.

  • Most of them have fixed it by now.

  • But if you're thinking of transaction IDs

  • as the identity txid, this is the name of the transaction.

  • I create it, I'm watching it to see when it gets confirmed,

  • and I'm not looking for some malleated version.

  • I'm just watching this thing that I created, never

  • gets in a block.

  • Weird, and it's just stuck in the wallet.

  • So there are definitely wallets, and I think

  • everyone's fixed it by now.

  • But a couple years ago, definitely wallets

  • that would have these problems.

  • It's a wallet problem.

  • Your money got to the right place.

  • You just need to sort of either delete stuff in your wallet

  • or upgrade the software or tell it to somehow forget

  • about this transaction and actually

  • look on the blockchain for everything

  • similar to your transaction.

  • But it did do some damage.

  • So, I don't know, 2014 the Mt.

  • Gox thing where Mt.

  • Gox got hacked supposedly and lost all the money,

  • they blamed transaction malleability,

  • which was kind of interesting.

  • There may have been an attack on Mt Gox that used transaction

  • malleability.

  • The attack probably was this, which was log into Mt.

  • Gox, withdraw some coins, modify the txid to this,

  • and then it gets confirmed, you get your coins,

  • and then log into Mt.

  • Gox and say, hey, this never happened.

  • My withdrawal didn't work and then

  • their system would automatically issue a new withdrawal

  • transaction.

  • And so you could just start taking all the money out

  • and your balance on the system's like,

  • well, we keep trying to send you money

  • and it keeps never getting confirmed.

  • And so we keep making new ones.

  • I don't know to what extent that that actually happened.

  • It couldn't have been the whole thing for Mt.

  • Gox definitely.

  • There's still a lot of uncertainty about that.

  • But it's indicative.

  • If you write your own software and it's not

  • accounting for these things, you may be losing money

  • once people say, hey, this didn't work, make a new one,

  • and then you keep doing that and losing a ton of money.

  • But that's pretty sloppy practice.

  • Another issue.

  • If you're spending from a unconfirmed change

  • output or an unconfirmed output--

  • so you make a transaction, you send the two different outputs,

  • you've got a txid.

  • And you're sending five coins to this person

  • and three coins back to yourself.

  • That three coins back to yourself output,

  • you might want to use it again pretty quickly.

  • Sometimes this happens.

  • And so you've got a change output that's

  • from transaction 1, 7feec1.

  • So you're going to now spend that change output, however

  • the txid of transaction one changes.

  • So you're saying where you're spending

  • from is no longer valid.

  • And this is a big problem because now you've

  • signed a transaction that you think is going to be valid,

  • but the money you thought you were spending sort of

  • moves out from under you.

  • And so that transaction's no longer valid.

  • tx2 is now invalid.

  • It refers to something which can never

  • be confirmed because there's a different transaction that's

  • almost the same, but they're mutually exclusive that

  • did get confirmed.

  • OK.

  • So this is bad.

  • It doesn't seem that bad.

  • And so for years in bitcoin this was a problem

  • that while it dealt with, software and people

  • would be like, oh yeah, you have to backup your keys,

  • delete your whole database, and rethink the blockchain

  • and then it'll find the right transactions.

  • Kind of hacky work arounds like that where

  • it didn't happen too much.

  • It wasn't a great attack.

  • You can annoy people.

  • You don't get any money.

  • So wasn't a huge deal, but it was annoying.

  • But the idea is you can always re-sign.

  • You've got your private keys.

  • If the money you are receiving sort of shifts around

  • and changes its location, well it's still yours.

  • You just need to re-sign.

  • But what if you can't re-sign?

  • So the case of multisig where in most cases when you're

  • doing transactions if you just have one key, it's just you,

  • that's fine.

  • In the case of multisig usually you're

  • all friends to some extent and you're

  • all in the same organization or multiple devices that you own.

  • But you can have sort of adversarial multisig

  • where you're assigning transactions

  • with people who are you're sort of cooperating with them,

  • but you may not really trust them,

  • or they might be potentially attackers, things like that.

  • You can definitely sort of extend your multisig model

  • into that.

  • And there could be multisig pre-signed transactions

  • where, OK, we've got this two of three output

  • address, this output that exists,

  • and one of the two or three has pre-signed a transaction

  • and hands it over to me and then they disappear.

  • And they say, oh OK, well I'm going to now sign my side.

  • But if malleability occurs and the transaction ID changes,

  • that signature is no longer valid, signing something

  • that's not there anymore.

  • So this is very important in payment channels lightning

  • network stuff that I'll get to in a few days.

  • And so it wasn't so much that malleability

  • was like a showstopper bug and everyone was losing tons

  • of money, it was that it was preventing

  • kind of new, cool things from happening

  • because there were a lot of problems with,

  • OK, let's make this construction where we put money

  • into a multisig account and then I sign like a refund

  • transaction that's got a lock time before I actually fund it

  • and things like that where you couldn't reliably do it

  • because if either party modified their signature,

  • they could break the whole thing and they could have a tax where

  • it's like, OK, we're doing something together.

  • Oh look, it's got stuck.

  • Well both of our coins got stuck in this place.

  • Hmm.

  • Now it's sort of a hostage situation and you can say,

  • well, I think I should get 1 and 1/2 and you should get 1.5.

  • It's like wait, we both wanted 1.

  • So there is a tax that could happen.

  • And so this malleability was a problem

  • for people trying to do new, cool things.

  • So how do you fix this?

  • Any ideas?

  • Non-malleable signatures?

  • So the one we did for the first homework.

  • Does anyone have an idea about why the lamport signatures were

  • non-malleable, like from problems at one?

  • Yes, it was right.

  • But yeah, they weren't.

  • There's no randomness for one.

  • I'm pretty sure if you flip any of the bits it's not

  • going to work.

  • So lamport signatures are an example where, yeah, it's

  • non-malleable.

  • You can't produce multiple different signatures

  • on the same message.

  • So that's good.

  • The thing is many useful signature schemes

  • are malleable.

  • So to just say no, you have to use a non-malleable signature

  • scheme, it's not a great answer to the question.

  • I'm pretty sure there's some weird malleability

  • stuff in RSA.

  • A lot of the systems have randomness in there

  • and they're malleable.

  • So an idea that I had like 2014 and I

  • was sort of going for was just don't sign your inputs at all,

  • only sign your outputs.

  • So you don't actually specify where you're sending money

  • from in your signature.

  • You do have to still specify in your transaction

  • because people need to know, but you

  • say I'm only going to sign off on the outputs.

  • The endorsement of my inputs is implicit

  • because the keys match.

