Malleability in the context of Miniscript
Malleability is the possibility for a third party to turn a valid satisfaction into another valid satisfaction. That is, to change the witness in the input of a transaction without making the transaction invalid.
There are various shortcomings to malleable witnesses. Witnesses add to the size of the transaction, so if a witness can be malleated such as to inflate the size of a transaction, it could hinder its confirmation by reducing its feerate. Note this may “just” be a simple nuisance for regular usage of onchain transactions, but it could have more serious consequences for contracts that rely on the timely confirmation of a transaction.
In addition, using malleable satisfactions can have negative external effects on the network, as a modified witness can affect BIP152 block propagation (which is based on the wtxid for Segwit transactions).
Malleability is discussed in more detail here.
Malleability static analysis in Miniscript
Malleability appears whenever two valid satisfactions for a fragment are available to a third party. Note that a fragment’s satisfaction may contain a dissatisfaction of a sub-fragment.
There are three ways in which malleability may be introduced:
- Two valid solutions are directly available to the third party. Say, for instance, the third party knows the preimage to SHA256 hashes H1 and H2 and a script like and_v(v:or_i(sha256(H1),sha256(H2)),pk(A)) is used.
- A single valid solution is directly available to the third party, but a participant in the Script uses another one. Say, for instance, the third party knows the preimage to SHA256 hash H1 but not to SHA256 hash H2 and a script like and_v(v:or_i(sha256(H1),sha256(H2)),pk(A)) is used. If the participant satisfies this script by providing the preimage for H2, the third party can replace the satisfaction by one providing the preimage for H1.
- The participant provides a witness containing a satisfaction for a certain sub-fragment that can be turned into a dissatisfaction. Say, for instance, the third party knows nothing, but or_b(pk(A),a:pk(B)) is used and a participant spends by providing both a signature for keys A and B. A third party can turn the signature for either A or B to the empty vector without invalidating the witness.
In order to make sure malleability may not be inadvertently introduced when spending from a Miniscript, new properties are introduced in the type system based on a set of general assumptions about what material may be available to a third party.
It is assumed:
- they do not have access to any private key in the script;
- they do not have access to more hash preimages than those revealed in the initial witness;
- they only get to see a single witness produced by participants (otherwise they can mix-and-match);
- no public keys are repeated in the script (otherwise a signature for a fragment may be “replayed” for satisfying another fragment).
The properties are:
- whether satisfying this fragment requires a signature (that is, the satisfaction is not available to a third party);
- whether dissatisfying this fragment requires a signature (same but for dissatisfaction);
- whether a single dissatisfaction that does not require a signature exists, and others, if there are any, require a signature (that is, the fragment may be safely dissatisfied).
Non-malleable satisfaction algorithm and your example
Malleability is checked at creation time, and a Miniscript that does not contain at least one non-malleable satisfaction per spending path will be marked as unsafe (/insane). Note this does not rule out the existence of malleable satisfactions in addition to non-malleable ones. The satisfier needs to take care to only use satisfactions that are non-malleable.
Your interpretation of the algorithm is correct. The non-malleable satisfier will refuse to use the satisfaction for or_b that satisfies both branches, even if it has the required material. However, it will use any of the two non-malleable satisfactions available.
That said, could you explain to me what would be the problem if OP_0 OP_0 <sig(key)> was used instead of OP_0 OP_1 <sig(key)>?
It would allow a third party to change a valid witness into another one, see the section above for rationale.
Or does perhaps there mean all or_b sats should be marked as DONTUSE?
No, otherwise there would be no point in having an or_b fragment. 🙂 Only all non-canonical satisfactions of or_b have to be marked as DONTUSE.
Related notes
Also note that malleability analysis assumes common standardness rules, such as MINIMALIF. So a miner could still malleate some witnesses even if they are treated as non-malleable by Miniscript.
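The or_b and or_i cases discussed above can be traced with a toy satisfier that tracks "requires a signature" and DONTUSE flags per candidate witness. This is an added example, not code from the original page or from any Miniscript implementation. The names Sat, choose, spend_or_b and spend_hash are hypothetical, witness elements are labels rather than bytes, the stack order is illustrative, and marking the sha256 dissatisfaction as malleable is a simplifying assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sat:
    stack: tuple = ()        # witness elements, shown as labels ("" = empty vector)
    has_sig: bool = False    # contains a signature, so a third party cannot build it
    malleable: bool = False  # DONTUSE: a third party could swap it for another witness
    ok: bool = True          # the satisfier holds the material to build it

    def __add__(self, o):    # concatenate the witnesses of two sub-fragments
        return Sat(self.stack + o.stack, self.has_sig or o.has_sig,
                   self.malleable or o.malleable, self.ok and o.ok)

NONE = Sat(ok=False)

def choose(a, b):
    """Pick between two alternative satisfactions of one fragment."""
    if not a.ok: return b
    if not b.ok: return a
    if a.has_sig != b.has_sig:   # the signature-less one can always be substituted
        return b if a.has_sig else a
    if not a.has_sig:            # two signature-less options: malleable either way
        a, b = Sat(a.stack, False, True), Sat(b.stack, False, True)
    elif a.malleable != b.malleable:
        return b if a.malleable else a
    return min(a, b, key=lambda s: len(s.stack))

# Each fragment returns (dissatisfaction, satisfaction).
def pk(key, sigs):
    return Sat(("",)), (Sat((f"sig({key})",), has_sig=True) if key in sigs else NONE)

def sha256(h, known):
    return Sat(("00" * 32,), malleable=True), (Sat((f"preimage({h})",)) if h in known else NONE)

def or_i(x, z):
    one, zero = Sat(("1",)), Sat(("",))
    return choose(x[0] + one, z[0] + zero), choose(x[1] + one, z[1] + zero)

def or_b(x, z):                  # a: wrapper on z does not change the witness
    both = z[1] + x[1]           # satisfies both branches: overcomplete
    dontuse = Sat(both.stack, both.has_sig, True, both.ok)
    return z[0] + x[0], choose(choose(z[0] + x[1], z[1] + x[0]), dontuse)

def and_v(x, y):                 # v: wrapper on x does not change the witness
    return NONE, y[1] + x[1]

def spend_or_b(sigs):            # or_b(pk(A),a:pk(B))
    return or_b(pk("A", sigs), pk("B", sigs))[1]

def spend_hash(known):           # and_v(v:or_i(sha256(H1),sha256(H2)),pk(A)), A signs
    return and_v(or_i(sha256("H1", known), sha256("H2", known)), pk("A", {"A"}))[1]
```

With both signatures available, spend_or_b returns a witness with one signature and one empty vector rather than the two-signature one. With both preimages known, spend_hash returns a result flagged malleable, which a non-malleable satisfier must refuse to use.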
