Oleg Andreev



Software designer with a focus on user experience and security.

You may start with my selection of articles on Bitcoin.

Translations of some articles into Russian.



Product architect at Chain.

Author of Gitbox version control app.

Author of CoreBitcoin, a Bitcoin toolkit for Objective-C.

Author of BTCRuby, a Bitcoin toolkit for Ruby.

Former lead dev of FunGolf GPS, the best golfer's personal assistant.



I am happy to give you an interview or provide you with a consultation.
I am very interested in innovative ways to secure property and personal interactions: all the way from cryptography to user interfaces. I am not interested in trading, mining or building exchanges.

This blog enlightens people thanks to your generous donations: 1TipsuQ7CSqfQsjA9KU5jarSB1AnrVLLo

Softfork suggestion: how to fix transaction malleability

After a conversation with Luke-Jr in #bitcoin-dev, here is a possible soft-fork change (only a super-majority of miners needs to support it) that would make non-malleable transactions possible.

As with P2SH, we take an innocent-looking script OP_HASH160 <…> OP_EQUAL and interpret it as P2SHv2. To stay distinct from, and compatible with, current P2SH, that script encodes the 20-byte hash with OP_PUSHDATA1 (an opcode byte plus a one-byte length, two bytes in total) instead of the single-byte direct push opcode, which encodes the data length in the opcode itself. Old nodes will not match this against the BIP16 template and will simply evaluate it as an ordinary script, which is what makes the change a soft fork.

The entire input script spending a P2SHv2 output will be interpreted differently:

  1. The input script is not stripped for SignatureHash.
  2. For the input currently being verified/signed, the corresponding output script is appended to the input script (today it replaces the input script).
  3. OP_NOP1 is redefined as OP_STRIP, meaning “strip the pushdata that follows during SignatureHash”. SignatureHash consumes each opcode from left to right and replaces the pushdata that follows OP_STRIP with an all-zero string of the same length. During execution, OP_STRIP remains a NOP.
  4. Pushdata ops must not be normalized: the push encoding chosen by the signer is part of what is hashed, so re-encoding a push invalidates the signature.
  5. CHECKSIG and CHECKMULTISIG enforce a canonical signature encoding when evaluated in a P2SHv2 context.
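As an added example (not code from the original post, from CoreBitcoin or from BTCRuby), here is a small Python model of the P2SHv2 output template and of rules 1 through 4 above. The opcode numbers are the real Bitcoin ones; the P2SHv2 template, OP_STRIP and the append-instead-of-replace rule follow the proposal as stated. Only the script bytes that SignatureHash would commit to are modelled, not the full transaction serialisation; the keys and signatures in demo() are constructed placeholders, and the 255-byte push limit and the HASH160 fallback are simplifications of this example, not of the proposal.

```python
import hashlib

OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E
OP_EQUAL, OP_HASH160, OP_CHECKSIG = 0x87, 0xA9, 0xAC
OP_STRIP = OP_NOP1 = 0xB0   # proposal: OP_NOP1 redefined as OP_STRIP

def parse_script(script: bytes):
    """Yield (opcode, prefix_bytes, data) per op; data is None for non-push ops."""
    i = 0
    while i < len(script):
        op = script[i]
        # Direct push 0x01..0x4b: the opcode byte is the length. PUSHDATA1/2/4: opcode + length field.
        hdr = 1 if 0x01 <= op <= 0x4B else {OP_PUSHDATA1: 2, OP_PUSHDATA2: 3, OP_PUSHDATA4: 5}.get(op)
        if hdr is None:                      # not a push: a single opcode byte
            yield op, script[i:i + 1], None
            i += 1
            continue
        if i + hdr > len(script):
            raise ValueError("truncated push header")
        n = op if hdr == 1 else int.from_bytes(script[i + 1:i + hdr], "little")
        if i + hdr + n > len(script):
            raise ValueError("push runs past end of script")
        yield op, script[i:i + hdr], script[i + hdr:i + hdr + n]
        i += hdr + n

def push(data: bytes, force_pushdata1: bool = False) -> bytes:
    """Encode a push of up to 255 bytes: direct push (minimal form for <= 75 bytes)
    or, if forced or needed, the longer OP_PUSHDATA1 encoding of the same data."""
    n = len(data)
    if n <= 0x4B and not force_pushdata1:
        return bytes([n]) + data
    if n <= 0xFF:
        return bytes([OP_PUSHDATA1, n]) + data
    raise ValueError("example only handles pushes up to 255 bytes")

def is_p2sh(script: bytes) -> bool:
    """BIP16 template: OP_HASH160 <20-byte direct push> OP_EQUAL (23 bytes)."""
    return (len(script) == 23 and script[0] == OP_HASH160
            and script[1] == 0x14 and script[22] == OP_EQUAL)

def is_p2shv2(script: bytes) -> bool:
    """Proposed template: OP_HASH160 OP_PUSHDATA1 0x14 <20 bytes> OP_EQUAL (24 bytes)."""
    return (len(script) == 24 and script[0] == OP_HASH160 and script[1] == OP_PUSHDATA1
            and script[2] == 0x14 and script[23] == OP_EQUAL)

def strip_for_sighash(script: bytes) -> bytes:
    """Rule 3: the push right after OP_STRIP gets its data zeroed, same length.
    The push prefix and OP_STRIP itself stay, so the exact push encoding is
    still committed to (rule 4); during execution OP_STRIP remains a NOP."""
    out, strip_next = bytearray(), False
    for op, prefix, data in parse_script(script):
        if data is None:
            out += prefix
            strip_next = (op == OP_STRIP)
        else:
            out += prefix + (bytes(len(data)) if strip_next else data)
            strip_next = False
    return bytes(out)

def sighash_script_v2(input_script: bytes, output_script: bytes) -> bytes:
    """Rules 1-2: keep the (stripped) input script and append the spent output script."""
    return strip_for_sighash(input_script) + output_script

def sighash_script_legacy(input_script: bytes, output_script: bytes) -> bytes:
    """Today's rule: the input script is discarded and replaced by the output script."""
    return output_script

def hash160(b: bytes) -> bytes:
    """RIPEMD160(SHA256(b)); falls back to truncated SHA256 (not Bitcoin's HASH160)
    where OpenSSL lacks ripemd160. The P2SHv2 logic does not depend on which."""
    sha = hashlib.sha256(b).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:
        return hashlib.sha256(sha).digest()[:20]

def demo():
    """Spend one P2SHv2 output three ways and return whether the signed bytes are
    unchanged by (a) altering the signature, (b) re-encoding its push, under the
    v2 rule and under today's rule: (v2_a, v2_b, old_a, old_b)."""
    # Constructed placeholders, not real keys: a 33-byte "pubkey" and two 71-byte
    # "signatures" of equal length (as a DER signature and its high-S twin are).
    pubkey = b"\x02" + bytes(range(32))
    sig_a = b"\x30" + bytes([0x11] * 70)
    sig_b = b"\x30" + bytes([0x22] * 70)
    redeem = push(pubkey) + bytes([OP_CHECKSIG])
    output = bytes([OP_HASH160]) + push(hash160(redeem), force_pushdata1=True) + bytes([OP_EQUAL])
    assert is_p2shv2(output) and not is_p2sh(output)
    spend_a = bytes([OP_STRIP]) + push(sig_a) + push(redeem)                        # as signed
    spend_b = bytes([OP_STRIP]) + push(sig_b) + push(redeem)                        # signature altered
    spend_c = bytes([OP_STRIP]) + push(sig_a, force_pushdata1=True) + push(redeem)  # push re-encoded
    v2 = [sighash_script_v2(s, output) for s in (spend_a, spend_b, spend_c)]
    old = [sighash_script_legacy(s, output) for s in (spend_a, spend_b, spend_c)]
    return v2[0] == v2[1], v2[0] == v2[2], old[0] == old[1], old[0] == old[2]
```

demo() returns (True, False, True, True). Under today's rule all three spends commit to the same bytes, so all three are valid with three different txids. Under the proposed rule, re-encoding the signature push changes the committed bytes and the signature no longer verifies (rule 4); altering the signature bytes themselves necessarily leaves the committed bytes unchanged, since a signature cannot cover itself, and that is exactly the door rule 5's canonical-encoding check closes.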

The voting process can be identical to P2SH's: miners put the string “/P2SHv2/” in their coinbase to signal support. Once a super-majority of miners supports it, it will be safe to issue P2SHv2 transactions. Old-style transactions will still be malleable. Regular payments will be softly protected against malleability by the isStandard check. Complex contracts such as rapidly-adjusted micropayment channels would need to use P2SHv2 in order to rely on chains of unconfirmed transactions.

This change does not require regular users to upgrade their software.