  • So I don't actually sign off on which

  • key I'm sending from to something that's redundant.

  • You know I'm sending from these inputs

  • because the keys match up and the signature's

  • valid for this key.

  • I really like this idea still.

  • I think it's really fun.

  • You can do a lot of cool stuff with it.

  • It's also dangerous.

  • It allows signatures to be replayed,

  • which is sort of one of the big points of having

  • utxo's because if you send two outputs--

  • I have address one.

  • I send two outputs.

  • So I've got output one, output two, and this one

  • has five coins, this one has three coins,

  • and they're both the same address,

  • both the same public key, and then I want to spend them.

  • And if I use this sort of signature scheme

  • where I don't actually sign which input I'm spending from,

  • it can be used on either.

  • So maybe I'm not aware of this 5-1 yet,

  • or it just hasn't happened yet, or I haven't seen it,

  • and I say, yeah, I'm going to make a signature sending

  • three coins over here and then someone

  • can malleate the transaction without touching the signature,

  • and pointing over here, and the signature

  • wouldn't apply to either.

  • And then this is a really good deal for the miners

  • because now I'm spending five coins and only outputting three

  • and the miners get the two coins difference.

  • And so that's pretty dangerous.

  • And also, even if they're the same I just say, hey,

  • I'm sending three coins to you and then as

  • soon as the receiver sees this output,

  • oh, it'll also work here.

  • I'm going to take another three coins.

  • So this is mitigated by not reusing addresses,

  • but people reuse addresses.

  • So it is dangerous.

  • I think in the context of multisig you can reliably

  • say like, OK, we're not reusing addresses

  • because these addresses are the combination of multiple people

  • working together.

  • But it would allow really cool things

  • where you could sort of work backwards, compute a public key

  • that you could prove no one knew the private key to,

  • but you could still sign with it.

  • Like really weird crazy stuff.

  • Anyway, people were still talking about it

  • a week or two ago.

  • Like, oh, we could do these cool things with it.

  • But it's dangerous and so it's like we're not sure

  • if it's worth it.

  • OK.

  • Any questions about this transaction malleability

  • so far?

  • OK.

  • So any ideas of what you actually

  • do to fix malleability?

  • Nobody?

  • OK.

  • we'll find out in one minute.

  • Segregated Witness.

  • I don't think it's a good name.

  • Separate signatures would be a much easier to understand name.

  • So Peter Wuille who is really good at bitcoin

  • and makes all these cool things, he's

  • not the best at naming things.

  • Makes lots of cool stuff, but just makes

  • whatever weird technical name.

  • So it's a pretty straightforward idea.

  • The idea is when you're signing a transaction you hash

  • a bunch of data design, but you don't include the signatures

  • in the data you're hashing to sign them

  • because that wouldn't make any sense.

  • You can't.

  • Do the same thing when you're referring to transactions

  • themselves as txids.

  • So in the exact same way that when you're signing,

  • you hash the data without the signatures.

  • When you're pointing to a transaction

  • to say I'm spending from there, also

  • don't include the signature data.

  • Just take the hash of the data without the signatures.

  • Yeah.

  • You just sort of have this pointer.

  • You've got a pointer of previous input

  • and you've got the outputs, but the signatures aren't in there.

  • So the idea is the signature can change and the transaction ID

  • doesn't.

  • But what about backwards compatibility?

  • So this is a great idea.

  • Why not go for it?

  • But how do you make it backwards compatible so that old software

  • can still work with it?

  • This seems like a soft fork is I'm

  • adding new rules to the system I'm putting

  • further restrictions on.

  • This seems like just a change.

  • It seems like, look, I'm now defining

  • something in a different way.

  • I'm removing the signatures from the txid.

  • How do we make this not appear to be a hard fork?

  • Hard fork's easy.

  • You just say, look, we're changing the entire system.

  • From now on txids don't have signatures.

  • So any ideas how you do this in a backwards compatible way

  • or just give up hard fork?

  • AUDIENCE: Adding restrictions that screw with [INAUDIBLE]..

  • PROFESSOR: So you can't change old transactions,

  • but having both at the same time is tricky.

  • So the idea is it would have been easier

  • to start off this way.

  • If Satoshi had just started this way, it would have went great.

  • He didn't think of it.

  • It wasn't a super obvious thing that--

  • so you can do it as a soft fork.

  • The way you do it is you make new outputs

  • which don't require any signatures at all

  • and then you just don't have any signatures.

  • This seems kind of silly.

  • Signatures are pretty important, otherwise any arbitrary person

  • could just take all the money.

  • But you redefine things in a way that new people know about

  • and old people don't.

  • So this is actually what a segwit output looks like.

  • The output script is just a zero and then a pubkey hash,

  • and then the sig script, the field for a signature

  • is just nothing.

  • You just don't put a signature there.

  • And then when you're running the stack

  • you end up with a pubkey hash on the top of the stack, which

  • is some number and the interpreter

  • looks at a number that's non-zero as true.

  • Like in C or things like that.

  • And the bitcoins move.

  • It's great.

  • Someone was joking that you could potentially make this

  • into a hard fork, because what if the pubkey hash was zero,

  • and you found a pubkey that hashed to zero and then you

  • signed signed with it and then segwit would accept it but old

  • nodes wouldn't.

  • Actually, that doesn't work, but it's sort of--

  • Anyway, if you're running the regular bitcoin software,

  • you see this and no signature, and you're like yeah,

  • this doesn't need a signature.

  • It's just a hash.

  • I don't know what this is.

  • Fine, the coins move.

  • It evaluates to true.

  • But the new version of the software

  • sort of adds a restriction to this kind of output.

  • It says, look.

  • If you see this, this is a template.

  • This doesn't actually mean put a zero on the stack

  • and put a pubkey hash on the stack.

  • It means something else.

  • Now, it means this is a pubkey hash and look for a signature.

  • But look for a signature in a different place.

  • Don't actually put it in the place

  • you're supposed to put signatures,

  • put it in a new place.

  • And don't tell the old software about this place.

  • We add a new field to the transaction inputs.

  • It's sort of in the inputs, but they put it at the end.

  • It's kind of weird.

  • Logically, it's in the input.

  • It's the same, but physically it's not, which is silly.

  • I don't like that aspect of it.

  • But the idea is there's this new field in the inputs called

  • the witness field, and in cryptography,

  • witness sort of means signature in this case anyway.

  • It's a little bit more general.

  • But the old software never sees it.

  • So the idea for here's the old transaction format.

