Why Not Simply Use X? An Instructive Instance from Bitcoin


Bitcoin developer Gregory Maxwell writes the following on Reddit:

There’s a design flaw in the Bitcoin protocol where it’s possible for a third party to take a valid transaction of yours and mutate it in a way which leaves it valid and functionally identical but with a different transaction ID. This greatly complicates writing correct wallet software, and it can be used abusively to invalidate long chains of unconfirmed transactions that depend on the non-mutant transaction (since transactions refer to each other by txid).

This issue arises from several sources, one of them being OpenSSL’s willingness to accept and make sense of signatures with invalid encodings. A normal ECDSA signature encodes two large integers, the encoding isn’t constant length— if there are leading zeros you are supposed to drop them.

It’s easy to write software that assumes the signature will be a constant length and then leave extra leading zeros in them.
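The encoding problem described in the quote above, as an added Python example (not code from the original post, Bitcoin, or OpenSSL): a tolerant DER parser reads a zero-padded signature as the same (r, s) pair even though the bytes, and any hash over them, differ, while a strict parser accepts exactly one encoding. The `strict=False` path is a simplified stand-in for a tolerant parser, `toy_txid` and the `R`, `S` values are constructed for illustration, and no signature verification is performed.

```python
import hashlib

def der_int(n: int) -> bytes:
    """Minimal DER INTEGER: one 0x00 pad only when the top bit would be set."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + bytes([len(body)]) + body

def encode_sig(r: int, s: int, pad_r: int = 0) -> bytes:
    """DER SEQUENCE(r, s); pad_r adds non-canonical leading zero bytes to r."""
    ri = der_int(r)
    ri = b"\x02" + bytes([ri[1] + pad_r]) + b"\x00" * pad_r + ri[2:]
    body = ri + der_int(s)
    return b"\x30" + bytes([len(body)]) + body

def _read_int(buf: bytes, pos: int, strict: bool):
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length = buf[pos + 1]
    body = buf[pos + 2 : pos + 2 + length]
    if length == 0 or len(body) != length:
        raise ValueError("empty or truncated INTEGER")
    # Strict mode: reject negative values and any zero byte that is not needed.
    if strict and (body[0] & 0x80 or (length > 1 and body[0] == 0 and not body[1] & 0x80)):
        raise ValueError("negative or non-minimal INTEGER")
    return int.from_bytes(body, "big"), pos + 2 + length

def parse_sig(sig: bytes, strict: bool):
    """strict=False mimics a tolerant parser; strict=True accepts one encoding only."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("bad SEQUENCE header")
    r, pos = _read_int(sig, 2, strict)
    s, pos = _read_int(sig, pos, strict)
    if pos != len(sig):
        raise ValueError("trailing bytes")
    return r, s

def toy_txid(sig: bytes) -> str:  # stand-in for hashing a full transaction
    return hashlib.sha256(hashlib.sha256(b"constructed-tx|" + sig).digest()).hexdigest()

R, S = int("7a" * 32, 16), int("2b" * 32, 16)  # constructed values, not a real signature

def demo():
    good, mutant = encode_sig(R, S), encode_sig(R, S, pad_r=1)
    try:
        parse_sig(mutant, True)
        rejected = False
    except ValueError:
        rejected = True
    same = parse_sig(good, False) == parse_sig(mutant, False)
    return same, toy_txid(good) != toy_txid(mutant), rejected
```

`demo()` returns three flags: the tolerant parser sees identical values, the toy identifiers differ, and the strict parser rejects the padded form.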

This is a very interesting cautionary tale, and it is particularly important because situations like these are part of the reason why we have made certain design decisions in our development philosophy. Specifically, the issue is this: many people continue to bring up the point that we are in many places unnecessarily reinventing the wheel, creating our own serialization format, RLP, instead of using the existing protobuf, and building an application-specific scripting language instead of “simply using Lua”. This is a very valid concern; not-invented-here syndrome is a commonly-used pejorative, so doing such in-house development does require justification.

And the cautionary tale I quoted above provides precisely the perfect example of the justification that I will provide. External technologies, whether protobuf, Lua or OpenSSL, are very good, and have years of development behind them, but in many cases they were never designed with the perfect consensus, determinism and cryptographic integrity in mind that cryptocurrencies require. The OpenSSL situation above is the perfect example; apart from cryptocurrencies, there really are no other situations where the fact that you can take a valid signature and turn it into another valid signature with a different hash is a significant problem, and yet here it is fatal. One of our core principles in Ethereum is simplicity; the protocol should be as simple as possible, and the protocol should not contain any black boxes. Every single feature of every single sub-protocol should be precisely 100% documented on the whitepaper or wiki, and implemented using that as a specification (i.e. test-driven development). Doing this for an existing software package is arguably almost as hard as building an entirely new package from scratch; in fact, it may even be harder, since existing software packages often have more complexity than they need in order to be feature-complete, whereas our alternatives do not – read the protobuf spec and compare it to the RLP spec to understand what I mean.

Note that the above principle has its limits. For example, we are certainly not foolish enough to start inventing our own hash algorithms, instead using the universally acclaimed and well-vetted SHA3, and for signatures we are using the same old secp256k1 as Bitcoin, although we are using RLP to store the v,r,s triple (the v is an extra two bits for public key recovery purposes) instead of the OpenSSL buffer protocol. These kinds of situations are the ones where “simply using X” is precisely the right thing to do, because X has a clean and well-understood interface and there are no subtle differences between different implementations. The SHA3 of the empty string is c5d2460186…a470 in C++, in Python, and in JavaScript; there is no debate about it. In between these two extremes, it is basically a matter of finding the right balance.