  • You've got your tx id and index, 36 bytes sort of pointer

  • to what you're spending, and then

  • a signature which is 100 bytes, and then this stays the same.

  • And the new tx format.

  • The idea is, yeah, the signatures field

  • is still there.

  • You just leave it empty.

  • So you're not putting any signature.

  • It doesn't look like you need to put a signature

  • to the old software.

  • And then you have this third thing,

  • which is witness, which is the same as signature basically.

  • Slightly different format.

  • And technically, they put them all together

  • and put it at the end, which is kind of annoying.

  • But anyway, logically this is how they do it.

  • They make a new version of the transaction format.

  • So the old version looks like empty signatures.

  • The new version looks like here's

  • this useless empty signature field,

  • and here's where the real signatures are.

  • And you omit this to the old nodes.

  • So when people ask for witness transactions,

  • when people know about this new system,

  • yeah, you give it to them.

  • So they say hey, yeah, I'm hip to this new segwit thing.

  • Give me a segwit transaction.

  • And you're like, OK, here's the witnesses at the end.

  • But when they don't seem to know about this

  • and they're running older software

  • and they say, hey, just give me the transaction,

  • you give it to them without the witness at all.

  • It still looks valid to--

  • either one looks valid.

  • However, the new people, they know that if you see this,

  • it does not mean push a zero, push up pubkey has.

  • There is a new rule that no, this is a template.

  • This is segwit.

  • I need a signature, and I need it to be in the witness field.

  • So if a new node gets a transaction without a witness

  • that they know needs a witness, they will declare it invalid.

  • But the old nodes won't be able to distinguish.

  • They'll say, well, it looks like no signature is needed here.

  • OK.

  • So you're sort of tricking the old software

  • into accepting things that they shouldn't actually

  • accept in some cases.

  • There may not be a valid signature that

  • goes into the segwit transaction,

  • but old software will still think it's OK.

  • So this is how you make it into a softfork.

  • It's kind of ugly.

  • But, yeah.

  • Do you have a question?

  • AUDIENCE: Yeah.

  • Is this still implicitly?

  • So when the signature is zero, [INAUDIBLE]..

  • PROFESSOR: No, because it's based on the output script.

  • You could make you a different output script that

  • would have a signature that no signature requirement,

  • and it would still work even with this new system.

  • So it's just based on--

  • we changed the definition of an output script.

  • So have this sort of template.

  • You can still do weird--

  • like you could put without a zero in front.

  • You could put just a pubkey hash,

  • and that's not defined in segwit.

  • That's not defined anywhere.

  • It would just be, OK, yeah, it evaluates

  • to true without a signature.

  • Anyone can spend it.

  • And you could do that--

  • that would have to be a non-segwit transaction.

  • The only way to use a segwit transaction

  • is to have the special format for the output script.

  • Any other questions about network stuff?

  • Yeah, and this solves malleability

  • in a pretty good way.

  • For the old software, the old nodes,

  • well, they can't change the signature

  • because there isn't one.

  • There's nothing to malleate.

  • And from the new node's perspective,

  • yes, the signature can change, but that doesn't

  • affect the transaction ID.

  • Both old and new nodes still agree

  • on the exact same transaction ID.

  • The transaction ID does not include the witness field.

  • So when you're calculating a transaction,

  • you include all this for backwards.

  • And if there's this actual signature there,

  • that gets into that the txid.

  • But if you're using empty signature

  • and only using witness, then it doesn't get into the txid

  • at all.

  • So both old and new software agree,

  • and that's important, because if they didn't the merkle routes

  • would look wrong.

  • You take all the txids, put them into a merkle route,

  • put that in the header.

  • And that's really important that everyone agrees on that.

  • So they do work together, So that's cool.

  • So this is kind of interesting.

  • You've got two different old version,

  • new version operating at the same time on the network.

  • And they agree on a lot of stuff,

  • but they also sort of disagree on some things.

  • So they agree on outputs of the transactions,

  • and they agree on which inputs there are.

  • But they have a slightly different view

  • of what these inputs are.

  • Some of them think, no signatures here.

  • Some of them think, yeah, there's a signature here.

  • That's weird.

  • They don't agree on how things got spent.

  • What are some other things that these two different classes

  • of nodes would not agree on?

  • Any ideas?

  • So you understand how they see different transactions.

  • What are some other aspects that may

  • be sort of interesting for this consensus system

  • that we have different views on?

  • I forget what I put.

  • I put two things.

  • Any?

  • Hint.

  • Biggest argument since 2010 in bitcoin.

  • What do these two different classes of nodes not agree on?

  • Yeah.

  • AUDIENCE: Size?

  • PROFESSOR: Well, the transaction size.

  • Yeah.

  • So they both see two different transactions.

  • One of them sees it with these signatures, one of them

  • sees it without.

  • They don't agree on how big the transaction is.

  • They agree on the txid.

  • They agree on where the money is going, where it's coming from,

  • but they have completely different views

  • of how big this transaction is in terms of number of bytes.

  • So this is really interesting, For many, many years

  • since 2010, everyone's been arguing.

  • And one of the big aspects of, oh, if we

  • want to increase the block size, that's a hard fork.

  • Everyone up to now, we're enforcing.

  • The block size must be one million bytes or less.

  • There's no way around that, right?

  • You can't just increase it.

  • We've got this rule.

  • You're breaking that rule.

  • This is a sneaky way to break the rule but still not tell

  • people you're breaking the rule.

  • Say, OK, I'm enforcing a rule that there's one million bytes.

  • As far as I'm concerned, there are less than one million bytes

  • in this set of transactions.

  • The new nodes know, yeah, there's more than one million.

  • There's like two million bytes in here.

  • We just didn't tell the old software

  • about all these extra bytes.

  • So this is kind of an interesting thing you can do.

  • So you can increase the transaction size

  • without telling the old nodes.

  • So yeah, the old nodes don't see the hundred something bytes

  • with the pubkey signature.

  • So they see transactions that are much smaller.

  • Around half the size--

  • depends, but half the size ish.

  • So those bytes, they won't count those bites

  • towards the one million byte block size limit.

  • So this ends up being a soft fork that allows

  • you to increase the block size.

  • In a kind of sneaky way, right?

  • The old nodes don't think the block size is increased.

  • They think it's less than a megabyte, and they also think,

  • this is weird.

  • I haven't seen any signatures for a while.

  • | seems to be using these transactions that don't require

  • signatures, and somehow everyone's

  • getting along and not stealing each other's money

  • despite the lack of a need for signatures.

  • But these are not intelligent people.

  • These are software programs, and it'll just run.

  • And it'll, OK, yup, yup, yup.

  • This evaluates to true.

  • So it's kind of cool.

  • Block size entry softfork.

  • However, you Institute a new rule with segwit.

  • You don't want to just say for the new rules,

  • we don't count signatures towards the one megabyte limit,

  • right?

  • You could do that, but then people might spam signatures.

  • Let me make a giant signature or some kind of like 50

  • out of a million pubkeys thing and spam the network,

  • and then it will still be under a megabyte of non witness data.

  • So yes, so now I've got two classes of data.

  • You've got all the data that everyone sees,

  • and all the witness data that only the new nodes see.

  • So what they did is they said, OK, the witness data still

  • counts towards that limit.

  • But each witness byte counts as a 1/4 of a regular byte.

  • OK, kind of weird, but yeah.

  • So in practice in the software, what they do is they say, OK.

  • We multiply the non witness bytes by four.

  • So every byte in the outputs and every byte in the txid input

  • things counts as like four bytes.

  • And then, the witnesses just count as one regular byte.

  • And then we now say, OK, the new block size

  • is four million bytes.

  • But four million weight units, because they're sort of, OK,

  • we've got different weights for things.

  • This actually makes sense, because the utxo set

  • is what you really want to minimize,

  • that database we keep updating every block.

  • And the signatures don't go into the utxo set.

  • So the signatures you don't actually

  • have to store on a fast, low latency storage.

  • So in a very real sense, the signatures

  • are sort of OK to make bigger.

  • They don't really cost as much to the network to store.

  • So having this discount where you say,

  • OK, the signatures, you can have a bunch of them that

  • doesn't really count as much.

  • But the outputs we really need to minimize.

  • So this one fourth is somewhat arbitrary,

  • but there are some calculations and a little handwaving.

  • But it's like yeah, this is about what it should

  • be to try to balance things.

  • So the end result. If you have this discount,

  • you can put about 80% more transactions in a block.

  • You get about 1.8 megs.

  • It depends, right?

  • It depends how big your signatures are.

  • So the maximum would be you have a block that

  • has one transaction with just a giant signature that's

  • like almost four megabytes.

  • And the old software would see this block

  • as being really tiny, like 100 something bytes.

  • And the new software would see, oh yeah,

  • this block is almost four megabytes.

  • But that's sort of the extreme case.

  • I remember generating some like 3.7 meg transaction blocks

  • and testing that awhile ago just to test it out.

  • It works, but in practice you're seeing about this.

  • In practice today, as segwit has been seeing more adoption,

  • you see like 1.3 megabyte blocks.

  • Not everyone's using it.

  • The idea is it's backwards compatible,

  • but you can still use your old software.

  • But it seems like more and more software is using this.

  • You get a discount on your fees because your transaction

  • seems to be smaller.

  • You can fit more of them in a block.

  • So that's kind of cool, and that's

  • sort of an incentive to use it.

  • OK, other thing you can do.

  • You can commit to signatures.

  • This is a little tricky.

  • If the signatures aren't in the transaction ID,

  • then they aren't in the merkle route, right?

  • So there's nothing really committing the signatures

  • into the block chain.

  • And this would actually work.

  • You could say, no, I have a signature.

  • I'll give it to you, but it could change.

  • It could be maleated, so it could be weird, though.

  • You could agree on a utxo set, but you could disagree

  • on how exactly you got there.

  • So one example would be multisig,

  • where there's two of three multisig, Alice, Bob and Carol.

  • Two of them need to sign.

  • And then on my computer, it says that Alice and Bob signed,

  • and on your computer, it says that Alison and Carol signed.

  • That's weird, right?

  • For accountability.

  • If we want to know who exactly endorsed these things,

  • we might disagree on it.

  • There would be no canonical here's the blockchain,

  • here's who signed.

  • The transactions themselves would all still

  • be the same but not the signatures.

  • So that's kind of weird, but it also seems like well,

  • maybe that's part of the price you pay for fixing malleability

  • in this way.

  • If we're not putting the signatures into the thing that

  • gets committed to in the block chain, then yeah,

  • signatures can change.

  • So anyway around this?

  • It sort of seems like yeah, that's the trade off.

  • Sneaky way around it?

  • Sneaky fun?

  • No?

  • You know.

  • OK, so what you do actually, you commit the signatures

  • but in a weird way.

  • OK, so here's the regular old merkle tree, right?

  • This is the merkle route that you put in the header.

  • Here's all the transaction IDs, and so you

  • make these intermediate hashes.

  • This is the hash of these two things concatenated together,

  • this is the hash of these two things concatenated together.

  • Now, if the txids don't have signatures,

  • there's no commitment to the signatures in the top hash.

  • What you do is this.

  • You say, OK.

  • I'm going to make these new witness

  • txids, hashes of transactions that do include the signatures.

  • In practice, you could just make a hash of just the signatures.

  • That would also work.

  • They just take the whole thing.

  • And now I've got this other reflected

  • merkle tree kind of thing, where OK, I

  • take the hash of these two witness transaction IDs,

  • put it here, and this one just drops down.

  • It's another merkle tree, and then you

  • get a root for all those things called the witness root.

  • And then what you do is you put the witness root

  • in the coinbase transaction.

  • Put in an opp return.

  • And the idea is the coinbase transaction

  • doesn't have any signatures anyway, right?

  • So you can put it in there.

  • You don't need to include the transaction

  • zero in this witness tree.

  • Wait, they do though, right?

  • But maybe this is slightly inaccurate in that I think

  • they actually do make a witness txid

  • for the coinbase transaction, but they define it

  • as being zero or something.

  • I think-- I don't remember.

  • So it's weird, right?

  • But you could do that.

  • They define a zero, or they let you pick anything you want.

  • I would have to look at the code.

  • But anyway, the basic idea is for these anyway,

  • you take the hash of the whole thing including the signatures,

  • put it in the witness root, put the witness root

  • in the coinbase transaction, and the coinbase this transaction

  • gets in to the merkle root.

  • So you are committing to all the signatures

  • but on the block level, not the transaction level.

  • So in the case where I think Alice and Bob signed.

  • Oh, I think Alice and Carol signed.

  • You can have those two transactions floating around

  • on the network, and they have the same txid.

  • And so who knows which one's getting into a block?

  • They look almost the same.

  • Some of the software won't be able to pick between them.

  • However, once it gets into a block, one of them

  • will be committed to.

  • It's like, oh, ended up being Alice and Carol.

  • Those two signatures actually got into the blockchain.

  • However, you could prove, hey, no I

  • had this Alice Bob signature, but then it

  • never got into the blockchain, and maybe

  • you made it after the fact.

  • It never gets committed to.

  • Yeah.

  • AUDIENCE: Also, a bunch of pool software

  • just doesn't always do this.

  • PROFESSOR: A bunch of pool software doesn't do this?

  • What you mean?

  • AUDIENCE: It's the responsibility

  • of the pool software to make this construction,

  • but [INAUDIBLE]

  • PROFESSOR: Have it implemented as in they just

  • don't support segwit?

  • AUDIENCE: No, so they do the first part,

  • but [INAUDIBLE] segwit support.

  • PROFESSOR: OK, but wouldn't that just not work?

  • How--

  • AUDIENCE: It works, because--

  • [INAUDIBLE]

  • PROFESSOR: But to the new software, if you don't have--

  • so segwit is the software, right?

  • You say, OK, we define these new transaction types.

  • We define this template where if you have a zero and then

  • this pubkey hash.

  • It also says, I require the coinbase transaction

  • to have this output that says, op return aa9c

  • whatever this little four random bytes,

  • and then I'd require it to have the witness root in here.

  • AUDIENCE: I'm guessing they just don't

  • include segwit transactions?

  • PROFESSOR: So I've seen that a lot.

  • Yeah, so a lot of--

  • AUDIENCE: [INAUDIBLE]

  • PROFESSOR: Yeah, a lot of the software

  • says, I'm not going to do this.

  • So the other thing that's nice--

  • segwit transactions to old software look non-standard.

  • So I mentioned before that there's standardness rules

  • where, this looks weird.

  • I'm not going to mine it.

  • I'm not going to relay it to my peers, but if I it in a block,

  • well, OK, fine.

  • So segwit transactions look very non-standard.

  • It looks like there's no signature.

  • That's weird.

  • There's this zero.

  • What's going on?

  • So yeah, you can you can still run a miner

  • and just not even know about segwit.

  • It's a little dangerous, because you

  • might see a block that is segwit invalid,

  • but you wouldn't know it and so you

  • might try to mine on top of it.

  • So there are some risks, but in general

  • if most people are doing the right thing,

  • you could still mine without knowing about this stuff.

  • So any questions about committing to the signatures?

  • What else?

  • Oh yeah, so you've got this upgrade path.

  • That's kind of cool.

  • So it defined zero pubkey hash as hey,

  • this is now pay to pubkey hash, right?

  • Interpret this weird template as the regular hey,

  • verify this signature.

  • It also, when segwit softfork happened,

  • redefined a whole bunch of other templates like this.

  • So one and then some data, or two and then some data.

  • Just put a number, and then put a bunch of data.

  • All of these are defined as future upgrades.

  • So if you see a three block of data, you now say, yeah, OK.

  • I know that's segwit version three.

  • My software will maybe pop up something saying hey,

  • people are using segwit version three.

  • You're only aware of segwit version zero.

  • But you'll consider it non-standard.

  • You won't relay it.

  • But if it's in a block, yeah, sure.

  • And you don't require anything about the signature.

  • You'll just say, yeah, whatever weird witness data

  • you provide for these outputs, I don't

  • know how to interpret them.

  • I'm just going to let it all go through.

  • What that means is--

  • there's no witness needed.

  • If a witness is provided, you just

  • ignore it and you think everything's fine.

  • This allows easier upgrades.

  • You have 16 new versions to upgrade to.

  • Yeah, you don't require any specific things about this,

  • so you can make new scripts, you can make a completely different

  • script interpreter.

  • You could say, OK, we're going to port EVM

  • to bitcoin and disable some of the op codes

  • that don't apply, and have that kind of thing.

  • Have new smart contracts.

  • So it's kind of a fun, like yeah, we will--

  • and it's a nice, easy upgrade path.

  • You could have multiple different things,

  • things like that.

  • The code will be easier.

  • Don't do it today.

  • You could construct an output that's

  • a two byte and then your pubkey and send it out there.

  • It will be probably stealing by miners, because everyone else's

  • node will say, yeah, I don't know how to interpret this yet.

  • There's no rules about this yet.

  • OK, let me show you some segwit stuff I looked for.

  • OK, so there's actually nested segwit.

  • There's an an ugly--

  • I didn't like it, but--

  • this is like somewhat designed by committee E. There's also--

  • this is 2016, right?

  • AUDIENCE: People lose so much money on segwit two years ago.

  • PROFESSOR: So the other thing I would say with this,

  • I was like, OK.

  • You've got this witness txid.

  • And I remember people working on segwit

  • and I said, hey, why don't you make the transaction IDs

  • a merkle tree of the inputs and outputs instead

  • of just the hash of everything all together?

  • Then, if you had a really big transaction,

  • you could prove that an input had been spent without sending

  • the whole transaction over.

  • And I thought that was a cool idea.

  • And then when I talked to people, they're like yeah,

  • Peter Todd already said that like three weeks ago.

  • And whatever, we're not going to do it.

  • It's too late.

  • We already coded stuff.

  • Oh well.

  • And that's the fundamental aspect of segwit.

  • You can't really upgrade that in the new script versions,

  • so whatever.

  • There's also still a hard rule on transactions themselves

  • being less than a megabyte, I think.

  • So it's not a huge deal, but it would have been cool.

  • Another thing is there's actually a way--

  • so there's no address defined for this, right?

  • Address is mapped to output scripts in all the software.

  • And so when you say, OK, I'm sending

  • into 1aeecc or whatever, it knows

  • how to interpret that address, build the 20 byte pubkey hash

  • script, and send to it.

  • And vise versa, right?

  • So from the address, you can get this output script,

  • and from the output script you can get an address.

  • So when an old software sees this,

  • it's just like, there's no address.

  • I don't even know what that is.

  • I've never seen that.

  • And so people worried that oh, it's going to be weird.

  • People are going to have to upgrade to even send to people

  • using segwit.

  • So it's backwards compatible, but if you want to say, hey,

  • send me some money at the segwit address and then they can't.

  • And so you say, OK, fine.

  • Send me the money with a regular address,

  • and then we still have this malleability problem.

  • And then I have a wallet that supports both,

  • and I can move money to my own addresses,

  • and it's kind of ugly.

  • So they made this nested address thing, which I don't like,

  • because then it actually has both.

  • So you've got a signature and a witness.

  • And the signature is not a real signature.

  • It's just pointing to the witness.

  • It's really ugly.

  • There's a bunch of weird stuff in the segwit code

  • that I'm not super into.

  • I don't have to use it though, right?

  • That's the beauty of these permission-less innovation

  • kind of systems.

  • Like ew, I don't like that code.

  • OK, I'm not supporting it.

  • OK, so here's one that's nested.

  • So I was just randomly looking through a block.

  • Here's one, and you can see it's like, OK.

  • The outputs are probably also nested segwit,

  • and the input has got both a script sig and a tx witness,

  • right?

  • A tx input witness.

  • A pure one is this one f7.

  • OK, so you can see--

  • oh wait, am I not running-- what version am I running?

  • I think I'm running to 15-1 still.

  • So I'm not seeing the address.

  • There's a new address format called beck 32, bech 32,

  • which will turn--

  • so it's zero and then a script hash.

  • Zero and then a pubkey hash.

  • It says, witness, version zero, key hash.

  • There's also an address associated with these.

  • I think this version of bitcoin CLI does not show it,

  • but the new version does.

  • So I think if you guys have version 0.16.0, it will show,

  • here's the address.

  • And then you can see in the single input

  • for this transaction, there is a tx in witness.

  • And there's no scripts.

  • There's a script sig field, and it's just empty.

  • There's no actual signature traditionally.

  • There's instead this big thing.

  • Here's the signature, and here's the pubkey being revealed.

  • And then it also says, OK, here's the txid

  • without the signature, and then here's the hash or witness

  • transaction ID.

  • The hash of the whole thing including the signature,

  • and they're different, right?

  • Also you've got size so this is actually 235 bytes, right?

  • Because you're including the witnesses.

  • And then, v size, which is virtual size.

  • This is how big it looks to old software that

  • doesn't know about segwit.

  • So the new software, this knows about both.

  • The actual size or witness size is 235, v size is 153.

  • So yeah, it's not quite 50%, because this one has

  • two outputs, and the outputs don't get any smaller,

  • and the input just gets smaller.

  • And then, size, v size, and then you

  • can see what block it's in when we

  • get the coinbase transaction.

  • OK, so the first transaction in the list

  • is going to be the coinbase transaction.

  • And I can get that one.

  • And yeah, the coinbase transaction

  • has a different txid and hash.

  • Its size is 259, its v size 232.

  • Coinbase has whatever random data they want,

  • and there's the actual output, which

  • is sending to this address, and it's sending 12.79 coins.

  • And then, there's this zero value output.

  • So you can have an output that's got

  • an amount of coins set to zero.

  • It's still OK, and it's got this op return.

  • And the op return starts with aa21a9ed,

  • and those four bytes mean here's the segwit commitment.

  • Here's the witness commitment to the segwit transaction

  • hashes, the root of all those.

  • And you have to have that in order

  • to have a valid segwit block.

  • And so then we can--

  • this is segwit in action.

  • I think most blocks now will have that.

  • So there is size and v size, right?

  • And that makes sense.

  • But then you have strip--

  • no, v size is not size.

  • It's really confusing.

  • And size, weight, height, like what?

  • So size is--

  • I don't actually know.

  • I think size is interpreted the same.

  • This is the actual number of bytes for this block.

  • Weight is you multiply all non witness bytes by four,

  • and you leave all witness bytes as weight one,

  • and that has to be less than four million.

  • And you can see here, it's just under four million.

  • And then stripped size is the size that old nodes see.

  • Yeah.

  • Pretty sure.

  • Anyway, so it's kind of confusing.

  • One of the biggest problems in bitcoin

  • is names, where it's like, wait.

  • Script pubkey, and script sig script?

  • Like, what?

  • All these terms and names are really confusing,

  • and it's sort of getting worse.

  • So yeah.

  • Also, there's no v size here.

  • I think this is actually v size.

  • Anyway, so that's how segwit works in the actual thing.

  • But it's nice, because now you can reliably spend from things

  • before they're confirmed.

  • So segwit is cool.

  • Fixes malleability.

  • Increases the block size.

  • Oh, it does a whole bunch of other stuff, too.

  • OK, so one of the aspects that it fixes.

  • When you're signing a transaction,

  • let's say you have five inputs.

  • Each time you sign, you need to hash the whole transaction,

  • because it's slightly different, right?

  • You zero out all the signature fields,

  • but in the signature field for the one

  • you're actually signing, you don't zero it out.

  • You put the previous script there.

  • So it's slightly different.

  • It's totally redundant.

  • There's no reason to put it there

  • because it's already in the txid,

  • but you change things around a little bit.

  • So the idea is, I'm going to put a signature here,

  • I'm going to put a signature here,

  • put a signature-- all five of them.

  • Each time I put a signature here,

  • I hash the transaction to get a slightly different thing

  • to sign for each one.

  • It might not jump out at you, but this is actually

  • o and squared, which is bad.

  • Because the idea is, as I extend the number of signatures

  • required in a transaction, the number of inputs

  • in a transaction, the amount of data that needs to be processed

  • goes up with the square of the number of inputs.

  • Because I had an input.

  • Now, the total size of the transaction gets bigger,

  • so each time I sign, I need to take a bigger amount of data

  • through my hash function.

  • Also, the number of signatures gets bigger.

  • Or the number of inputs.

  • So this is in squared.

  • It seems fine, right?

  • You never notice, except when you do.

  • So there's pathological block.

  • There was one like 2015 early in the year where some miner was

  • like, I'm going to make this block that's

  • one giant transaction with thousands

  • and thousands of inputs.

  • And a lot of software choked on it, and it took gigs of RAM

  • to process the transaction, and things like that.

  • So that was bad.

  • Just in general, if you have a lot of little dust outputs,

  • if you're trying to aggregate them into one big--

  • I'm going to have 100 inputs and one output,

  • it takes forever to sign.

  • And it also takes forever to verify.

  • So it's pretty bad.

  • I remember sort of a silly story.

  • Tim Draper's coins.

  • He had all this dust.

  • And it was nerve wracking, because it was way more money

  • than I'm going to make in my life.

  • And moving Tim Draper's coins to somewhere else.

  • And the software by default just swept all the inputs

  • with that wallet controlled.

  • And they were looking at me like, why doesn't this work?

  • Is it frozen?

  • I'm like, no, I'm not trying to steal the money, guys.

  • Because everyone was sending all these little outputs to Tim

  • Draper's 30,000 coins or whatever, because he's--

  • and then when he tried to spend it,

  • it took five minutes to sign.

  • AUDIENCE: When people use P2 pool,

  • the software really struggles with this.

  • PROFESSOR: Yeah, so it's bad.

  • Any o event squared, this is sort of a bug.

  • Segwit actually fixed this.

  • The way they do it is they say, OK,

  • we sort of pre compute these three intermediate hashes.

  • Take the whole transaction.

  • This is sort of the global transaction data,

  • and pre compute these three things.

  • And then for each of the inputs, add another thing.

  • Here's this input specific.

  • So this is global.

  • It's the hash of all the tx ends, the hash of all

  • the outputs, the hash of this.

  • And then here is that the input specific.

  • Input specific.

  • And then hash all these things into one thing

  • and then sign that.

  • So the idea is it's o of n in that you compute these three

  • and then you sort of go down and keep

  • changing this for each one.

  • So that saves a lot of time.

  • It's a much nicer--

  • oh, you also put in the amount being spent in your signature

  • hash, which is also redundant, because that's

  • committed to in the txid that you're sending.

  • But it's really nice for hardware wallets,

  • because a lot of times hardware wallets are essentially

  • presented with here's a hash.

  • Sign it.

  • And it's a very small system.

  • It's a little chip somewhere, and it doesn't really

  • know too much about bitcoin.

  • It's just, here's a hash.

  • Sign it.

  • OK, and they don't know how much they're spending,

  • so there could be attacks on hardware wallets,

  • where they get a hardware wallet to sign something where it's

  • actually moving too much money.

  • So it's nice to be able to have the actual amount.

  • So there's a bunch of stuff like that.

  • It was a giant grab bag of all these different little fixes,

  • things like that.

  • Fixes malleability.

  • It increases the block size.

  • Does all these other cool things.

  • People didn't like it.

  • I never really understood why.

  • AUDIENCE: For the reasons you've been telling everyone about?

  • PROFESSOR: All these reasons?

  • Wait, these seem like good things, right?

  • AUDIENCE: Well, yeah, but [INAUDIBLE]

  • PROFESSOR: Oh.

  • No, that wasn't what--

  • it wasn't like people were like, oh,

  • here's some little things I don't like about it.

  • Because that was what I said.

  • That was like what everyone working on Bitcoin was like.

  • No one thinks it's perfect.

  • Everyone was like, oh, but this thing is weird.

  • Why did you do that?

  • Or why didn't you put this in kind of things.

  • But no, the people who didn't like it really didn't like it.

  • There's still a bounty on [INAUDIBLE] head, right?

  • There's death threats.

  • Someone's like, I'll pay someone to kill this guy.

  • It's all, this is going to destroy Bitcoin,

  • that segwit isn't bitcoin anymore,

  • because there aren't any signatures.

  • It's like no, signatures are still committed to, just

  • in a different way.

  • You have to build this other tree.

  • So lots of weird conspiracies.

  • I don't know.

  • It became this really sticking point,

  • and so that sort of led to Bitcoin Cash.

  • The whole idea is segwit is bad.

  • We're making Bitcoin Cash.

  • And Bitcoin Cash forked off before segwit

  • activated in the main network.

  • Interestingly, Bitcoin Cash uses this.

  • So they took a bunch of the code from segwit,

  • because this is a really good improvement

  • to signing that Bitcoin Cash used,

  • but they didn't like segwit.

  • Yeah, I'm still not like--

  • I don't know.

  • There's problems I have with it, too, but it's an upgrade,

  • and it's cool.

  • I think a lot of it was people wanted a hard fork,

  • and this was a softfork.

  • And so there's backwards compatibility,

  • and they wanted to show that people

  • have more control over bitcoin than they maybe do.

  • It might never be possible to have a hard fork

  • to get everyone on board to really switch.

  • So who knows.

  • So yeah, it was interesting.

  • It took forever, and that was the last change

  • to the bitcoin code in terms of consensus code.

  • And it was initially announced late 2015

  • in Hong Kong, and then all of 2016

  • it never-- so it activated in August of last year.

  • And now you can use it.

  • AUDIENCE: People had big interest in stopping it,

  • though.

  • At one point they were spending hundreds of thousands

  • of dollars a day to stop it from activating.

  • PROFESSOR: Yeah, so on your vert coin, you're like,

  • I'll just take the segwit code and activate it, and like cool.

  • And then people tried to stop it and spend a lot of money

  • to stop it.

  • OK, I want to say unclear why, because I don't know.

  • It's sort of weird.

  • There's a whole lot of opinions.

  • One theory is that this breaks some mining

  • chips optimizations.

  • One of the optimizations--

  • it doesn't work with a tree of height two.

  • But if you have a really tall tree, you can swap txids,

  • or you can swap intermediate nodes of the tree

  • and you'll get a different merkle route.

  • So you can see--

  • so it doesn't work here, because this has to stay in place.

  • But in many cases, the order of the transactions is arbitrary.

  • So I could flip these two.

  • It's still valid.

  • So what I might do is say, OK.

  • I have this merkle route I'm mining,

  • and then I want to flip these two, calculate

  • a different merkle route, and mine.

  • And there were some chips that maybe did this and had

  • these kinds of optimizations.

  • There was also a patent on it and all this weird stuff

  • going on.

  • It doesn't break, but it essentially

  • loses the optimization if you have this.

  • Because you're saying, OK, I'm going to have this big tree.

  • I'm going to swap something near the top,

  • and it only has to recompute two hashes

  • to get a new merkle route.

  • However, if I now have this mirror image witness merkle

  • tree underneath, if I say, OK, I'm going to swap this,

  • I'm also swapping all these.

  • And I have to recompute this.

  • Maybe I can swap some of it, but I have to recompute what this.

  • This is going to change just as well.

  • And then I have to put that in here,

  • and this is going to be at the bottom.

  • And then, I'm going to have to recompute everything

  • all the way up to the merkle route.

  • So this was called AsicBoost, and then there was a post--

  • Greg Maxwell posted this sort of like,

  • you guys, like accusatory mail on the mailing list last spring

  • saying, look.

  • We were trying to figure out a way to break AsicBoost,

  • because we think miners have this patented algorithm that

  • optimizes and it gives a 20%, 30% speed up.

  • And we're worried that the patents will make one miner,

  • have a monopoly, and everyone else won't be competitive.

  • So we're trying to think, is there

  • a way we make software to prevent this

  • from this optimization?

  • And then once they tried to look at it,

  • they were like, oh, wait.

  • Segwit does that.

  • We want to make it costly to swap things in the tree,

  • and segwit does that.

  • Oh, so basically, we're good.

  • And then he was like, oh, wait.

  • Maybe that's why all these people hate segwit.

  • Maybe this is these miners who have billions of dollars

  • worth of equipment with these optimizations in it,

  • which would be rendered unusable by this new software change,

  • maybe they're trying to prevent it from activating.

  • It's a theory, and the mining companies said,

  • oh, no that's a bunch of nonsense.

  • Although, the way they said it was sort of suspicious.

  • They were like, yeah, we put circuitry in our chips

  • to do this, but we never used it.

  • That's strange.

  • So who knows.

  • But that's one theory.

  • I'm not sure how much I believe that's the real reason,

  • but yeah.

  • AUDIENCE: but if they want to calculate Merkle roots

  • in bitcoin, don't just--

  • order all of the transaction fees by transaction ID?

  • PROFESSOR: You can't, because the order matters.

  • Because when you validate, this transaction

  • might create an output that this transaction spends.

  • And so if you swap them, so if you didn't have intra block

  • dependencies, then it would all be arbitrary

  • and you could put in ordering.

  • But there are intra block dependencies,

  • and so the order does matter.

  • In many cases, it doesn't.

  • In many cases, these are two separate transactions.

  • You can swap them.

  • But the software does use the ordering.

  • And there's all sorts of other things that would be better.

  • What I would want is prepend or append the height

  • at each stage of the merkle tree.

  • That would have helped me out for some things.

  • Because then, it's like you know,

  • since you're at the bottom just put

  • a zero at the end of each hash.

  • And then when you get up here, put a one

  • at the end of each hash.

  • Doesn't really change anything.

  • But one problem is what if I request--

  • so what I want to do in my software.

  • I want to request all the transaction IDs in a block.

  • I don't actually care about the transactions.

  • I just want to see all the txids.

  • Like this.

  • If I get rid of the head 20, I get a giant list of txids.

  • The thing is, what this let me do is to look for transactions.

  • If I have a txid I know I'm looking, I can say,

  • oh, I can look for it in here.

  • The problem is, what if the person I'm asking

  • is giving me this instead of this?

  • I won't know.

  • They all look like random numbers.

  • If I do the merkle tree algo, I'll get to the merkle route.

  • That's good.

  • But I don't really know that I'm at the bottom.

  • It's OK if I'm running a full node

  • and I actually download all the transactions and look,

  • and OK, it works.

  • But to have a way to say, hey, give me a list of all the txids

  • and I can verify that it's correct,

  • I can't do that right now.

  • There's ways around it.

  • But it would have been nice if then they

  • appended a zero or something.

  • Or even, all you have to do is just

  • append something at the bottom row

  • or just append higher or something.

  • Then, it would've been kind of cool.

  • It would've been easier for me.

  • But oh well.

  • And there's people who've written about this.

  • Yeah.

  • AUDIENCE: Did James say that's pool operators are leaving off

  • the [? whipper? ?] And if so, does it

  • weaken the whole system?

  • PROFESSOR: I think what they really

  • do is they just don't support segwit.

  • So I've seen, especially--

  • AUDIENCE: [INAUDIBLE] it's expensive but then they--

  • PROFESSOR: Yeah, they say they're going to support it,

  • and then they don't.

  • So they sort of flag their transactions, yeah, segwit,

  • and then they haven't actually upgraded their software,

  • so they can't use it.

  • They can't mine it.

  • So you see this a lot on TestNet as well.

  • If you're making TestNet segwit transactions,

  • sometimes they just don't get confirmed

  • for a few hours, because all the blocks that come out

  • don't support it, and so they won't use it.

  • AUDIENCE: The badly written pool software,

  • if they use segwit supporting full load with it,

  • it will give them segwit transactions,

  • and they'll try to include it but it won't do this, so--

  • PROFESSOR: So it's invalid.

  • Yes, so it's invalid.

  • AUDIENCE: I guess my question is does it

  • weaken the security in the system if for six months

  • they're not supporting this?

  • PROFESSOR: No, no.

  • It hurts the usability.

  • If I want to use a segwit transact--

  • but as me running a segwit compatible node,

  • I require signatures.

  • I require all this whole construction.

  • If you make something that looks like it

  • spends the segwit transaction without this, I just reject it.

  • So security wise, it's fine.

  • Yes.

  • AUDIENCE: I think it might be important to note

  • that the way that these things are designed, and in particular

  • that softforks are designed, is that anyone who doesn't update

  • the new functionality can't hurt the security

  • of the new functionality.

  • That's sort of part of the design process.

  • PROFESSOR: Although, their security might get hurt.

  • Not a ton, but yeah.

  • If you haven't upgraded, you might

  • see these segwit transactions, and--

  • AUDIENCE: [INAUDIBLE]

  • PROFESSOR: Yeah, they look weird,

  • but you're like, OK, fine.

  • But you can't actually verify the whole thing.

  • Given an invalid and a valid segwit transaction,

  • the old software can't distinguish

  • but the new software can.

  • AUDIENCE: That's even though the pool operators, whether there's

  • six or eight key pool operators, might not

  • be supporting the witrootsub

  • PROFESSOR: If they don't support it,

  • you have to wait until someone that does

  • support it mines the block.

  • So if they try to support it and support it wrong,

  • you ignore them.

  • You don't use their data.

  • You don't use their block.

  • AUDIENCE: you just want segwit transactions stay

  • in the node pool a bit longer.

  • PROFESSOR: Yeah.

  • So I think in bitcoin now, it's OK.

  • TestNet is kind of weird, but there's segwit.party,

  • and you can see what people are doing with segwit.

  • So yeah, it's about 30.

  • This is by transaction, it's somewhere around 30 something

  • percent of the transactions are using segwit,

  • and then you can see witness size percentage, block size.

  • OK, so sometimes you got--

  • oh wow, I had no idea.

  • Blocks are way under a megabyte now.

  • Oh, OK, well free transactions for everyone.

  • If you want to use bitcoin, now's the time.

  • You don't have to pay anything.

  • That looks very different a month ago where

  • you had a solid red line.

  • You had to sort of--

  • nothing went below a million, and then you

  • had a little bit of segwit stuff going on here.

  • But now you've got most things are below a million.

  • So interesting.

  • OK, so yeah.

  • So that's the basic idea of segwit.

  • And if people have any questions,

  • stick around and ask.

  • There's office hours tomorrow at 4:00 to 6:00 over there.

  • Look at the homework, and next time

  • I'll talk about lightning network payment--

  • I'll try to get into payment channels

  • and see how far we get into lightning network stuff.

The following content is provided under a Creative

字幕と単語

ワンタップで英和辞典検索 単語をクリックすると、意味が表示されます

B1 中級

12.トランザクションの可鍛性と分離された目撃者 (12. Transaction Malleability and Segregated Witness)

  • 2 0
    林宜悉 に公開 2021 年 01 月 14 日
動画の中の単語